The concept of throughput for the Zscaler Cloud Connector is central to designing secure cloud-connected environments that rely on the Zscaler Zero Trust Exchange. As organizations migrate workloads to public clouds, hybrid data centres and remote sites, understanding how many gigabits per second can be forwarded through each Cloud Connector instance and how to scale out multiple instances becomes a practical concern. Throughput affects performance, scalability, cost and ultimately whether you can deliver a smooth end-user and application experience. This topic explores what throughput means in the context of Zscaler Cloud Connector, typical sizing guidance, scalability models, practical design considerations and monitoring tips to ensure your deployment meets the demands of modern traffic forwarding.
What is Zscaler Cloud Connector and Why Throughput Matters
The Zscaler Cloud Connector is a virtual machine-based component deployed within a public cloud region (such as AWS, Azure or GCP) or on-premises, which securely forwards traffic from workloads or networks into the Zscaler Zero Trust platform. It might handle outbound internet traffic from cloud workloads, workload-to-workload traffic between regions, or ingress/egress traffic for SaaS applications via Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA). Because it stands in the traffic path, its throughput capability (the number of bits per second it can effectively forward while performing required security inspection or tunneling) is a key capacity planning metric.
If the throughput of a Cloud Connector is insufficient for expected traffic volumes, users may see latency, bottlenecks or dropped connections. On the other hand, oversizing many instances unnecessarily increases cost. Therefore, getting the throughput sizing right supports a cost-effective and high-performing cloud security architecture.
Throughput Defined in This Context
Throughput in the case of Cloud Connector generally refers to the aggregate data rate (in Mbps or Gbps) that the connector can forward under normal operating conditions while supporting features such as encryption, tunnels, and inspection. It does not always equal raw network link capacity because some processing overhead is involved: encryption/decryption, packet encapsulation, forwarding logic or additional inspection may reduce effective throughput. The actual throughput depends on VM size, number of vCPUs, memory, NIC speed, workload mix and how much inspection or tunnelling is applied.
Typical Throughput Guidance for Zscaler Cloud Connector
Zscaler provides guidance around throughput and sizing of Cloud Connector deployments. While the exact number may differ depending on deployment architecture, inspection load and region configuration, some reference values are available.
Reference Values and Sizing Guidance
- In a reference architecture guide for AWS workloads, Zscaler indicates that a recommended instance type (for example c5 or m5 on AWS) supports around 400 Mbps unidirectional throughput under typical conditions.
- In general documentation, Zscaler notes that throughput and connection capacity for Cloud Connector scale linearly with vertical sizing (more vCPUs/RAM) and horizontal scaling (multiple VMs).
- In Zscaler community discussions about App Connector or Branch/Cloud Connectors, users frequently note limits per connector on the order of several hundred Mbps (e.g., ~500 Mbps) before scaling is required.
From this guidance, an initial planning rule might be: each Cloud Connector VM supports a few hundred Mbps reliably under inspection, and when you need gigabit-scale or multiple gigabits of throughput you deploy multiple connectors or scale up the VM size.
Horizontal vs. Vertical Scaling
There are two main approaches to increase throughput of Zscaler Cloud Connector:
- Vertical scaling: Increase the size of the VM (more vCPUs, more memory, faster NIC). According to the reference guide, throughput and connection capacity scale linearly with this approach.
- Horizontal scaling: Deploy additional connector instances in the same region or across zones, and distribute traffic across them. Zscaler deployments increasingly incorporate autoscaling groups or VM scale sets (in Azure) to adjust the number of connectors dynamically based on CPU utilisation and traffic load.
In practical design, many organisations combine both strategies: choose a reasonable VM size, then deploy multiple instances with load balancing or internal routing to spread the traffic and ensure high availability.
Design Considerations for Throughput Planning
When sizing for throughput, multiple factors must be taken into account beyond just raw bandwidth. The following design considerations help ensure your Zscaler Cloud Connector deployment meets performance and reliability goals.
Traffic Profile and Inspection Load
How much inspection and tunnelling the connector must perform significantly affects throughput. For example:
- Clear text forwarding (no SSL/TLS inspection) may yield higher throughput rates compared to full SSL inspection.
- Workload-to-workload traffic that doesn’t require the full security stack may consume less CPU per bit than internet-bound traffic with URL filtering, DLP and threat prevention enabled.
- High-volume file transfers, streaming, backups, or large object storage access may require the connector to handle many small or large flows, which may reduce per-bit performance.
Network Latency and Cloud Region Placement
The location of the connector relative to workloads and Zscaler service edges impacts performance. Ideally, a Cloud Connector should be deployed in the same cloud region as the workloads it supports (or at least nearby), with the internet policy route chosen to avoid unnecessary latency. High latency or shared, congested links may reduce observed throughput.
High Availability and Redundancy
Throughput planning must include redundancy. For always-on, mission-critical workloads, deploying at least two connector instances per region (active-active or active-standby) means each must support part of the load and avoid a single point of failure. If your total traffic is 2 Gbps, you might deploy four connectors each nominally sized for 500 Mbps, so that any one failure still leaves capacity. These resiliency factors influence how you plan throughput headroom.
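A sizing calculation for the redundancy planning above, as an added example that is not Zscaler's code or tooling; the function names and the headroom multiplier are assumptions for illustration. It reports how much capacity remains once an instance fails, using the 2 Gbps and 500 Mbps figures from the text.

```python
import math

def plan_connectors(peak_mbps, per_connector_mbps, headroom=1.0, tolerated_failures=0):
    """Size a horizontally scaled connector group.

    headroom multiplies the peak (1.5 means plan for 150 % of peak);
    tolerated_failures is how many instances may fail while the planned
    target is still carried in full.
    """
    if peak_mbps <= 0 or per_connector_mbps <= 0:
        raise ValueError("rates must be positive")
    if headroom < 1.0 or tolerated_failures < 0:
        raise ValueError("headroom must be >= 1.0 and failures >= 0")
    target_mbps = peak_mbps * headroom
    needed = math.ceil(target_mbps / per_connector_mbps)
    return {
        "target_mbps": target_mbps,
        "needed_for_target": needed,
        "deploy": needed + tolerated_failures,
    }

def after_failures(deployed, per_connector_mbps, peak_mbps, failed=1):
    """Capacity and per-instance load once `failed` connectors are down."""
    survivors = deployed - failed
    if survivors <= 0:
        raise ValueError("no connectors left")
    capacity = survivors * per_connector_mbps
    return {
        "capacity_mbps": capacity,
        "carries_peak": capacity >= peak_mbps,
        # Above 1.0 means each survivor is asked for more than its nominal rate.
        "load_ratio": round(peak_mbps / capacity, 2),
    }

if __name__ == "__main__":
    # Figures from the text: 2 Gbps total, 500 Mbps nominal per connector.
    print(plan_connectors(2000, 500))
    print(after_failures(4, 500, 2000))
    print(plan_connectors(2000, 500, tolerated_failures=1))
    print(after_failures(5, 500, 2000))
```

With these figures, four connectors leave 1,500 Mbps after one failure; carrying the full 2 Gbps through a single failure takes a fifth instance.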
Monitoring and Real-Time Adjustment
Monitoring is essential. You should track metrics such as CPU utilisation, packet drops, tunnel latency and aggregate traffic rate per connector. When utilisation consistently goes above a defined threshold (for example 70 % CPU), you might need to scale out. Documentation indicates that automatic scaling (e.g., in Azure) based on CPU thresholds ensures you have enough connectors.
Best Practices for Throughput Optimisation and Troubleshooting
Optimising throughput and avoiding bottlenecks requires both correct architecture and ongoing operational review. Here are some best practices:
Set Realistic Bandwidth Targets
Begin with the site’s peak traffic requirements. For example, if your cloud workloads upload/download 1 Gbps at peak, plan connector capacity above that to allow headroom (e.g., 1.5 to 2 Gbps), and distribute across multiple connector instances.
Distribute Traffic Smartly
Don’t funnel all traffic through a single connector. Use internal load balancers or routing policies to spread traffic across multiple VMs, reducing per-instance bottlenecks and improving resilience.
Review Inspection Policies
Examine whether all traffic needs full inspection. Sometimes you can bypass inspection for trusted internal flows or reduce inspection levels for non-critical traffic, thereby reducing CPU and increasing throughput headroom.
Use Auto-Scaling and Alerts
Implement autoscaling based on utilisation thresholds so the environment adapts to load. Define alerts on CPU, packet drops or queue length. If you see connectors pegged with high CPU usage or dropped flows, you’ve hit a throughput bottleneck.
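The threshold logic described here and in the monitoring section, as an added example that is not Zscaler's or any cloud provider's tooling: it separates a one-off CPU spike from a sustained breach of the 70 % example threshold and flags packet drops. The connector names, the sample data and the three-sample window are constructed assumptions.

```python
from collections import defaultdict

CPU_THRESHOLD = 70.0  # example threshold from the text
SUSTAINED = 3         # assumption: consecutive samples that count as "consistently"

# Constructed samples: (minute, connector, cpu_percent, packet_drops)
SAMPLES = [
    (0, "cc-a", 55, 0), (0, "cc-b", 62, 0),
    (1, "cc-a", 91, 0), (1, "cc-b", 60, 0),   # single spike on cc-a
    (2, "cc-a", 58, 0), (2, "cc-b", 74, 0),
    (3, "cc-a", 61, 0), (3, "cc-b", 78, 12),
    (4, "cc-a", 63, 0), (4, "cc-b", 83, 40),
]

def evaluate(samples, threshold=CPU_THRESHOLD, sustained=SUSTAINED):
    """Per connector: is CPU above threshold for the last `sustained` samples?"""
    series = defaultdict(list)
    for _minute, name, cpu, drops in sorted(samples):
        series[name].append((cpu, drops))
    findings = {}
    for name, points in series.items():
        streak = 0  # length of the run of high-CPU samples ending at the latest one
        for cpu, _drops in points:
            streak = streak + 1 if cpu > threshold else 0
        findings[name] = {
            "sustained_high_cpu": streak >= sustained,
            "packet_drops": sum(drops for _cpu, drops in points),
        }
    return findings

def scale_out_candidates(findings):
    """Connectors whose metrics indicate a throughput bottleneck."""
    return sorted(
        name for name, f in findings.items()
        if f["sustained_high_cpu"] or f["packet_drops"] > 0
    )

if __name__ == "__main__":
    result = evaluate(SAMPLES)
    print(result)
    print("scale out for:", scale_out_candidates(result))
```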
Maintain VM and Network Health
Ensure connector VMs have fast storage and correct NIC MTU settings, and aren’t constrained by a throttled network interface or an oversubscribed cloud host. Low MTU or misconfigured networking may reduce achievable throughput. Also ensure the cloud region chosen supports high network performance for your instance type.
Common Questions and Clarifications
Here are some frequent questions organisations ask when sizing for Zscaler Cloud Connector throughput.
What throughput can I expect per connector?
As a rough rule of thumb, many comments and reference docs indicate 400 to 500 Mbps per connector under typical load. For example, a Zscaler AWS guide recommends ~400 Mbps on typical instance types. For heavier workloads or less inspection, you might achieve more; for heavy inspection you may need additional instances.
Can one connector handle multiple Gbps?
While vertical scaling will increase capacity somewhat, Zscaler advises horizontal scaling for true multi-Gbps forwarding, as throughput scales linearly with multiple instances rather than relying on a single large VM.
Why is my throughput much lower than expected?
Many factors can reduce real-world throughput: high SSL inspection overhead, small packet sizes, multiple tunnels, geographic latency, MTU issues or an overloaded connector VM network interface. Monitoring and isolating GPU/CPU/network bottlenecks helps identify the root cause. Community posts report situations where Cloud Connector throughput was unexpectedly limited.
Throughput planning for Zscaler Cloud Connector is a vital component of a successful secure cloud deployment. Understanding the performance benchmark (often a few hundred Mbps per connector), the need for vertical and horizontal scaling, and the real-world factors that influence performance will help organisations deliver the secure, high-performing connectivity required for today’s hybrid and cloud-native workloads. By monitoring utilisation, implementing autoscaling, distributing traffic, and optimising inspection policies, you can ensure your Zscaler Cloud Connector deployment both safeguards your environment and supports the necessary data volumes. Ultimately, throughput is not just a number; it’s a capacity planning and architecture discipline that determines whether your Zero Trust rollout is resilient, scalable and efficient.