Optimizing Secure Access to Private Applications with Prisma Access Colo-Connect


[Fig 10: Prisma-Access-Colo-Connect]

Introduction

Colocation provides a strategic advantage by allowing enterprises to leverage purpose-built data center infrastructure and technologies without the associated high CAPEX, while also enhancing operational flexibility and reducing risk.

Additionally, colocation can help enterprises reduce latency and improve application performance by placing their IT infrastructure closer to the cloud providers, as well as connecting it to their existing data center infrastructure.

Enterprises that want a reliable and hassle-free solution for designing high-bandwidth, low-latency private connections with seamless Layer 2/3 connectivity from the SASE cloud service to their enterprise Colo facilities need look no further than Prisma Access Colo-Connect.

Prisma Access Colo-Connect leverages the cloud-native GCP interconnect technology to provide high-bandwidth service connections to enterprises' private applications, with the following capabilities:

Colo-Connect Use Cases:

 

High-Bandwidth Secure Access to Private Apps

A major retail corporation, with an established network presence in a Colo performance hub and a customer of Prisma Access, is planning to consolidate its regional data centers and headquarters. The objective is to establish direct connectivity to its Colo facilities across multiple regions to facilitate high-bandwidth, low-latency secure access to private applications, ensuring 10 Gbps to 20 Gbps throughput for mobile users and users at remote sites.

The corporation sets up Colo-Connect using dedicated or partner interconnects provided by Google Cloud Platform (GCP), which supports up to 20 Gbps throughput per region. This connectivity ensures that high data transfer rates are maintained consistently across all locations.

Since the Colo equipment is peered with both the public cloud and the corporation's data center, it can also provide access to any private apps hosted in the public cloud with better performance.

Colo-Connect is designed to coexist with existing Service Connection deployments. This allows the corporation to continue providing access to private applications in smaller data centers that do not require the higher bandwidth. These service connections are managed through Border Gateway Protocol (BGP) routing, ensuring network compatibility between the high- and low-bandwidth environments.

Private Connectivity for Private Applications

A prominent financial institution already utilizes Prisma SASE for its cloud-delivered security services. It is also multi-cloud, with GCP, AWS and Azure peering via the Colo hubs. Starting next year, it faces new, stringent requirements from its global Infosec team: the new mandate stipulates that private application traffic must not traverse the public internet. The current IPSec tunnels from service connections to its regional colocation (colo) hubs and major data centers are not sufficient to meet these security demands.

To adhere to these new security policies and ensure compliance, the institution has decided to deploy Prisma Access Colo-Connect. This design involves establishing a private connection using dedicated or partner interconnects provided by Google Cloud Platform (GCP), which offers up to 20 Gbps of throughput per region. This setup ensures that all traffic is delivered securely and directly to the institution's colo racks without passing through the public internet.

In addition, by channeling all private app traffic through Colo-Connect, the institution enhances its security posture, leveraging holistic security services that include Zero Trust Network Access (ZTNA) 2.0. This implementation aligns with the regulatory requirements and meets the stringent internal security policies set by the global Infosec team.

Third-Party NaaS Provider Integration

A mid-sized manufacturing company is seeking to enhance its network infrastructure by integrating third-party Network as a Service (NaaS) solutions such as Megaport and PacketFabric. The goal is to establish seamless, high-bandwidth connectivity between the company's colocation (colo) facilities and its cloud-based applications, including SaaS platforms such as Salesforce.com and Box.

The company uses networking equipment provided by a NaaS provider, configured as a hub within the regional data centers. This hub acts as the central point for routing traffic between the company's users and their applications hosted in public cloud Virtual Private Clouds (VPCs) or directly with SaaS providers.

To ensure secure and efficient routing, the company establishes Border Gateway Protocol (BGP) sessions between the NaaS provider's networking equipment and Prisma Access Colo-Connect. This setup provides a robust security layer and enhances connectivity to cloud services.

The integration with Prisma Access Colo-Connect ensures that all data transmitted between the colo, cloud services, and SaaS applications remains secure, meeting stringent compliance requirements.

A Deployment Journey

To begin the Colo-Connect deployment:

  • Ensure access to the Colo facility provider. For example, customers will need access to the Equinix Customer Portal.
  • Involve the accountable teams in the design process. Security, Networking, Facility and Colo teams might need to deploy Colo-Connect jointly.
  • Check that GRE and BGP are supported on the CPE. Colo-Connect service connections use GRE tunnels as the overlay.
  • Decide between a GCP partner or dedicated interconnect based on business and project requirements.

Partner Interconnect: A pairing key from Prisma Access is required for partner interconnects. You receive this key during Prisma Access onboarding. If you create a partner interconnect, make sure that the service provider (SP) is a supported service provider with GCP and that connectivity between the SP and GCP is already established.

Dedicated Interconnect: Determine the location of the Colo where the cross-connect cable will be connected before you begin onboarding in Prisma Access. The Colo location is required for Palo Alto Networks to order the dedicated link.

Be familiar with the basic network interconnections in order to configure the circuits. Once the dedicated interconnect is provisioned and the eBGP information has been received from GCP, customers need to configure eBGP over the dedicated interconnect VLAN first and test the underlay connectivity.

 

Understand the licensing and billing:

There are two types of costs that accrue to a Prisma Access Colo-Connect customer:

  • Prisma Access Colo-Connect and Service-Connection licenses
  • Existing bills from the customer's Colo providers, such as rack space, power, connectivity, smart hands and so on.

GCP Interconnect charges accrue to Prisma Access, which owns the VLAN attachment. Customers are not billed extra and don't need to deal with GCP in order to provision interconnect links under their own names.

For deployments requiring more than 16 connections, or for any GCP-related issues, customers contact their Palo Alto Networks representative, and the Prisma Access team will engage with GCP.

The table below explains Prisma Access Colo-Connect and Service-Connection licensing:

[Fig 2: Prisma-Access-Colo-Connect]

[Fig 3: Prisma-Access-Colo-Connect]

Interoperability with regular service connections (SC-CAN)

For customers who have already deployed IPSec-based Service Connections, it is recommended to deploy Colo-Connect and IPSec tunnel-based service connections in different regions, since there was limited support for rebalancing Mobile User Security Processing Node (MU-SPN) peering between SC-CAN and Colo-SC.

From Prisma Access 5.1, Colo-SC gains additional preference over regular SC, so that MU-SPN will rebalance with Colo-SC in the same region according to bandwidth weight.
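As an added example (not Palo Alto Networks code), the script below turns the deployment checklist from "A Deployment Journey" and the interoperability guidance in this section into checks over a planned set of service connections. The plan schema, field names, the `prisma_access_5_1_or_later` switch and the sample values are assumptions constructed for illustration.

```python
# Added example, not Palo Alto Networks code: a pre-deployment plan checker that
# encodes this article's readiness items. Plan schema and sample values are constructed.
from dataclasses import dataclass

MAX_GBPS_PER_REGION = 20           # GCP interconnect ceiling per region (from the article)
MAX_SELF_SERVICE_CONNECTIONS = 16  # beyond this, Palo Alto Networks engages GCP

@dataclass
class ServiceConnection:
    name: str
    region: str
    kind: str                              # "colo-dedicated", "colo-partner" or "ipsec"
    gbps: float = 0.0
    cpe_supports_gre_and_bgp: bool = True  # Colo-SC runs a GRE overlay with BGP routing
    pairing_key: str = ""                  # partner interconnect only (issued at onboarding)
    sp_supported_by_gcp: bool = True       # partner interconnect only
    colo_location: str = ""                # dedicated interconnect only (cross-connect site)

def check_plan(conns, prisma_access_5_1_or_later=False):
    """Return findings as strings; an empty list means the plan is ready."""
    findings = []
    colo = [c for c in conns if c.kind.startswith("colo-")]
    for c in colo:
        if not c.cpe_supports_gre_and_bgp:
            findings.append(f"{c.name}: CPE must support GRE and BGP")
        if c.kind == "colo-partner" and not (c.pairing_key and c.sp_supported_by_gcp):
            findings.append(f"{c.name}: partner interconnect needs a pairing key and a GCP-supported SP")
        if c.kind == "colo-dedicated" and not c.colo_location:
            findings.append(f"{c.name}: dedicated interconnect needs the Colo location")
    per_region = {}                        # planned Colo-SC throughput summed per region
    for c in colo:
        per_region[c.region] = per_region.get(c.region, 0.0) + c.gbps
    for region, gbps in sorted(per_region.items()):
        if gbps > MAX_GBPS_PER_REGION:
            findings.append(f"{region}: {gbps:g} Gbps exceeds {MAX_GBPS_PER_REGION} Gbps per region")
    if len(colo) > MAX_SELF_SERVICE_CONNECTIONS:
        findings.append(f"{len(colo)} Colo-SCs exceed {MAX_SELF_SERVICE_CONNECTIONS}: engage Palo Alto Networks")
    if not prisma_access_5_1_or_later:     # pre-5.1: limited MU-SPN rebalancing across SC types
        ipsec_regions = {c.region for c in conns if c.kind == "ipsec"}
        for region in sorted({c.region for c in colo} & ipsec_regions):
            findings.append(f"{region}: Colo-SC and IPSec SC share a region; separate them")
    return findings

SAMPLE_PLAN = [  # constructed values; the pairing key and site names are placeholders
    ServiceConnection("us-west-colo", "us-west", "colo-partner", 10, pairing_key="PAIRING-KEY-PLACEHOLDER"),
    ServiceConnection("eu-colo-1", "europe-west", "colo-dedicated", 15, colo_location="Site-B"),
    ServiceConnection("eu-colo-2", "europe-west", "colo-dedicated", 10, colo_location="Site-C"),
    ServiceConnection("us-west-dc2", "us-west", "ipsec", 1),
]
```

Running `check_plan(SAMPLE_PLAN)` reports the europe-west region exceeding 20 Gbps and the us-west region mixing Colo-SC with an IPSec SC; passing `prisma_access_5_1_or_later=True` drops the second finding.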

 

[Fig 4: Prisma-Access-Colo-Connect]

High Level Configuration Workflow

[Fig 5: Prisma-Access-Colo-Connect]

[Fig 6: Prisma-Access-Colo-Connect]

[Fig 7: Prisma-Access-Colo-Connect]

[Fig 8: Prisma-Access-Colo-Connect]

Appendix and References

Prisma Access Colo-Connect Admin Guide

Supported Prisma Access locations for Colo-Connect and GCP region mapping

[Fig 9: Prisma-Access-Colo-Connect]

Last Updated: 05-17-2024 03:08 PM