Service Connection Overview

Use service connections to connect users to the resources they need in your data center or HQ locations (for example, provide users access to a RADIUS or Active Directory authentication server).
Even if you don’t require access to resources at your HQ or data center sites, you should create a service connection to allow communication between mobile users and remote networks. See Create a Service Connection to Enable Access between Mobile Users and Remote Networks for details.
You can set up service connections to up to 100 of your headquarters and/or data center sites. The first three service connections are included with no license cost; each connection after the third uses 300 Mbps from your licensed remote network bandwidth pool. GlobalProtect cloud service does not limit the bandwidth over these connections.
If you configure GlobalProtect cloud service to manage multiple tenants, the maximum number of licensed service connections does not increase; you can still configure a maximum of three service connections per license, and each additional service connection uses 300 Mbps from your licensed bandwidth pool.
In order for the GlobalProtect cloud service to route users to the resources they need, you must provide the routes to the resources. You can do this in one or more of the following ways:
  • Define a static route to each subnetwork or specific resource that you want your users to be able to access.
  • Configure BGP between your service connection locations and the GlobalProtect cloud service.
  • Use a combination of both methods.
    If you both configure static routes and enable BGP, the static routes take precedence. Static routes can be convenient if you have just a few subnetworks or resources you want to allow access to, but in a large data center/HQ environment where routes change dynamically, BGP enables you to scale more easily. Dynamic routing also provides redundancy for your service connections. If one service connection tunnel is down, BGP can dynamically route mobile user and remote network traffic over the operational service connection tunnel.
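A planning check for the points above, as an added example that is not part of the product or its documentation: it takes a constructed inventory of service connections and reports the bandwidth drawn from the pool, the prefixes where a static route overrides a BGP route, and the prefixes that BGP cannot fail over. The site names, the prefixes, the plan format, and the reading that precedence applies to identical prefixes and that failover needs BGP advertisement on at least two connections are assumptions.

```python
import ipaddress
from collections import defaultdict

FREE_CONNECTIONS = 3         # page: first three connections carry no license cost
EXTRA_CONNECTION_MBPS = 300  # page: each further connection uses 300 Mbps of the pool
MAX_CONNECTIONS = 100        # page: up to 100 HQ and/or data center sites

# Constructed sample plan (hypothetical sites and prefixes).
SAMPLE_PLAN = {
    "dc-east": {"static": ["10.1.0.0/16"], "bgp": ["10.1.0.0/16", "10.2.0.0/16"]},
    "dc-west": {"static": [], "bgp": ["10.2.0.0/16"]},
    "hq": {"static": ["10.9.0.0/24"], "bgp": []},
    "lab": {"static": ["10.9.8.0/24"], "bgp": []},
}


def pool_usage_mbps(plan):
    """Mbps the plan draws from the licensed remote network bandwidth pool."""
    if len(plan) > MAX_CONNECTIONS:
        raise ValueError(f"{len(plan)} service connections exceeds {MAX_CONNECTIONS}")
    return max(0, len(plan) - FREE_CONNECTIONS) * EXTRA_CONNECTION_MBPS


def audit_routes(plan):
    """Flag prefixes whose static route wins over BGP or that lack BGP failover."""
    static_sites, bgp_sites = defaultdict(set), defaultdict(set)
    for site, routes in plan.items():
        # ip_network() rejects malformed prefixes and prefixes with host bits set.
        for prefix in routes["static"]:
            static_sites[ipaddress.ip_network(prefix)].add(site)
        for prefix in routes["bgp"]:
            bgp_sites[ipaddress.ip_network(prefix)].add(site)
    prefixes = sorted(set(static_sites) | set(bgp_sites),
                      key=lambda n: (n.version, n))
    return {
        # Assumption: precedence is applied when the same prefix has both sources.
        "static_overrides_bgp": [str(p) for p in prefixes
                                 if p in static_sites and p in bgp_sites],
        # Assumption: failover needs the prefix advertised on two or more connections.
        "no_bgp_failover": [str(p) for p in prefixes
                            if len(bgp_sites.get(p, ())) < 2],
    }


if __name__ == "__main__":
    print("pool usage (Mbps):", pool_usage_mbps(SAMPLE_PLAN))
    for finding, found in audit_routes(SAMPLE_PLAN).items():
        print(finding, found)
```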
