Prisma Access Service Connections

Learn how service connections work in a Prisma Access deployment.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
A service connection, also known as a Corporate Access Node (CAN), gives mobile users and users at remote networks access to private apps and resources, and lets your mobile users and remote networks communicate with each other.
In addition to Service Connections, Palo Alto Networks provides you with other services you can use to access private apps:
  • ZTNA Connector—The Zero Trust Network Access (ZTNA) Connector lets you connect Prisma Access to your organization's private apps simply and securely. ZTNA Connector provides mobile users and users at branch locations access to your private apps using an automated secure tunnel. You can also automatically discover private apps for ZTNA to protect using the Cloud Identity Engine.
  • Prisma Access—Colo-Connect allows you to use Prisma Access to secure private apps using a cloud interconnect that can provide high-bandwidth service connections.
Palo Alto Networks recommends always creating a service connection in your Prisma Access deployment. All service connections have these characteristics:
  • A service connection allows access to the resources in your HQ or data center.
    For example, if your security policy requires user authentication using an on-premises authentication service, such as your Active Directory, you will need to enable Prisma Access to access the corporate location where the service resides (and set up a service account that the service can use to access it). Similarly, if you have corporate resources that your remote networks and mobile users will need to access, you must enable Prisma Access to access the corresponding corporate network.
    If you create service connections for this reason, you should plan for the service connections before implementing them.
  • A service connection allows remote networks and mobile users to communicate with each other.
    Even if you don’t need access to your HQ or data center, you might have a need to allow your mobile users to access your remote network locations. In this case, you can create a service connection with placeholder values. This is required because, while all remote network connections are fully meshed, mobile users connect to remote networks using the service connection in a hub-and-spoke network. For this reason, you might also create a service connection with placeholder values if your existing service connection is not in an ideal geographical location.
  • Service connections do not support language localization because egress to the internet is not supported over service connections. Prisma Access allocates only one service IP address per service connection, and that IP address is geographically registered to the compute location that corresponds to the location you specify during onboarding.
The number of service connections you receive depends on your Prisma Access license.
  • If you have a ZTNA or Enterprise license, the number of service connections depends on your license edition. If you have a Local edition, you can configure a maximum of two service connections; if you have a Worldwide edition, you can configure a maximum of five service connections.
    • The ZTNA Connector lets you connect Prisma Access to your organization's private apps. ZTNA Connector provides mobile users and users at branch locations access to your private apps using an automated secure tunnel. For more information, see Prisma Access ZTNA Connector.
  • If you manage multiple tenants and have a ZTNA or Enterprise license, the number of service connections per tenant depends on the number of units you allocate per tenant and the type of license you have.
    • If you have a Global license and allocate at least 1,000 units for a tenant, you can allocate a maximum of five service connections for that tenant.
    • If you have a Global license and allocate between 200 and 999 units for a tenant, you can allocate a maximum of two service connections for that tenant (the same as the number of connections for a Local deployment).
    • If you have a Local license, you can allocate a maximum of two service connections per tenant, regardless of the number of units you allocate past the minimum of 200.
    For both Global and Local licenses, you can purchase additional licenses for service connections if more are required. For service connections in advanced deployments, see Prisma Access Service Connection Advanced Deployments.
Before you can start configuring your service connections, review what information you need to gather first.