Manage Network Connections

There are two ways to direct traffic to resources.

Configure Network Tunnel Groups to route traffic from remote and on-premises users to the internet and to private destinations managed by your organization, and to route branch-to-branch traffic.

For connections to configured private resources, Secure Access supports multiple ways to direct traffic from your users: Network Tunnel Groups and Resource Connector Groups. Both involve virtual machine instances deployed on your network.

For details, see Comparison of Network Connection Methods.

You can configure either or both of these connection methods.

IPsec Network Tunnels

Secure Access enables fast, reliable, and secure private network connections to your applications through IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnels. Network devices that can establish IPsec IKEv2 tunnels forward traffic to one of the Secure Access data centers where the tunnel head end is located. For more information, see Manage Network Tunnel Groups.

User devices can read, write, and update private resources by setting up virtual private networks (VPNs) or zero trust network access (ZTNA) connections to Secure Access through IPsec network tunnels.

Resource Connector Groups

Resource connectors are virtual machine instances that you provision in Secure Access and deploy inside your network, to provide zero trust access connectivity between user devices and your organization's private resources. Resource connectors are deployed and managed in groups.

For details, see Comparison of Network Connection Methods.

You will add resource connector groups first, then add connectors to each group. See Manage Resource Connectors and Connector Groups.

Comparison of Network Connection Methods

For a comparison of Resource Connectors (in groups) and Network Tunnels, see Comparison of Network Connection Methods.

If a Private Resource is Served by Both a Tunnel Group and a Connector Group

If both a network tunnel group and a connector group with connectors are properly configured for the same area, a connector forwards Zero Trust Access traffic by default. If none of the connectors in the connector group is reachable, the network tunnel routes the traffic. If the connector group is reachable but the request fails for some reason, traffic does not fall back to the tunnel and the connection fails.

