Get private connectivity to hybrid cloud and on-premises data centers over Cloud
Interconnects.
Where Can I Use This?
What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
A Prisma Access (Managed by Panorama) deployment running a minimum
Cloud Services plugin version of 4.1 and a minimum dataplane version of
10.2.4
A Colo-Connect add-on license
Today, large enterprises are building Colo-based performance hubs to reach private
applications in hybrid, multicloud architectures because of the high-bandwidth and
low-latency requirements. Typically, these hubs include interconnects to one or more
cloud providers and connections to the on-premises data centers over a private or leased
WAN. Performance hubs can route traffic between the public cloud and on-premises
infrastructure at high speed, and are resilient because of the underlying interconnect
infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth
(up to 20 Gbps) private connections along with seamless Layer 2/3 connectivity to Prisma
Access from existing performance hubs. The following figure shows Prisma Access being
onboarded in a GCP instance using service connections and direct or partner
interconnects. This setup limits exposure to the internet and allows the use of private
connections for private application connectivity.
Prisma Access Colo-Connect leverages the cloud native GCP interconnect technology to
provide high-bandwidth service connections to your private applications with the
following capabilities:
High bandwidth (up to 20 Gbps) throughput per region for private
application access
Support for multiple VLAN attachments per interconnect link.
Regional redundancy
Colo-Connect Use Cases
Prisma Access Colo-Connect provides high-bandwidth bidirectional
connectivity to secure private apps, as shown in the following use cases.
High-Bandwidth Access to Private Apps
If your organization has network presence in a Colo and you are
leveraging Colo facilities to build private connectivity to the apps that are
hosted on-premise, in the public cloud, or both, Prisma Access can become part
of that Colo infrastructure via Colo-Connect. You can configure Colo-Connect
with either a dedicated or partner interconnect provided by GCP
to get up to 20 Gbps throughput per region for private app access.
For example, you have one or more data centers or headquarters locations that
have direct connectivity to the Colo, and you want to connect to Prisma Access
for high-bandwidth, secure private app access. In this case, you could use a
partner interconnect with Prisma Access Colo-Connect to provide users secure
access to the apps. Since the equipment in the Colo is peered to the public
cloud as well as your data center, you could also provide access to any private
apps that are hosted in the public cloud.
Colo-Connect coexists with the existing IPSec tunnel-based service connections,
so if you have a need to provide private app access to smaller data centers that
don’t require high-bandwidth, multi-gigabit throughput, you could also use
service connections to those data centers. You can configure service connections
using BGP routing to make your network compatible with service connections and
Colo-Connect connections.
Private Connectivity for Private Applications
Colo-Connect can leverage a private network for users to access private apps
instead of accessing them over the internet, adding an extra level of control
and security for the private apps.
Using a Third-Party NaaS Provider
In this use case, you’re leveraging third-party Network as a Service
(NaaS) providers such as Megaport and PacketFabric to connect between the Colo
and your applications running in public clouds or with SaaS providers such as
salesforce.com or Box. You want to establish network connectivity between the
third-party networks and Prisma Access to provide high-bandwidth access to the
connected services, clouds, and applications. You can:
Use networking equipment from a NaaS provider as a hub to
provide connectivity between users and applications running in public
cloud VPCs or public SaaS providers in a given region.
Establish BGP session between the NaaS provider’s networking
equipment and Prisma Access.
Using third-party NaaS solutions with Prisma Access Colo-Connect has not been
validated by Palo Alto Networks. You are advised to evaluate supported
capabilities with the third-party provider, including setting up an
interconnect to GCP and creating GRE tunnels to Prisma Access for the
Colo-Connect service connections.
How is Colo-Connect Different from Service Connections and ZTNA Connector?
Palo Alto Networks offers three ways to secure access to private applications: service connections, ZTNA Connector, and Colo-Connect. Service connections and
ZTNA Connector both secure access to private applications over the internet, while
Colo-Connect establishes a private connection to your data center. See the table
below for a comparison of bandwidth and differentiating factors.
