Prisma Access Colo-Connect

Get private connectivity to hybrid cloud and on-premises data centers over Cloud Interconnects.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • A Prisma Access (Managed by Panorama) deployment running a minimum Cloud Services plugin version of 4.1 and a minimum dataplane version of 10.2.4
  • A Colo-Connect add-on license
Today, large enterprises are building Colo-based performance hubs to reach private applications in hybrid, multicloud architectures because of their high-bandwidth and low-latency requirements. Typically, these hubs include interconnects to one or more cloud providers and connections to the on-premises data centers over a private or leased WAN. Performance hubs can route traffic between the public cloud and on-premises infrastructure at high speed, and are resilient because of the underlying interconnect infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth (up to 20 Gbps) private connections along with seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs. The following figure shows Prisma Access being onboarded in a GCP instance using service connections and direct or partner interconnects. This setup limits exposure to the internet and allows the use of private connections for private application connectivity.
Prisma Access Colo-Connect leverages the cloud-native GCP interconnect technology to provide high-bandwidth service connections to your private applications with the following capabilities:
  • High bandwidth (up to 20 Gbps) throughput per region for private application access
  • Support for both Dedicated and Partner interconnects using Google Cloud Platform (GCP)
  • Support for multiple VLAN attachments per interconnect link
  • Regional redundancy

Colo-Connect Use Cases

Prisma Access Colo-Connect provides high-bandwidth bidirectional connectivity to secure private apps, as shown in the following use cases.

High-Bandwidth Access to Private Apps

If your organization has network presence in a Colo and you are leveraging Colo facilities to build private connectivity to the apps that are hosted on-premises, in the public cloud, or both, Prisma Access can become part of that Colo infrastructure via Colo-Connect. You can configure Colo-Connect with either a dedicated or partner interconnect provided by GCP to get up to 20 Gbps throughput per region for private app access.
For example, you have one or more data centers or headquarters locations that have direct connectivity to the Colo, and you want to connect to Prisma Access for high-bandwidth, secure private app access. In this case, you could use a partner interconnect with Prisma Access Colo-Connect to provide users secure access to the apps. Since the equipment in the Colo is peered to the public cloud as well as your data center, you could also provide access to any private apps that are hosted in the public cloud.
Colo-Connect coexists with the existing IPSec tunnel-based service connections, so if you have a need to provide private app access to smaller data centers that don’t require high-bandwidth, multi-gigabit throughput, you could also use service connections to those data centers. You can configure service connections using BGP routing to make your network compatible with service connections and Colo-Connect connections.

Private Connectivity for Private Applications

Colo-Connect can leverage a private network for users to access private apps instead of accessing them over the internet, adding an extra level of control and security for the private apps.

Using a Third-Party NaaS Provider

In this use case, you’re leveraging third-party Network as a Service (NaaS) providers such as Megaport and PacketFabric to connect between the Colo and your applications running in public clouds or with SaaS providers such as salesforce.com or Box. You want to establish network connectivity between the third-party networks and Prisma Access to provide high-bandwidth access to the connected services, clouds, and applications. You can:
  • Use networking equipment from a NaaS provider as a hub to provide connectivity between users and applications running in public cloud VPCs or public SaaS providers in a given region.
  • Establish a BGP session between the NaaS provider’s networking equipment and Prisma Access.
Using third-party NaaS solutions with Prisma Access Colo-Connect has not been validated by Palo Alto Networks. You are advised to evaluate supported capabilities with the third-party provider, including setting up an interconnect to GCP and creating GRE tunnels to Prisma Access for the Colo-Connect service connections.

How is Colo-Connect Different from Service Connections and ZTNA Connector?

Palo Alto Networks offers three ways to secure access to private applications: service connections, ZTNA Connector, and Colo-Connect. Service connections and ZTNA Connector both secure access to private applications over the internet, while Colo-Connect establishes a private connection to your data center. See the table below for a comparison of bandwidth and differentiating factors.
| Functionality / Deployment Type | Colo-Connect | ZTNA Connector | Service Connections |
|---|---|---|---|
| Maximum bandwidth per compute region | 20 Gbps | 10 Gbps | 5 Gbps |
| Throughput | 20 Gbps bidirectional private connectivity to datacenter | Up to 10 Gbps per datacenter | 1 Gbps per connection |
| Compatible with SDN/NaaS providers such as Equinix Cross-Connect and Megaport | Yes | No | No |
| Overlapped Networks Across the Data Centers | No | Yes | No |
| Other benefits | Simple onboarding into existing deployments that are hybrid and multi-cloud via Colo | Simplified private application onboarding in hybrid and multicloud deployments | Supports on-premises Active Directory |
| Requires On-Premises Deployment? | No | Yes | No |

Colo-Connect Unsupported Features and Functionality

The following features and functionality are not supported with Colo-Connect: