Secure Workload-to-Workload Communication

Enable secure connections between applications, workloads and services without relying on static controls.

Protect Hybrid and Multi-Cloud Resources

Modern IT environments are highly distributed, with applications, databases, and microservices communicating across hybrid and multi-cloud infrastructures. Traditional network security exposes resources or relies on static rules, leaving them vulnerable to lateral movement, misconfigurations, and exploitation. AppGate ZTNA secures resource-to-resource communication by cloaking workloads and enforcing least-privilege, identity-centric policies at the workload level. Each connection is dynamically authorized, ensuring only trusted resources can communicate—and only with the services they are entitled to access.

  • Cloaked Workloads: Applications, databases and services are hidden from discovery or unauthorized access.
  • Identity-Centric Access: Policies are applied not just to users, but also to workloads, APIs and service accounts.
  • Segment of One: Each resource is isolated to its own secure segment, limiting exposure and lateral movement.
  • Dynamic Policy Enforcement: Access between resources adapts automatically to context and posture, even across hybrid environments. 

How it Works

AppGate ZTNA secures communications between resources by routing traffic through trusted connectors, enforcing entitlements, and cloaking resources until authorized.

Traffic Routing

Local resources send traffic destined for protected resources through a connector. The connector routes this traffic based on the resource group configuration.

Dynamic Tunneling

Traffic is split into the required tunnels based on entitlements. This ensures that only authorized traffic is allowed through, using either the client's TUN interface IP address or the local resource's IP address as the source, depending on the NAT settings.

Secure Processing

A secure process on a gateway handles the traffic from each client, ensuring efficient and secure routing without exposing the network to unnecessary risks.

Firewall Enforcement

Traffic is firewalled according to entitlement actions, ensuring that only permitted interactions occur between resources.

Resource Cloaking

Resources are cloaked from discovery until they are authenticated and authorized, preventing unauthorized access and reducing exposure to potential threats.

Implementation Steps

AppGate ZTNA makes it easy to secure workload communications by configuring connectors, defining entitlements, and enabling the continuous monitoring of interactions across resources.

1. Configure Clients/Connectors

Set up headless clients or connectors to route traffic between local and protected resources, including workloads running in Kubernetes (K8s) clusters.

2. Define Resource Groups and Entitlements

Create resource groups and customize entitlements to specify access rules for resource interactions. 

3. Set Up Network Address Translation (NAT) Settings

Configure source NAT or destination NAT to ensure that return traffic between resources is routed correctly.

4. Deploy and Configure Gateways

Ensure all headless clients and connectors connect to all gateways on the site for secure traffic handling.

5. Monitor and Adjust

Use monitoring tools to track resource interactions and adjust entitlements to maintain security and compliance. 

Benefits and Outcomes

Implementing AppGate ZTNA for resource-to-resource access strengthens security and resilience across distributed environments while simplifying policy management.

  • Prevents unauthorized inter-service access by tightly controlling how workloads and resources communicate.
  • Protects sensitive applications, APIs and databases from unauthorized discovery and exploitation.
  • Enhances compliance by enforcing identity-based controls across hybrid and multi-cloud infrastructures.
  • Improves operational agility with dynamic, context-aware policies that adapt as resources scale or shift. 

Live learning series and Q&A: ZTNA Table Talks

Get firsthand insights from our network security experts on the advantages of direct-routed ZTNA built for intricate hybrid IT environments. Each month features a different topic and live demo on how to strengthen security, control how data traverses your network, cut costs, and boost operational efficiencies.
