If there is a single active service connection in a site, Prisma Access selects the backup service connection in that site to route the traffic.

If there are multiple active service connections in a site, Prisma Access selects another of the active service connections to route the traffic, and the backup service connection is only used to route traffic when all active service connections go down.

Different Cloud Providers in the Same Geographical Region—If you are an organization (such as a bank) that requires your data to be accessed in a specific country, you can select a Preferred location from that country and an Alternate location from that same country. The following example shows an organization in the UK that onboards their service connections in the UK to follow data location regulations. In this case, the organization’s administrator onboards two service connections in UK, UK-Active in the UK location and UK-Backup in the UK PA-A location. The UK location is hosted by the preferred cloud provider (GCP) in the UK, and the UK PA-A location is hosted by the alternate cloud provider (AWS) in that country. The list of in-country locations shows the preferred and alternate cloud provider for a country. The administrator then creates a site and designates UK-Active as the active location and UK-Backup as the backup location in that site.

During normal operation, mobile users access internal resources at the HQ or data center using the UK-Active service connection.

If a GCP outage affects the UK-Active service connection, Prisma Access fails over to the UK-Backup service connection, which is hosted on AWS. In this way, Prisma Access allows mobile users access to the resources at the data center or HQ, even in the event of a cloud provider outage. The following diagram shows the traffic flow.

Different Geographical Regions—If you want to ensure redundancy in case of a regional outage, you can specify two or more service connections in different compute locations as well as different cloud providers, which provide you with backup access in the event of an outage in a geographical region. In the following diagram, the administrator has onboarded service connections from locations in the United States (US-Active in the US Southwest location and US-Backup in the US Northwest PA-A location) and created a site making US-Active the active service connection in the site and US-Backup the backup.

Since you have onboarded service connections that are in different compute locations as well as different cloud providers, you have configured a site that provides you with both geographical and cloud provider redundancy.

If the US-Active location goes down (either because of a cloud provider or regional outage), the service connection fails over to the US-Backup location, which uses a different cloud provider and compute location from the US-Active service connection, as shown in the following diagram.

High-Bandwidth Connection Using Multiple Service Connections—If you require a higher-bandwidth connection to your internal resources, you can create a site with multiple active connections. The following diagram shows four sites being onboarded, with a mix of GCP and AWS cloud providers being used:

In the site, three of the service connections are designated as active service connections, with a fourth service connection being designated as backup. Designating three service connections as active effectively gives you three times the bandwidth to your internal resources when compared to a single service connection.

If one of the active service connections goes down, the backup connection isn’t put into use; instead, Prisma Access diverts the traffic to the remaining active service connections that are up, as shown in the following diagram.

If all the active service connections go down, then the backup service connection is put into use and made the active connection.

You can add service connections using either Preferred or Alternate locations in a site.

Palo Alto Networks highly recommends that you use the preferred cloud provider as the active service connection in a site.

All service connections in a site must point to the same resource in the same HQ or data center location. You cannot have service connections in a site pointing to different resources in different locations.

You must select at least one active service connection in a site; however, you can also have multiple active service connections in a single site. The following site configuration is valid:

If you have multiple active service connections in a site and an active service connection goes down, traffic is diverted to the other active service connection (that is, the backup service connection is not utilized as long as one of the active service connections is up).

Use the following guidelines for static and dynamic service connection routing:

Prisma Access uses BGP Multi Exit Discriminator (MED) values to distinguish between active and backup service connections in a site as shown in the following table. Note that the MED values for active service connections change depending on whether or not you have enabled a secondary IPSec tunnel for the active service connection. Prisma Access advertises these MED values to the CPE (BGP peer).

Make a note of additional routing changes that happen for a backup service conneciton.

You can add multiple sites in a single Prisma Access deployment, as shown in the following diagram.

You can still use a single, standalone service connection to access internal resources. You an also mix standalone service connections with active and backup service connections, as shown in the following diagram.

Service Connection multi-cloud redundancy is not supported when using Hot Potato routing for service connections.

Don’t use CLI to onboard and configure service connections. If you require the use of CLI to onboard service connections, reach out to your Palo Alto Networks team.