Learn about the requirements you need for Clean Pipe
deployments.
Before you start, be aware of the following Clean Pipe
deployment requirements and of the following differences
between Prisma Access for Clean Pipe and other Prisma Access deployments:
You must have a Prisma Access for Clean Pipe license.
The Prisma Access for Clean Pipe license is a separate license from
other Prisma Access products. However, the same requirements for
purchasing and installing Panorama and Strata Logging Service licenses
apply to Clean Pipe.
Prisma Access for Clean Pipe has the following GCP Partner
Interconnect requirements:
You must be able to create a Partner Interconnect in GCP.
You must have the ability to create VLAN attachments in GCP.
For Layer 2 (L2) partner interconnects, you must have access
to the customer edge (CE) router on the MSSP side and be able to
make configuration changes to it.
For more information about GCP configuration, refer to the GCP documentation.
Be aware of the minimum bandwidth requirements for the Clean
Pipe deployment.
The minimum license you can purchase is 1000 Mbps. The minimum
bandwidth allocation for each Clean Pipe tenant is 100 Mbps.
After you create a tenant, you can create clean pipes in that tenant.
Each clean pipe must be a minimum of 100 Mbps. Each Clean Pipe shares
the tenant’s access domains, templates, template stack, and device group.
If you configure multiple Clean Pipes for a single tenant,
each Clean Pipe must use a unique location. If you want
to configure two VLAN attachments for a single Clean Pipe location
in an active/backup configuration for intra-zone redundancy, specify
the REDUNDANT choice when you add a new Clean Pipe instance.
When creating a connection within a Clean Pipe tenant, match
the bandwidth allocation to that of the VLAN attachment. Do not
create a VLAN attachment that has a bandwidth that is higher or
lower than the connection's bandwidth.
After you enable multitenancy, do not configure your Clean
Pipe deployment with any of the other tabs in the Configuration
area, with the exception of the Generate API key link
in the Service Setup tab, which lets you
generate an API key to retrieve Clean Pipe IP addresses. All configuration
is unique to Prisma Access for Clean Pipe and separate from other
Prisma Access deployments, such as Prisma Access for Networks or
Prisma Access for Users.
Do not make changes to a Clean Pipe configuration after you
commit it. If you change a Clean Pipe after it’s been committed,
you will receive a commit error when you re-commit it. Instead,
delete the existing Clean Pipe and add a new one. Schedule this
change during a system downtime window. If you already made changes
and have not yet committed, you can revert the changes by editing
the Clean Pipe configuration back to its previous values.
Note that the locations used by Clean Pipe differ from other
Prisma Access deployments. Prisma Access for Clean Pipe supports
the following locations:
asia-east1
asia-east2
asia-northeast1
asia-south1
asia-southeast1
australia-southeast1
europe-north1
europe-west2
europe-west3
europe-west4
northamerica-northeast1
southamerica-east1
us-central1
us-east1
us-east4
us-west1
us-west2
Note the following networking restrictions for Clean Pipe:
QoS for Clean Pipe is supported on ingress (from internet to
Clean Pipe direction) only.
User-ID is not supported.
Clean Pipe supports session affinity based on source and
destination IP addresses; this behavior is not configurable.
Trust-to-Trust policies are invalid for Clean Pipe, because
the traffic is always internet-bound. Only use Trust-to-Untrust
policies.
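Because a committed Clean Pipe cannot be edited, only deleted and re-created, it helps to check a planned deployment against the requirements above before committing. The following is an added example, not Palo Alto Networks code; the plan layout (dictionary keys, tenant and pipe names) is hypothetical and is not a Panorama or Prisma Access format.

```python
# Added example: the plan layout below is hypothetical, not a Panorama format.
SUPPORTED_LOCATIONS = {
    "asia-east1", "asia-east2", "asia-northeast1", "asia-south1",
    "asia-southeast1", "australia-southeast1", "europe-north1",
    "europe-west2", "europe-west3", "europe-west4", "us-central1",
    "northamerica-northeast1", "southamerica-east1", "us-east1",
    "us-east4", "us-west1", "us-west2",
}

def validate_plan(plan):
    """Return a list of violations of the requirements listed on this page."""
    errors = []
    if plan["license_mbps"] < 1000:
        errors.append("license: below the 1000 Mbps minimum")
    for tenant in plan["tenants"]:
        name = tenant["name"]
        if tenant["bandwidth_mbps"] < 100:
            errors.append(f"{name}: tenant allocation below 100 Mbps")
        seen = set()  # locations already used by this tenant's clean pipes
        for pipe in tenant["clean_pipes"]:
            where = f"{name}/{pipe['name']}"
            loc = pipe["location"]
            if loc not in SUPPORTED_LOCATIONS:
                errors.append(f"{where}: unsupported location {loc}")
            if loc in seen:
                errors.append(f"{where}: location {loc} already used in tenant")
            seen.add(loc)
            if pipe["bandwidth_mbps"] < 100:
                errors.append(f"{where}: clean pipe below 100 Mbps")
            vlans = pipe["vlan_attachment_mbps"]
            if any(v != pipe["bandwidth_mbps"] for v in vlans):
                errors.append(f"{where}: VLAN attachment bandwidth differs from connection")
            if len(vlans) == 2 and not pipe.get("redundant", False):
                errors.append(f"{where}: two VLAN attachments require REDUNDANT")
        for src, dst in tenant.get("policy_zone_pairs", []):
            if (src, dst) != ("Trust", "Untrust"):
                errors.append(f"{name}: {src}-to-{dst} policy; use Trust-to-Untrust only")
    return errors

# Constructed sample plan containing three deliberate mistakes.
SAMPLE_PLAN = {"license_mbps": 1000, "tenants": [{
    "name": "tenant-a", "bandwidth_mbps": 500,
    "policy_zone_pairs": [("Trust", "Untrust"), ("Trust", "Trust")],
    "clean_pipes": [
        {"name": "cp1", "location": "us-east1", "bandwidth_mbps": 200,
         "vlan_attachment_mbps": [200, 200], "redundant": True},
        {"name": "cp2", "location": "us-east1", "bandwidth_mbps": 100,
         "vlan_attachment_mbps": [200]},
    ]}]}
```

Calling validate_plan(SAMPLE_PLAN) reports the reused location, the mismatched VLAN attachment bandwidth, and the Trust-to-Trust policy.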