Requirements and Prerequisites for Prisma Access Colo-Connect

Configure a Colo-Connect deployment in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • A Prisma Access (Managed by Panorama) deployment running a minimum Cloud Services plugin version of 4.1 and a minimum dataplane version of 10.2.4
  • A Colo-Connect add-on license
Before you start Colo-Connect onboarding and configuration, be aware of the required information and prerequisites by following this checklist.
  • Make sure that you have access to the Colo facility provider (for example, you have access to the Equinix Customer Portal).
  • Make sure that your CPE can support GRE and BGP.
    Colo-Connect service connections use GRE tunnels.
  • Decide which interconnect type you will use for Colo-Connect (a partner or dedicated interconnect).
    • Partner Interconnect—A pairing key from Prisma Access is required for partner interconnects. You receive this key during Prisma Access onboarding.
      If you create a partner interconnect, make sure that the service provider (SP) is an approved SP with GCP and the connectivity between the SP and GCP is already established.
    • Dedicated Interconnect
      • Determine the location of the Colo where the cross-connect cable will be connected before you begin onboarding in Prisma Access. The Colo location is required for Palo Alto Networks to order the dedicated link.
      • Be familiar with the basic network interconnections so that you can configure the circuits.
      • After you provision the dedicated interconnect, you must test it.
  • Subnet Requirements—Determine the RFC-1918 IPv4 subnets you will use for each Colo-Connect connection per region. Prisma Access uses these subnets for internal communication and networking.
    Make the subnets unique among all Colo-Connect regions in a given tenant. The Colo-Connect subnet can't overlap with the Prisma Access infra subnet and mobile users pool. Use a minimum subnet size of /28.
  • Link (Interconnect) Requirements—Follow these guidelines when configuring links:
    • Each Colo-Connect add-on license includes one link of 10 Gbps capacity. You need a minimum of two links, which means you need to purchase a minimum of two licenses in a Colo-Connect deployment.
    • Onboard two links in each region.
      Both of these links should be in different availability zones (edge domains).
    • (Dedicated interconnect deployments only) If you want to onboard more than six links in a tenant, reach out to your Palo Alto Networks account representative or partner, who will contact the Site Reliability Engineering (SRE) team and submit a request to increase the quota for a given tenant.
  • Connection Requirements
    • Onboard two connections in each region.
      Both connections should be in different edge domains.
    • Connections in active/backup or active/active mode must be the same bandwidth.
    • Decide whether you want to set up your connections in an active/active or active/backup configuration.
  • Colo-Connect Service Connection Requirements
    • Each service connection requires two connections.
    • Each connection for a given service connection must be on a different link and a different edge domain.
    • Make a note of the addresses that you will use as the BGP IP address with colo-router and the GRE tunnel local IP addresses. You use these addresses during service connection creation.
    • Service connections must be on the same link type (either Partner Interconnect links or Dedicated Interconnect links).
  • Interoperability with existing IPSec-Based Service Connections—Palo Alto Networks strongly recommends that you deploy Colo-Connect and IPSec tunnel-based service connections in different regions. In addition, if you're migrating from an IPSec tunnel-based service connection to a Colo-Connect service connection, you must schedule a maintenance window. After the migration, remove the IPSec-based service connection once the Colo-Connect service connection is up and running and before the maintenance window expires.
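
The subnet requirements in the checklist above can be checked against an address plan before onboarding. The following Python sketch is an added example, not Palo Alto Networks code. It assumes that "minimum subnet size of /28" means a /28 or larger block and that "unique" means no overlap between regions; the region names and addresses are constructed placeholders.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PREFIXLEN = 28  # assumption: "minimum subnet size of /28" = /28 or larger


def check_colo_subnets(region_subnets, infra_subnet, mobile_user_pools):
    """Return a list of violations for the planned per-region subnets."""
    reserved = {"infra subnet": ipaddress.ip_network(infra_subnet)}
    for pool in mobile_user_pools:
        reserved[f"mobile users pool {pool}"] = ipaddress.ip_network(pool)

    problems, valid = [], {}
    for region, cidr in region_subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{region}: {cidr} is not a valid network ({exc})")
            continue
        if net.version != 4 or not any(net.subnet_of(b) for b in RFC1918):
            problems.append(f"{region}: {net} is not an RFC 1918 IPv4 subnet")
            continue
        if net.prefixlen > MAX_PREFIXLEN:
            problems.append(f"{region}: {net} is smaller than /{MAX_PREFIXLEN}")
        for name, other in reserved.items():
            if net.overlaps(other):
                problems.append(f"{region}: {net} overlaps the {name}")
        valid[region] = net

    # Assumption: "unique among all regions" is enforced as "no overlap".
    for (r1, n1), (r2, n2) in combinations(valid.items(), 2):
        if n1.overlaps(n2):
            problems.append(f"{r1} and {r2}: {n1} overlaps {n2}")
    return problems


# Constructed sample plan; region names and addresses are placeholders.
SAMPLE_PLAN = {
    "region-a": "10.200.0.0/28",    # fine on its own
    "region-b": "10.200.0.0/27",    # overlaps region-a
    "region-c": "192.168.50.0/29",  # smaller than /28
    "region-d": "172.32.0.0/28",    # outside 172.16.0.0/12
    "region-e": "10.10.1.0/28",     # inside the sample infra subnet
}

if __name__ == "__main__":
    for line in check_colo_subnets(SAMPLE_PLAN, "10.10.0.0/16", ["10.20.0.0/16"]):
        print(line)
```

An empty list means the plan satisfies the subnet rules as interpreted here; the link, connection and edge-domain rules are not covered by this check.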