Questions regarding WSS Agent sovereignty and connectivity to WSS cloud Data centers(DC)/Data pods(DP).
Web Security Service
WSS Agent is directed to the nearest DC by the Client Traffic Controller (CTC) based on the geo-location of the end user's public egress IP address. The WSS Agent initiates a connection over port 443 to CTC, which returns availability from up to three geographical data centers following compliance regulations such as GDPR. It tries to connect (create an OpenVPN tunnel) to the closest DC first and if that fails, for both UDP and TCP, it will move on to the second DC.
For example, users from any country in Europe will establish connections to DC available in the same country or nearest country location. If DC is not available in that county or if the connection fails, due to any reason, they will connect to another country's DC in the EU. However, WSS Agent will not connect to any region outside the EU regardless of connection availability. WSS Agent strictly follows compliance regulations.
The following article provides more information about WSS Agent connectivity.