Clean Pipe and Partner Interconnect Requirements
Focus
Focus

Clean Pipe and Partner Interconnect Requirements

Table of Contents

Clean Pipe and Partner Interconnect Requirements

Learn about the requirements you need for Clean Pipe deployments.
Before you start, be aware of the following Clean Pipe deployment requirements, and be aware of the following differences between Prisma Access for Clean Pipe and other Prisma Access deployments:
  • You must have a Prisma Access for Clean Pipe license.
    The Prisma Access for Clean Pipe license is a separate license from other Prisma Access products. However, the same requirements for purchasing and installing Panorama and Strata Logging Service licenses apply to Clean Pipe.
  • Prisma Access for Clean Pipe has the following GCP Partner Interconnect requirements:
    • You must be able to create a Partner Interconnect in GCP.
    • You must have the ability to create VLAN attachments in GCP.
    • For Layer 2 (L2) partner interconnects, you must have access to the customer edge (CE) router on the MSSP side and be able to make configuration changes to it.
    For more information about GCP configuration, refer to the GCP documentation.
  • Be aware of the minimum bandwidth requirements for the Clean Pipe deployment.
    The minimum license you can purchase is 1000 Mbps. The minimum bandwidth allocation for each Clean Pipe tenant is 100 Mbps.
    After you create a tenant, you can create clean pipes in that tenant. Each clean pipe must be a minimum of 100 Mbps. Each Clean Pipe shares the tenant’s access domain, templates and template stack, and device group.
  • If configuring multiple Clean Pipes for a single tenant, each Clean Pipe is required to be a unique location. If you want to configure two VLAN attachments for a single Clean Pipe location in an active/backup configuration for intra-zone redundancy, specify the REDUNDANT choice when you add a new Clean Pipe instance.
  • When creating a connection within a Clean Pipe tenant, match the bandwidth allocation to that of the VLAN attachment. Do not create a VLAN attachment that has a bandwidth that is higher or lower than the connection's bandwidth.
  • After you enable multitenancy, do not configure your Clean Pipe deployment with any of the other tabs in the Configuration area, with the exception of the Generate API key link in the Service Setup tab, which lets you generate an API key to retrieve Clean Pipe IP addresses. All configuration is unique to Prisma Access for Clean Pipe and separate from other Prisma Access deployments, such as Prisma Access for Networks or Prisma Access for Users.
  • Do not make changes to a Clean Pipe configuration after you commit it. If you change a Clean Pipe after it’s been committed, you will receive a commit error when you re-commit it. Instead, delete the existing Clean Pipe and add a new one. Schedule this change during a system downtime window. If you already made changes and have not yet committed, you can revert the changes by editing the Clean Pipe configuration back to their previous values.
  • Note that the locations used by Clean Pipe differ from other Prisma Access deployments. Prisma Access for Clean Pipe supports the following locations:
    • asia-east1
    • asia-east2
    • asia-northeast1
    • asia-south1
    • asia-southeast1
    • australia-southeast1
    • europe-north1
    • europe-west2
    • europe-west3
    • europe-west4
    • northamerica-northeast1
    • southamerica-east1
    • us-central1
    • us-east1
    • us-east4
    • us-west1
    • us-west2
  • Note the following networking restrictions for Clean Pipe:
    • QoS for Clean Pipe is supported on ingress (from internet to Clean Pipe direction) only.
    • User-ID is not supported.
    • Clean Pipe supports session affinity based on source and destination IP addresses and is not configurable.
    • Trust-to-Trust policies are invalid for Clean Pipe, because the traffic is always internet-bound. Only use Trust-to-Untrust policies.