Zscaler MCP Server

Zscaler MCP Server makes it simple to integrate natural language into API calls for configuration, monitoring, and automation. By unifying how teams access and manage services, MCP Server reduces complexity, improves security, and accelerates innovation, helping enterprises streamline operations at scale.

0 AWS reviews

View purchase options

Overview

Zscaler MCP Server enables organizations to achieve:

Streamlined operations through natural language that empower teams to configure, monitor, and manage services more intuitively. Everyday requests are translated into API SDK calls, reducing complexity, minimizing human error, and improving efficiency.

Unified and secure access to APIs by providing a consistent, governed interface for interacting with services. This ensures least-privileged use of API calls, eliminates fragmented tools, and enforces strong governance across environments.

Accelerated innovation and automation at scale through rapid integration of new workflows and pipelines. MCP Server shortens time-to-value, simplifies orchestration, and helps enterprises scale automation with confidence.

Broad applicability across IT and DevOps, from configuration and monitoring to orchestration. MCP Server supports the full Zscaler portfolio - including Zscaler Internet Access, Zscaler Private Access, Zscaler Digital Experience, Zscaler Cloud and Branch Connector, Zscaler Client Connector, and Zscaler ZIdentity. MCP Server is offered as a bring-your-own-license (BYOL) solution, requiring existing entitlements to Zscaler services.

Highlights

Simplify complex operations - Translate natural language into API calls, making configuration, monitoring, and troubleshooting faster and more intuitive for admins and developers.
Unify and secure API access - Provide a single, consistent way to interact with your services, reducing complexity while maintaining strong security and governance.
Enable faster innovation at scale - Accelerate integration of new workflows and automation pipelines, reducing time-to-value and supporting enterprise-wide agility.

Details

Sold by

Zscaler, Inc.

Unlock automation with AI agent solutions

Fast-track AI initiatives with agents, tools, and solutions from AWS Partners.

Explore AI agent solutions

Features and programs

Financing for AWS Marketplace purchases

AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

View financing details

Pricing

Zscaler MCP Server

Info

View purchase options

This product is available free of charge. Free subscriptions have no end date and may be canceled any time.

Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

Vendor refund policy

https://www.zscaler.com/legal/zscaler-refund-policy

How can we make this page better?

We'd like to hear your feedback and ideas on how to improve this page.

Legal

Vendor terms and conditions

Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

Content disclaimer

Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

Usage information

Info

Delivery details

Amazon Bedrock AgentCore

Supported services: Learn more

Amazon Bedrock AgentCore - Preview

Container image

Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.

Version release notes

Initial release of Zscaler MCP Server for AWS AgentCore

Additional details

Usage instructions

Amazon Bedrock AgentCore Deployment (Zscaler MCP Server)

Prerequisites

AgentCore enabled in your AWS account.
Active subscription to ZIA or ZPA.
Outbound HTTPS to Zscaler APIs. AgentCore provides this by default; optionally attach to a VPC so egress can be inspected/secured.
Zscaler OneAPI credentials set as environment variables during hosting. Generate in ZIdentity as outlined in the README:
https://github.com/zscaler/zscaler-mcp-server?tab=readme-ov-file#zscaler-api-credentials--authentication
- ZSCALER_CLIENT_ID
- ZSCALER_CLIENT_SECRET
- ZSCALER_VANITY_DOMAIN
- ZSCALER_CUSTOMER_ID (required for ZPA)
- ZSCALER_CLOUD (optional; set to beta only when using the Beta Tenant)
Legacy API auth is also supported. See full guide (linked at the bottom) for variables and usage.

Step 1 - Create the IAM execution role (Console)

IAM -> Roles -> Create role.
Attach a custom policy or equivalent managed policies with these permissions:

Amazon ECR (image pull):
ecr:BatchGetImage, ecr:GetDownloadUrlForLayer, ecr:GetAuthorizationToken
Alternative: AmazonEC2ContainerRegistryReadOnly managed policy.
CloudWatch Logs (write):
logs:DescribeLogStreams, logs:CreateLogGroup, logs:DescribeLogGroups, logs:CreateLogStream, logs:PutLogEvents
Alternative: CloudWatchFullAccess (or a scoped equivalent).
AWS X-Ray (telemetry):
xray:PutTraceSegments, xray:PutTelemetryRecords, xray:GetSamplingRules, xray:GetSamplingTargets
Alternative: AWSXRayDaemonWriteAccess.
CloudWatch metrics:
cloudwatch:PutMetricData (optionally restrict namespace to bedrock-agentcore).
AgentCore access tokens:
bedrock-agentcore:GetWorkloadAccessToken (optionally scope to your default workload identity directory and the identities for this agent).
Bedrock model invocation:
bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream (optionally scope to required foundation models and your resources).

