Prisma Access Service Connections

Learn how service connections work in a Prisma Access deployment.
A service connection, also known as a Corporate Access Node (CAN), allows mobile users and users at remote networks access to internal resources and lets your mobile users and remote networks communicate with each other. Palo Alto Networks recommends always creating a service connection in your Prisma Access deployment. All service connections have these characteristics:
  • A service connection allows access to the resources in your HQ or data center.
    For example, if your security policy requires user authentication using an on-premises authentication service, such as your Active Directory, you will need to enable Prisma Access to access the corporate location where the service resides (and set up a service account that the service can use to access it). Similarly, if you have corporate resources that your remote networks and mobile users will need to access, you must enable Prisma Access to access the corresponding corporate network.
    If you create service connections for this reason, you should plan for the service connections before implementing them.
  • A service connection allows remote networks and mobile users to communicate with each other.
    Even if you don’t need access to your HQ or data center, you might have a need to allow your mobile users to access your remote network locations. In this case, you can create a service connection with placeholder values. This is required because, while all remote network connections are fully meshed, mobile users connect to remote networks using the service connection in a hub-and-spoke network. For this reason, you might also create a service connection with placeholder values if your existing service connection is not in an ideal geographical location.
  • Service connections do not support language localization because egress to the internet is not supported over service connections. Prisma Access allocates only one service IP address per service connection, and that IP address is geographically registered to the compute location that corresponds to the location you specify during onboarding.
The number of service connections you receive depends on your Prisma Access license.
  • If you have a ZTNA or Enterprise license, the number of service connections depends on your license edition. If you have a Local edition, you can configure a maximum of two service connections; if you have a Worldwide edition, you can configure a maximum of five service connections.
  • If you manage multiple tenants and have a ZTNA or Enterprise license, the number of service connections per tenant depends on the number of units you allocate per tenant and the type of license you have.
    • If you have a Global license and allocate at least 1,000 units for a tenant, you can allocate a maximum of five service connections for that tenant.
    • If you have a Global license and allocate between 200 and 999 units for a tenant, you can allocate a maximum of two service connections for that tenant (the same as the number of connections for a Local deployment).
    • If you have a Local license, you can allocate a maximum of two service connections per tenant, regardless of the number of units you allocate past the minimum of 200.
    For both Global and Local licenses, you can purchase additional licenses for service connections if more are required.
While each service connection provides approximately 1 Gbps of throughput, the actual throughput is dependent on several factors, including:
  • Traffic mix (for example, frame size)
  • Latency and packet loss between the service connection and the headquarters location or data center
  • Service provider performance limits
  • Customer termination device performance limits
  • Other customer data center traffic