A service connection, also known as a Corporate Access Node (CAN), allows mobile users and users
at remote networks access to private apps and resources and lets your mobile users and
remote networks communicate with each other.
In addition to Service Connections, Palo Alto Networks provides you with other services
you can use to access private apps:
ZTNA Connector—The Zero Trust Network Access (ZTNA)
Connector lets you connect
to your organization's private apps
simply and securely. ZTNA Connector provides mobile users and users at branch
locations access to your private apps using an automated secure tunnel. You can
also automatically discover private
apps for ZTNA to protect using the Cloud Identity Engine.
to secure private apps using a cloud interconnect that can
provide high-bandwidth service connections.
Palo Alto Networks recommends always creating a service connection in your
deployment. All service connections have these characteristics:
A service connection allows access to the resources in your HQ or data center.
For example, if your security policy requires user authentication using an
on-premises authentication service, such as your Active Directory, you will need
to access the corporate location where the service
resides (and set up a service account that the service can use to access it).
Similarly, if you have corporate resources that your remote networks and mobile
users will need to access, you must enable
to access the
corresponding corporate network.
If you create service connections for this reason, you should plan for the
service connections before implementing them.
A service connection allows remote networks and mobile users to communicate with
Even if you don’t need access to your HQ or data center, you might have a need to
allow your mobile users to access your remote network locations. In this case,
you can create a service connection with placeholder values. This is required
because, while all remote network connections are fully meshed, mobile users
connect to remote networks using the service connection in a hub-and-spoke
network. For this reason, you might also create a service connection with
placeholder values if your existing service connection is not in an ideal
Service connections do not support language localization because egress to the
internet is not supported over service connections.
one service IP address per service connection, and that IP address is
geographically registered to the compute location that
corresponds to the location you specify during onboarding.
The number of service
connections you receive depends on your
If you have a ZTNA or Enterprise license, the number of service connections
depends on your License edition. If you have a Local edition, you can configure
a maximum of two service connections; if you have a Worldwide edition, you can
configure a maximum of five service connections.
The ZTNA Connector lets you connect
to your organization's
private apps. ZTNA Connector provides mobile users and users at branch
locations access to your private apps using an automated secure tunnel. For
more information, see Prisma Access ZTNA Connector.
If you manage multiple tenants and
have a ZTNA or Enterprise license, the number of service connections per tenant
depends on the number of units you allocate per tenant and the type of license
If you have a Global license and allocate at least 1,000 units for a
tenant, you can allocate a maximum of five service connections for that
If you have a Global license and allocate between 200 and 999 units for a
tenant, you can allocate a maximum of two service connections for that
tenant (the same as the number of connections for a Local
If you have a Local license, you can allocate a maximum of two service
connections per tenant, regardless of the number of units you allocate
past the minimum of 200.