| Where Can I Use This? | What Do I Need? |
| --- | --- |
| Prisma Access (Managed by Strata Cloud Manager); Prisma Access (Managed by Panorama) | A Prisma Access (Managed by Panorama) deployment running a minimum Cloud Services plugin version of 4.1 and a minimum dataplane version of 10.2.4; a Colo-Connect add-on license |
Before you start Colo-Connect onboarding and configuration, review this checklist of required information and prerequisites.

- Make sure that you have access to the Colo facility provider (for example, you have access to the Equinix Customer Portal).
- Make sure that your CPE can support GRE and BGP. Colo-Connect service connections use GRE tunnels.
- Decide which interconnect type you will use for Colo-Connect (a partner or dedicated interconnect).
  - Partner Interconnect—A pairing key from Prisma Access is required for partner interconnects. You receive this key during Prisma Access onboarding. If you create a partner interconnect, make sure that the service provider (SP) is an approved SP with GCP and the connectivity between the SP and GCP is already established.
  - Be familiar with the basic network interconnections so that you can configure the circuits. After you provision the dedicated interconnect, you must test it.
- Subnet Requirements—Determine the RFC-1918 IPv4 subnets you will use for each Colo-Connect connection per region. Prisma Access uses these subnets for internal communication and networking.
  - Make the subnets unique among all Colo-Connect regions in a given tenant.
  - The Colo-Connect subnet can't overlap with the Prisma Access infra subnet and mobile users pool.
  - Use a minimum subnet size of /28.
- Link (Interconnect) Requirements—Follow these guidelines when configuring links:
  - Each Colo-Connect add-on license includes one link of 10 Gbps capacity. You need a minimum of two links, which means you need to purchase a minimum of two licenses in a Colo-Connect deployment.
  - Onboard two links in each region. Both of these links should be in different availability zones (edge domains).
  - (Dedicated interconnect deployments only) If you want to onboard more than six links in a tenant, reach out to your Palo Alto Networks account representative or partner, who will contact the Site Reliability Engineering (SRE) team and submit a request to increase the quota for a given tenant.
- Connection Requirements—
  - Onboard two connections in each region. Both connections should be in different edge domains.
  - Connections in active/backup or active/active mode must have the same bandwidth.
  - Decide whether you want to set up your connections in an active/active or active/backup configuration.
- Colo-Connect Service Connection Requirements—
  - Each service connection requires two connections.
  - Each connection for a given service connection must be on a different link and a different edge domain.
  - Make a note of the addresses that you will use as the BGP IP address with colo-router and the GRE tunnel local IP addresses. You use these addresses during service connection creation.
  - Service connections must be on the same link type (either Partner Interconnect links or Dedicated Interconnect links).
- Interoperability with existing IPSec-Based Service Connections—Palo Alto Networks strongly recommends that you deploy Colo-Connect and IPSec tunnel-based service connections in different regions. In addition, if you're migrating from an IPSec tunnel-based service connection to a Colo-Connect service connection, you must schedule a maintenance window. After the migration, remove the IPSec-based service connection once the Colo-Connect service connection is up and running and before the maintenance window expires.
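
The Subnet Requirements above can be checked before onboarding with a short script. This is an added example, not Palo Alto Networks code; the function name, region names and addresses are hypothetical, and it assumes "minimum subnet size of /28" means a prefix length of 28 or shorter and that the mobile users pool may consist of several CIDR blocks.

```python
import ipaddress

# The three RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PREFIXLEN = 28  # assumption: "minimum subnet size of /28" means /28 or larger


def check_subnet_plan(colo_subnets, infra_subnet, mobile_pools):
    """Return a list of violations (empty list = plan passes).

    colo_subnets maps region name -> CIDR; infra_subnet is a CIDR;
    mobile_pools is a list of CIDRs (hypothetical input layout).
    """
    problems = []
    reserved = {"infra subnet": ipaddress.ip_network(infra_subnet)}
    for i, pool in enumerate(mobile_pools):
        reserved[f"mobile users pool #{i + 1}"] = ipaddress.ip_network(pool)
    parsed = {}  # region -> network, for the cross-region uniqueness check
    for region, cidr in colo_subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict mode rejects host bits
        except ValueError as exc:
            problems.append(f"{region}: {cidr} is not a valid network ({exc})")
            continue
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{region}: {net} is not an RFC 1918 IPv4 subnet")
            continue
        if net.prefixlen > MAX_PREFIXLEN:
            problems.append(f"{region}: {net} is smaller than /{MAX_PREFIXLEN}")
        for name, other in reserved.items():
            if net.overlaps(other):
                problems.append(f"{region}: {net} overlaps the {name} {other}")
        for seen_region, seen in parsed.items():
            if net.overlaps(seen):
                problems.append(f"{region}: {net} overlaps {seen_region} subnet {seen}")
        parsed[region] = net
    return problems


# Constructed sample plan; every name and address here is invented.
SAMPLE_PLAN = {
    "us-east": "10.50.0.0/28",
    "us-west": "10.50.0.8/29",    # too small, and inside the us-east subnet
    "eu-west": "172.16.10.0/28",  # collides with the infra subnet used below
    "ap-south": "100.64.0.0/28",  # CGNAT space, not RFC 1918
}

if __name__ == "__main__":
    for line in check_subnet_plan(SAMPLE_PLAN, "172.16.0.0/16", ["10.60.0.0/16"]):
        print(line)
```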