Get private connectivity to hybrid cloud and on-premises data centers over Cloud
Interconnects.
Where Can I Use This?
What Do I Need?
Prisma Access
(Panorama Managed)
A Panorama Managed Prisma Access deployment running a minimum
Cloud Services plugin version of 4.1 and a minimum dataplane version of
10.2.4
A Colo-Connect add-on license
Today, large enterprises are building Colo-based performance hubs to reach private
applications in hybrid, multicloud architectures because of the high-bandwidth and
low-latency requirements. Typically, these hubs include interconnects to one or more
cloud providers and connections to the on-premises data centers over a private or leased
WAN. Performance hubs can route traffic between the public cloud and on-premises
infrastructure at high speed, and are resilient because of the underlying interconnect
infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth
(up to 20 Gbps) private connections along with seamless Layer 2/3 connectivity to Prisma
Access from existing performance hubs. The following figure shows Prisma Access being
onboarded in a GCP instance using service connections and direct or partner
interconnects. This setup limits exposure to the internet and allows the use of private
connections for private application connectivity.
Prisma Access Colo-Connect leverages the cloud native GCP interconnect technology to
provide high-bandwidth service connections to your private applications with the
following capabilities:
High bandwidth (up to 20 Gbps) throughput per region for private
application access
Support for multiple VLAN attachments per interconnect link.
Regional redundancy
Colo-Connect Components
Prisma Access Colo-Connect consists of the following components:
Colo
—The colocation facility that provides rack-space, power
and connectivity to host networking, private and public cloud
infrastructure, such as Equinix.
Dedicated Interconnect
—The dedicated Layer 2 or Layer 3
physical connection between your router and a GCP edge router in a given GCP
compute region. A dedicated Interconnect provides a direct physical
connection between your on-premises network and the Google network.
Interconnects are called
Links
in the Prisma Access UI.
GCP VLAN Attachment
—The logical Layer 2 connection over the
link that separates traffic from any other logical connections sharing the
same link.
VLAN attachments are called
Connections
in the Prisma Access UI.
Partner Interconnect
—The Layer 3 physical connection between
a service provider owned router and a GCP edge router in a given GCP compute
region. A partner Interconnect provides connectivity between your
on-premises and VPC networks through a supported service provider.
Colo-Connect supports both Dedicated and Partner interconnects.
Colo (Customer) Router
—The routing device in the Colo facility that
establishes eBGP with the GCP cloud router over the interconnect in the Colo
facility, as well as eBGP with Colo-Connect service connection over the GRE
tunnel. It is a customer router for a dedicated interconnect, or if the service
provider has Layer 2 connectivity with GCP over the partner interconnect. The
service provider owns the Colo router when it has Layer 3 connectivity with the
GCP cloud-router.
GCP Edge Router
—GCP's network edge equipment to provide physical
connectivity between GCP and the customer/partner network via the Colo.
Cloud Router
—The GCP software construct in the cloud that
establishes BGP sessions with the networking device (for example, router or
Layer 3 firewall) in the Colo and routes traffic between Prisma Access and
your network. You are not required to configure this component; it is
automatically done by Prisma Access.
Colo-Connect Use Cases
Prisma Access Colo-Connect provides high-bandwidth bidirectional
connectivity to secure private apps, as shown in the following use cases.
High-Bandwidth Access to Private Apps
If your organization has network presence in a Colo and you are
leveraging Colo facilities to build private connectivity to the apps that are
hosted on-premise, in the public cloud, or both, Prisma Access can become part
of that Colo infrastructure via Colo-Connect. You can configure Colo-Connect
with either a dedicated or partner interconnect provided by GCP
to get up to 20 Gbps throughput per region for private app access.
For example, you have one or more data centers or headquarters locations that
have direct connectivity to the Colo, and you want to connect to Prisma Access
for high-bandwidth, secure private app access. In this case, you could use a
partner interconnect with Prisma Access Colo-Connect to provide users secure
access to the apps. Since the equipment in the Colo is peered to the public
cloud as well as your data center, you could also provide access to any private
apps that are hosted in the public cloud.
Colo-Connect coexists with the existing IPSec tunnel-based service connections,
so if you have a need to provide private app access to smaller data centers that
don’t require high-bandwidth, multi-gigabit throughput, you could also use
service connections to those data centers. You can configure service connections
using BGP routing to make your network compatible with service connections and
Colo-Connect connections.
Private Connectivity for Private Applications
Colo-Connect can leverage a private network for users to access private apps
instead of accessing them over the internet, adding an extra level of control
and security for the private apps.
Using a Third-Party NaaS Provider
In this use case, you’re leveraging third-party Network as a Service
(NaaS) providers such as Megaport and PacketFabric to connect between the Colo
and your applications running in public clouds or with SaaS providers such as
salesforce.com or Box. You want to establish network connectivity between the
third-party networks and Prisma Access to provide high-bandwidth access to the
connected services, clouds, and applications. You can:
Use networking equipment from a NaaS provider as a hub to
provide connectivity between users and applications running in public
cloud VPCs or public SaaS providers in a given region.
Establish BGP session between the NaaS provider’s networking
equipment and Prisma Access.
Using third-party NaaS solutions with Prisma Access Colo-Connect has not been
validated by Palo Alto Networks. You are advised to evaluate supported
capabilities with the third-party provider, including setting up an
interconnect to GCP and creating GRE tunnels to Prisma Access for the
Colo-Connect service connections.
How is Colo-Connect Different from Service Connections and ZTNA Connector?
Palo Alto Networks offers three ways to secure access to private applications: service connections, ZTNA Connector, and Colo-Connect. Service connections and
ZTNA Connector both secure access to private applications over the internet, while
Colo-Connect establishes a private connection to your data center. See the table
below for a comparison of bandwidth and differentiating factors.
