Each interface can be assigned to a single security zone. You then apply your security policy based on security zones. For example, you can assign the inside interface to the inside zone and the outside interface to the outside zone, and then configure your access control policy to allow traffic to go from inside to outside, but not from outside to inside.
Each zone has a mode, either routed or passive, which correlates directly to the interface mode. You can add an interface only to a security zone of the same mode: routed interfaces to routed zones, and passive interfaces to passive zones.
Bridge Virtual Interfaces (BVIs) are not added to security zones. Only member interfaces are added to security zones.
You do not include the Diagnostic or Management interface in a zone. Zones apply to data interfaces only.
CDO does not currently support the management, monitoring, or use of Virtual Tunnel Interface (VTI) tunnels on ASA or FTD devices. Devices with configured VTI tunnels can be onboarded to CDO, but CDO ignores their VTI interfaces. If a security zone or static route references a VTI, CDO reads the security zone and static route without the VTI reference. CDO support for VTI tunnels is coming soon.
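The zone rules and the VTI behavior above, as an added example that is not Cisco or CDO code: a Python check run over a constructed inventory, reporting zone assignments that break the rules and zones whose membership CDO reads differently from the device. The dictionary layout, the interface and zone names, and the finding labels are assumptions for illustration, not a CDO or FTD export format.

```python
# Constructed inventory for illustration; not a CDO or FTD export format.
# interface name -> (mode, kind)
INTERFACES = {
    "inside": ("routed", "data"),
    "outside": ("routed", "data"),
    "tap1": ("passive", "data"),
    "bvi1": ("routed", "bvi"),
    "diagnostic": ("routed", "diagnostic"),
    "tunnel1": ("routed", "vti"),
}
# zone name -> (mode, member interface names)
ZONES = {
    "inside_zone": ("routed", ["inside", "bvi1"]),
    "outside_zone": ("routed", ["outside", "tap1"]),
    "mgmt_zone": ("routed", ["diagnostic", "inside"]),
    "vpn_zone": ("routed", ["tunnel1"]),
}

def audit(interfaces, zones):
    """Return (zone, interface, problem) for every broken zone rule."""
    findings, assigned = [], {}
    for zone, (zone_mode, members) in zones.items():
        for name in members:
            mode, kind = interfaces[name]
            if kind == "vti":
                continue  # reported by vti_dropped() instead
            if kind == "bvi":
                findings.append((zone, name, "bvi"))  # add its member interfaces
            elif kind in ("diagnostic", "management"):
                findings.append((zone, name, "non-data"))
            elif mode != zone_mode:
                findings.append((zone, name, "mode-mismatch"))
            if name in assigned:
                findings.append((zone, name, "multi-zone"))
            assigned.setdefault(name, zone)
    return findings

def vti_dropped(interfaces, zones):
    """Per zone: VTI members CDO ignores, and the membership it reads."""
    report = {}
    for zone, (_, members) in zones.items():
        vtis = [m for m in members if interfaces[m][1] == "vti"]
        if vtis:
            kept = [m for m in members if m not in vtis]
            report[zone] = {"ignored": vtis, "cdo_reads": kept}
    return report

if __name__ == "__main__":
    for finding in audit(INTERFACES, ZONES):
        print(*finding)
    print(vti_dropped(INTERFACES, ZONES))
```

In this sample, `vpn_zone` contains only a VTI, so the membership CDO reads for it is empty; rules that depend on such a zone are worth reviewing on the device itself.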
See Security Zone Object for more information about security zones.