Skip to main content
Cisco Meraki Documentation

Cisco Secure Connect - ZTNA Architecture Start

Overview of the Zero Trust Network Access (ZTNA) architecture in Cisco Secure Connect.

ZTNA Architecture 

Edit section

clipboard_edb9d73cec5650cbc6e7f2a802c19a093.png

ZTNA is a turnkey-as-a-service solution. As shown in the diagram above, the customer environment will establish connectivity to Secure Connect fabric. The Edge traffic will be acquired by Secure Connect fabric via Service Edge. Service edge works as a proxy and connects to secure connect services as well as authentication services. The Secure Connect fabric can route traffic to the application as the interconnection establishes. 

The following are the high-level responsibilities of each block. 

Customer Edge  

  • The client initiates a browser connection to the application-specific URL 

  •  This request gets resolved and redirected to the nearest Datacenter based upon AnyCast DNS 

Service Edge  

  • The Datacenter knows which service to reach out to from the connection request 

  • Connects to the nearest Umbrella cloud where the service is running and proxies the traffic coming from the browser 

Fabric Services  

  • The ZTNA Proxy changes the traffic source to an address within 100.64.0.0/10  (CGNAT - carrier grade NAT range) 

  •  A request is sent for authentication and posture check 

  • Once authenticated and authorized, it will redirect the request to the policy engine, where the decision is made to let the request in or not based on your set policies 

  • Once decided, it will be sent to our routing engine to deliver traffic to the application correctly 

Customer Environment  

  • The user has secured access to the application