Partner Interconnect—A pairing key from Prisma Access is required
for partner interconnects. You receive this key during Prisma Access
onboarding.
If you create a partner interconnect, make sure that the
service provider (SP) is an approved SP with GCP and
the connectivity between the SP and GCP is already established.
Dedicated Interconnect—
Determine the location of the Colo
where the cross-connect cable will be connected before you begin
onboarding in Prisma Access. The Colo location is required for
Palo Alto Networks to order the dedicated
link
Be familiar with the basic network interconnections
so that you can configure the circuits.
After you provision the dedicated interconnect, you must
test it.
Subnet Requirements—Determine the RFC-1918 IPv4 subnets you will use
for each Colo-Connect connection per region. Prisma Access uses these
subnets for internal communication and networking.
Make the subnets unique among all Colo-Connect regions in a given tenant. The
Colo-Connect subnet can't overlap with the Prisma Access infra subnet and
mobile users pool. Use a minimum subnet size of /28.
Link (Interconnect) Requirements—Follow these guidelines when configuring
links:
Each Colo-Connect add-on license includes one link of 10 Gbps capacity.
You need a minimum of two links, which means you need to purchase a
minimum of two licenses in a Colo-Connect deployment.
Onboard two links in each region.
Both of these links should be in
different availability zones (edge domains).
(Dedicated interconnect deployments only) If you want to
onboard more than six links in a tenant, reach out to your Palo Alto
Networks account representative or partner, who will contact the Site
Reliability Engineering (SRE) team and submit a request to increase the
quota for a given tenant.
Connection Requirements—
Onboard two connections in each region.
Both connections should be in
different edge domains.
Connections in active/backup or
active/active mode must be the same bandwidth.
Decide whether you want to set up your connections in an active/active
or active/backup configuration.
Colo-Connect Service Connection Requirements—
Each service connection requires two connections.
Each connection for a given service connection must be on a different
link and a different edge domain.
Make a note of the addresses that you will use as the BGP IP address
with colo-router and the GRE tunnel local IP addresses. You use these
addresses during service connection creation.
Service connections must be on the same link type (either Partner
Interconnect links or Dedicated Interconnect links).
Interoperability with existing IPSec-Based Service Connections—Palo Alto
Networks strongly recommends that you deploy Colo-Connect and IPSec tunnel-based
service connections in different regions. In addition, if you're migrating from
an IPSec tunnel-based service connection to a Colo-Connect service connection,
you must schedule a maintenance window. After you have migrated from an IPSec
tunnel-based service connection to a Colo-Connect service connection, remove the
IPSec-based service connection after the Colo-Connect service connection is up
and running and before the maintenance window expires.