Trust relationship: service principal bedrock-agentcore.amazonaws.com.
(Optionally add conditions restricting aws:SourceAccount to your account ID and aws:SourceArn to your AgentCore ARNs.)
Save and copy the Role ARN (you will provide this when hosting the agent).

Step 2 - Host the Agent (Console)

Open Amazon Bedrock AgentCore -> Agent Runtimes -> Host Agent.
Enter a Name (e.g., zscaler-mcp) and Description.
Container image URI: paste the exact URI+tag shown on this Marketplace version (example):
709825985650.dkr.ecr.us-east-1.amazonaws.com/zscaler/zscaler-mcp-server:0.2.1-bedrock
Do not use latest.
Execution role: select the role created in Step 1.
Protocol: MCP.
Inbound identity: choose IAM (typical) or JWT if your environment requires JWT pass-through.
Environment variables (add each key/value):
ZSCALER_CLIENT_ID, ZSCALER_CLIENT_SECRET, ZSCALER_VANITY_DOMAIN, ZSCALER_CUSTOMER_ID (if ZPA), ZSCALER_CLOUD (optional).
Click Host Agent and wait for Status: Active.

Step 3 - Verify

Confirm the runtime is Active.
Check CloudWatch Logs under /aws/bedrock-agentcore/runtimes/... for initialization and invocation details.
From the AgentCore sandbox, invoke a simple call payload such as:
- List tools {"jsonrpc":"2.0","id":1,"method":"tools/list","params":{"_meta":{"progressToken":1}}}
- List DLP Dictionaries {"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"zia_dlp_dictionaries","arguments":{}}}

See the full guide for examples and troubleshooting tips.

Full documentation: Zscaler MCP Server - Amazon Bedrock AgentCore Guide
https://zscaler-mcp-server.readthedocs.io/en/latest/guides/amazon-bedrock-agentcore.html

Support

Vendor support

Yes

Zscaler global support is available around the clock, with dedicated customer support engineers providing personalized assistance to ensure that customers are getting the most value from our products. Our support engineers have significant experience in networking and security, working closely with operations, sales, and engineering teams to ensure rapid response and resolution.

AWS infrastructure support

AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Get support

Similar products

Zscaler Private Access Connector

By Zscaler, Inc.

ZPA Connectors provide the secure authenticated interface between a customer's servers and the Zscaler Private Access cloud. App Connectors can be deployed in several forms. Zscaler distributes a standard virtual machine (VM) image for deployment in enterprise data centers, local private cloud environments such as VMware, or public cloud environments such as Amazon Web Services (AWS) EC2. Additionally, Zscaler provides packages that can be installed on supported Linux distributions. Connectors can be co-located with your enterprise applications, or they can be deployed in any location that has connectivity to the applications. Typically, they are deployed on network segments that can access secured applications and the ZPA cloud simultaneously, such as in a DMZ. Connectors only connect outbound; they do not need any inbound open ports to operate correctly.

View product

Zscaler NSS (ZSOS42) AMI

By Zscaler, Inc.

Zscaler's ZIA Nanolog Streaming Service (NSS) VM for AWS

View product

Zscaler Private Access Service Edge

By Zscaler, Inc.

The ZPA Private Service Edges are brokers that are a single-tenant instance that provide the functionality of a ZPA Public Service Edge in an organization's environment. Your organization hosts them either within your site or on a cloud service, but Zscaler manages them. On the other hand, ZPA Public Service Edges are deployed in Zscaler data centers around the world. As with a ZPA Public Service Edge, a ZPA Private Service Edge manages the connections between Zscaler Client Connector and App Connectors. It registers with the ZPA Cloud. This allows a ZPA Private Service Edge to download the relevant policies and configurations so it can enforce all ZPA policies. It also caches path selection decisions. ZPA Private Service Edges can be deployed in several forms. Zscaler distributes images for deployment in enterprise data centers and local private cloud environments such as VMware.

View product

Zscaler Cloud Connector

By Zscaler, Inc.

Enabled by the Zscaler Zero Trust Exchange (ZTE), Zscaler Cloud Connector is a virtual machine (VM) that simplifies traffic forwarding to Zscaler services. It extends the capabilities of Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) to cloud-native workloads, which allows enterprises to secure cloud workload communications over any network. The ZTE enables workloads to communicate with each other and have a granular security policy applied. The communication may be from private workloads (i.e., IaaS, physical data center) to public workloads (i.e., SaaS/internet), or between private workloads (i.e., IaaS to IaaS, IaaS to physical data center).

View product

Zscaler Incident Receiver

By Zscaler, Inc.

The Zscaler Incident Receiver is a tool to securely receive DLP policy violation details via ICAP. It can run on an AWS EC2 instance, an Azure VM, or on-premises to integrate seamlessly with Zscaler services.

View product

Customer reviews

Leave a review

Ratings and reviews

Info

0 ratings

5 star

4 star

3 star

2 star

1 star

0 AWS reviews

No customer reviews yet

Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.