Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Learn how to plan a migration from a deployment that allocates bandwidth by Prisma Access location to one that aggregates bandwidth by compute location.
Bandwidth for new Prisma Access remote network deployments is allocated at an aggregate level per compute location, which is also known as the aggregate bandwidth model. Allocating bandwidth at a compute location level offers you more flexibility in allocating your licensed remote network bandwidth, because Prisma Access dynamically allocates the bandwidth for each location based on load or demand.
If you have an existing deployment that allocates bandwidth by Prisma Access location, you can migrate to the aggregate bandwidth model. When you migrate, all remote networks use the aggregate bandwidth model.
Use the following checklist to plan for the migration to the aggregate bandwidth model:
  • Note the following remote network components that remain unchanged after migration:
    • There are no changes to the dataplane. Traffic continues to flow through the Prisma Access dataplane without any change to the existing configuration.
    • The migration does not impact existing tunnels.
      No reconfiguration of your IPSec tunnel parameters is required. IKE gateways, IKE and IPSec crypto profiles, and IPSec tunnel configurations remain unchanged.
    • The remote network Service IP Address (the public IP addresses used on the Prisma Access side of the IPSec tunnel for the remote network connection) does not change for each remote network when you migrate your deployment to the aggregate bandwidth model.
  • Prisma Access assigns IPSec termination nodes and allocates bandwidth to remote networks during a migration to the aggregate bandwidth model. You should understand how bandwidth allocation works before you migrate.
    If you want to reassign an existing remote network to another IPSec termination node after migration, Prisma Access assigns another Service IP Address to the remote network after you commit and push your changes. In this case, you will need to reconfigure your CPE to point to the new IP address for the remote network tunnel.
  • If you have an unsupported configuration, you will not see the Bandwidth Allocation tab or the banner to migrate. The following configurations are not supported for migration to the aggregate bandwidth model:
    • A remote network with a bandwidth of 1000 Mbps.
    • A Prisma SD-WAN CloudBlade integration with Prisma Access that has a version earlier than 3.0.
    • An existing QoS configuration. You can, however, implement QoS after you migrate, by following the guidelines in this section.
    • A remote network configuration that provides secure inbound access to applications at a remote network site, in a version earlier than 2.1 Innovation.
  • If you’re not sure which bandwidth allocation model your deployment is using, select Panorama > Cloud Services > Configuration > Remote Networks.
    • If you see a Bandwidth field in the Remote Networks area, you are allocating bandwidth by Prisma Access location, and you can migrate to the aggregate bandwidth model.
    • If you see an IPSec Termination Node, you have already migrated to the aggregate bandwidth model.
  • After you migrate to the aggregate bandwidth model, the change is permanent and you cannot revert to having a deployment that allocates bandwidth by Prisma Access location.
  • You must have a minimum of 50 Mbps of available bandwidth to migrate to the aggregate bandwidth model.
  • If you want to implement QoS after migration, learn how configuring QoS differs for an aggregate bandwidth deployment.
    • Be sure to use a Class Bandwidth Type of Percentage instead of Mbps in your QoS profiles. Prisma Access does not support bandwidth types of Mbps in QoS profiles for deployments that allocate bandwidth by compute location.
    • Understand how to specify a guaranteed bandwidth ratio and how to customize bandwidth per site.
      Using a guaranteed bandwidth ratio, you can allocate a percentage of the total allocated bandwidth in the compute location. Prisma Access divides the guaranteed bandwidth equally by the number of IPSec termination nodes in the compute location.
      By customizing the bandwidth per site, you can apply an Allocation Ratio for the sites on a single IPSec termination node and specify QoS profiles per site in the remote network Settings. Alternatively, you can specify a QoS profile during remote network configuration by selecting the remote network and specifying a QoS profile in the QoS tab.
  • If you have configured your remote networks to provide secure inbound access to your remote network locations, all existing inbound access features are supported, such as enabling a secondary WAN link (Enable Secondary WAN), BGP, QoS and source NAT options. There is also no change to the bandwidth that is consumed by the public IP addresses that Prisma Access allocates (5 IP addresses take 150 Mbps from your remote network license allocation, and 10 IP addresses take 300 Mbps).
    If you need to configure inbound access after you migrate, use the inbound access procedure that is specific to the aggregate bandwidth model.
  • Palo Alto Networks recommends that you take a note of your existing bandwidth settings and total licensed bandwidth before you migrate.
    Although Prisma Access migrates your bandwidth during migration, you should note your current settings as a best practice and make any adjustments to the compute location bandwidth after you migrate.
    • Check your existing bandwidth settings by selecting Panorama > Cloud Services > Configuration > Remote Networks and make a note of the existing Bandwidth that is available for each remote network connection.
    • Navigate to Panorama > Licenses and check your total licensed bandwidth in Mbps for remote networks. This information is included under Prisma Access Net Capacity or GlobalProtect Cloud Service for Mobile Users, depending on your license type.
After you migrate, make a note of the following differences to your deployment:

Bandwidth Allocation for a Migrated Aggregate Bandwidth Deployment

If you have a deployment that allocates bandwidth by Prisma Access location, Prisma Access makes the following changes when you migrate to the aggregate bandwidth model:
  • Prisma Access sums the bandwidth for all locations in a given compute location and allocates the summed bandwidth to that compute location.
    For example, you have three locations (Location 1, Location 2, and Location 3) in the Mexico West, US Southwest, and US West locations, and each existing location has 50 Mbps of bandwidth. Because each location is in the US Southwest compute location, Prisma Access sums the bandwidth of the three locations and allocates 150 Mbps of bandwidth to the US Southwest compute location.
  • If the location or locations in a compute location have a total bandwidth of less than 50 Mbps, Prisma Access will increase the bandwidth to 50 Mbps for that compute location. Prisma Access provides you with the locations that require the bandwidth increase during the migration process.
  • Prisma Access uses IPSec termination nodes in aggregate bandwidth deployments. During migration, Prisma Access provides one IPSec termination node per compute location for every 500 Mbps of allocated bandwidth. For example, if you allocate 800 Mbps of bandwidth in a compute location, Prisma Access provides that location with two IPSec termination nodes.
    You assign IPSec termination nodes to a remote network during remote network onboarding. In an aggregate bandwidth migration, Prisma Access associates the IPSec termination nodes to the remote networks during migration. The following list provides some examples of IPSec termination node association for a migration:
    • If you have four remote networks that are in the same compute location, and each of them has 50 Mbps of bandwidth, Prisma Access allocates 200 Mbps of bandwidth to that compute location, provides a single IPSec termination node to that compute location, and associates that IPSec termination node to all four remote networks.
    • If you have three remote networks in the same compute location with 100 Mbps each, Prisma Access allocates 300 Mbps of bandwidth to that compute location, provides a single IPSec termination node to that compute location, and associates that IPSec termination node to all three remote networks.
    • If you have four remote networks in the same compute location, with one remote network having 500 Mbps and three remote networks having 100 Mbps each, Prisma Access allocates 800 Mbps of bandwidth to that compute location. Because the total allocated bandwidth in that compute location is greater than 500 Mbps, Prisma Access allocates two IPSec termination nodes and makes the following associations:
      • The 500 Mbps remote network is assigned one IPSec termination node.
      • The three 100 Mbps remote networks are assigned one IPSec termination node.
    After you migrate, you can change the IPSec termination node association to increase bandwidth for a location. For example, given a compute location with two IPSec termination nodes, you could reassign a single IPSec termination node to a single location and reassign the other IPSec termination node to the remaining locations, which effectively provides the location that does not share an IPSec termination node with more bandwidth.
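
The following is an added example, not Palo Alto Networks code: it applies the allocation rules above, plus the 1000 Mbps and existing-QoS exclusions from the planning checklist, to a constructed inventory so you can predict the outcome before making a change that cannot be reverted. It assumes you supply the location-to-compute-location mapping yourself and reads "one node for every 500 Mbps" as a ceiling, which matches the 200, 300, and 800 Mbps examples; it does not predict which remote network lands on which node.

```python
from collections import defaultdict
from math import ceil

MIN_COMPUTE_MBPS = 50    # page: totals below 50 Mbps are raised to 50
MBPS_PER_NODE = 500      # page: one IPSec termination node per 500 Mbps
UNSUPPORTED_MBPS = 1000  # page: a 1000 Mbps remote network is unsupported

# Constructed inventory: (remote network, Prisma Access location,
# compute location, Mbps, has existing QoS configuration).
# "Location A", "Compute A" and similar are placeholder names.
INVENTORY = [
    ("branch-1", "Mexico West", "US Southwest", 50, False),
    ("branch-2", "US Southwest", "US Southwest", 50, False),
    ("branch-3", "US West", "US Southwest", 50, False),
    ("hq", "Location A", "Compute A", 500, False),
    ("store-1", "Location A", "Compute A", 100, False),
    ("store-2", "Location B", "Compute A", 100, False),
    ("store-3", "Location B", "Compute A", 100, False),
    ("kiosk", "Location C", "Compute B", 25, False),
]

def blockers(inventory):
    """Return (network, reason) pairs for settings the page lists as unsupported."""
    found = []
    for name, _loc, _compute, mbps, has_qos in inventory:
        if mbps == UNSUPPORTED_MBPS:
            found.append((name, "1000 Mbps remote network"))
        if has_qos:
            found.append((name, "existing QoS configuration"))
    return found

def plan(inventory):
    """Predict per-compute-location bandwidth and termination node count."""
    totals = defaultdict(int)
    for _name, _loc, compute, mbps, _qos in inventory:
        totals[compute] += mbps
    result = {}
    for compute, summed in totals.items():
        allocated = max(summed, MIN_COMPUTE_MBPS)  # raise small totals to 50
        result[compute] = {
            "summed_mbps": summed,
            "allocated_mbps": allocated,
            "raised_by_mbps": allocated - summed,
            "termination_nodes": ceil(allocated / MBPS_PER_NODE),
        }
    return result

if __name__ == "__main__":
    for name, reason in blockers(INVENTORY):
        print(f"BLOCKER {name}: {reason}")
    for compute, row in sorted(plan(INVENTORY).items()):
        print(compute, row)
```

Compare the predicted totals with the per-network Bandwidth values and licensed bandwidth you recorded before migration, and with what Prisma Access reports afterward.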