Zscaler enables organizations to bring their own IP addresses to its Zero Trust Exchange platform. With Bring Your Own IP (BYOIP), companies can maintain their network identity while leveraging Zero Trust architecture.
For many organizations, static IP addresses remain operationally important, despite the shift to Zero Trust architectures. SaaS platforms, partner networks, and regulatory agencies often still rely on IP address whitelisting for access control. Zscaler now supports both customer-assigned dedicated IPs and customer-owned dedicated IPs through BYOIP.
With BYOIP, companies can bring their IPv4 prefixes registered with a Regional Internet Registry (RIR) such as ARIN, APNIC, or RIPE. After validation by Zscaler, these customer-owned IP ranges are made available as Zscaler Managed Dedicated IPs for policy and outbound traffic.
Validation and security
The technical implementation revolves around two validation pillars. First, a ROA (Route Origin Authorization), a cryptographically signed object in your RIR that authorizes a specific Autonomous System Number (ASN) to originate your route. Second, a customer-signed BYOIP message that links your prefix to your organization.
Zscaler uses industry-standard ROA and RPKI validation to ensure the integrity of route origins. The routing system checks the ROA status before placing an advertisement. Cryptographic attestation with x.509-signed messages ensures that requests match RIR-published materials.
By linking ROA to a specific Zscaler ASN per region, organizations determine where their prefixes appear. This is for data residency requirements or performance requirements.