Prisma Access Colo-Connect

Get private connectivity to hybrid cloud and on-premises data centers over Cloud Interconnects.
Where Can I Use This?
  • Prisma Access (Panorama Managed)
What Do I Need?
  • A Panorama Managed Prisma Access deployment running Cloud Services plugin version 4.1 or later and dataplane version 10.2.4 or later
  • A Colo-Connect add-on license
Today, large enterprises are building Colo-based performance hubs to reach private applications in hybrid, multicloud architectures because of the high-bandwidth and low-latency requirements. Typically, these hubs include interconnects to one or more cloud providers and connections to the on-premises data centers over a private or leased WAN. Performance hubs can route traffic between the public cloud and on-premises infrastructure at high speed, and are resilient because of the underlying interconnect infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth (up to 20 Gbps) private connections along with seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs. The following figure shows Prisma Access being onboarded in a GCP instance using service connections and direct or partner interconnects. This setup limits exposure to the internet and allows the use of private connections for private application connectivity.
Prisma Access Colo-Connect leverages the cloud native GCP interconnect technology to provide high-bandwidth service connections to your private applications with the following capabilities:
  • High bandwidth (up to 20 Gbps) throughput per region for private application access
  • Support for both Dedicated and Partner Interconnects using Google Cloud Platform (GCP)
  • Support for multiple VLAN attachments per interconnect link
  • Regional redundancy

Colo-Connect Components

Prisma Access Colo-Connect consists of the following components:
  • Colo—The colocation facility (for example, Equinix) that provides rack space, power, and connectivity to host networking equipment and private and public cloud infrastructure.
  • Dedicated Interconnect—The dedicated Layer 2 or Layer 3 physical connection between your router and a GCP edge router in a given GCP compute region. A Dedicated Interconnect provides a direct physical connection between your on-premises network and the Google network. Interconnects are called Links in the Prisma Access UI.
  • GCP VLAN Attachment—The logical Layer 2 connection over the link that separates its traffic from any other logical connections sharing the same link. VLAN attachments are called Connections in the Prisma Access UI.
  • Partner Interconnect—The Layer 3 physical connection between a service provider-owned router and a GCP edge router in a given GCP compute region. A Partner Interconnect provides connectivity between your on-premises and VPC networks through a supported service provider. Colo-Connect supports both Dedicated and Partner Interconnects.
  • Colo (Customer) Router—The routing device in the Colo facility that establishes eBGP with the GCP cloud router over the interconnect, and a second eBGP session with the Colo-Connect service connection over the GRE tunnel. You own this router for a Dedicated Interconnect, or for a Partner Interconnect when the service provider offers Layer 2 connectivity with GCP; the service provider owns it when the provider has Layer 3 connectivity with the GCP cloud router.
  • GCP Edge Router—GCP's network edge equipment that provides physical connectivity between GCP and the customer or partner network via the Colo.
  • Cloud Router—The GCP software construct that establishes BGP sessions with the networking device (for example, a router or Layer 3 firewall) in the Colo and routes traffic between Prisma Access and your network. You do not configure this component; Prisma Access configures it automatically.

Colo-Connect Use Cases

Prisma Access Colo-Connect provides high-bandwidth bidirectional connectivity to secure private apps, as shown in the following use cases.

High-Bandwidth Access to Private Apps

If your organization has a network presence in a Colo and you are leveraging Colo facilities to build private connectivity to apps that are hosted on-premises, in the public cloud, or both, Prisma Access can become part of that Colo infrastructure via Colo-Connect. You can configure Colo-Connect with either a Dedicated or Partner Interconnect provided by GCP to get up to 20 Gbps throughput per region for private app access.
For example, you have one or more data centers or headquarters locations that have direct connectivity to the Colo, and you want to connect to Prisma Access for high-bandwidth, secure private app access. In this case, you could use a partner interconnect with Prisma Access Colo-Connect to provide users secure access to the apps. Since the equipment in the Colo is peered to the public cloud as well as your data center, you could also provide access to any private apps that are hosted in the public cloud.
Colo-Connect coexists with the existing IPSec tunnel-based service connections, so if you have a need to provide private app access to smaller data centers that don’t require high-bandwidth, multi-gigabit throughput, you could also use service connections to those data centers. You can configure service connections using BGP routing to make your network compatible with service connections and Colo-Connect connections.

Private Connectivity for Private Applications

Colo-Connect can leverage a private network for users to access private apps instead of accessing them over the internet, adding an extra level of control and security for the private apps.

Using a Third-Party NaaS Provider

In this use case, you’re leveraging third-party Network as a Service (NaaS) providers such as Megaport and PacketFabric to connect between the Colo and your applications running in public clouds or with SaaS providers such as salesforce.com or Box. You want to establish network connectivity between the third-party networks and Prisma Access to provide high-bandwidth access to the connected services, clouds, and applications. You can:
  • Use networking equipment from a NaaS provider as a hub to provide connectivity between users and applications running in public cloud VPCs or public SaaS providers in a given region.
  • Establish a BGP session between the NaaS provider’s networking equipment and Prisma Access.
Using third-party NaaS solutions with Prisma Access Colo-Connect has not been validated by Palo Alto Networks. You are advised to evaluate supported capabilities with the third-party provider, including setting up an interconnect to GCP and creating GRE tunnels to Prisma Access for the Colo-Connect service connections.

How is Colo-Connect Different from Service Connections and ZTNA Connector?

Palo Alto Networks offers three ways to secure access to private applications: service connections, ZTNA Connector, and Colo-Connect. Service connections and ZTNA Connector both secure access to private applications over the internet, while Colo-Connect establishes a private connection to your data center. The following table compares the bandwidth and differentiating factors of the three deployment types.

Functionality                                                                   | Colo-Connect                                                              | ZTNA Connector                                                                  | Service Connections
Maximum bandwidth per compute region                                            | 20 Gbps                                                                   | 10 Gbps                                                                         | 5 Gbps
Throughput                                                                      | 20 Gbps bidirectional private connectivity to data center                 | Up to 10 Gbps per data center                                                   | 1 Gbps per connection
Compatible with SDN/NaaS providers such as Equinix Cross-Connect and Megaport   | Yes                                                                       | No                                                                              | No
Overlapped networks across the data centers                                     | No                                                                        | Yes                                                                             | No
Other benefits                                                                  | Simple onboarding into existing hybrid and multicloud deployments via Colo | Simplified private application onboarding in hybrid and multicloud deployments  | Supports on-premises Active Directory
Requires on-premises deployment?                                                | No                                                                        | Yes                                                                             | No

Colo-Connect Unsupported Features and Functionality

The following features and functionality are not supported with Colo-Connect:
