Colocation provides a strategic advantage by allowing enterprises to leverage purpose-built data center infrastructure and technologies without the associated high CAPEX, while also enhancing operational flexibility and reducing risks.
Additionally, colocation can help enterprises reduce latency and improve application performance by placing their IT infrastructure closer to the cloud providers and by connecting their existing data center infrastructure.
Enterprises that want a reliable and hassle-free solution for designing high-bandwidth, low-latency private connections with seamless Layer 2/3 connectivity from the SASE cloud service to their enterprise Colo facilities need look no further than Prisma Access Colo-Connect.
Prisma Access Colo-Connect leverages cloud-native GCP interconnect technology to provide high-bandwidth service connections to enterprises' private applications with the following capabilities:
A major retail corporation, with an established network presence in a Colo performance hub and a customer of Prisma Access, is planning to consolidate its regional data centers and headquarters. The objective is to establish direct connectivity to their Colo facilities across multiple regions to facilitate high-bandwidth, low-latency secure access to private applications, ensuring 10 Gbps to 20 Gbps throughput for mobile users and those at remote sites.
The corporation sets up Colo-Connect utilizing dedicated or partner interconnects provided by Google Cloud Platform (GCP), which supports up to 20 Gbps throughput per region. This connectivity ensures that high data transfer rates are maintained consistently across all locations.
Since the Colo equipment is peered to the public cloud and the corporation's data center, it can also give access to any private apps hosted in the public cloud with better performance.
Colo-Connect is designed to coexist with the existing Service Connection deployments. This allows the corporation to continue providing access to private applications in smaller data centers that do not require the higher bandwidth. These service connections are managed through Border Gateway Protocol (BGP) routing, ensuring network compatibility between both high and low-bandwidth environments.
A prominent financial institution already uses Prisma SASE for its cloud-delivered security services. It is also multi-cloud, with GCP, AWS and Azure peering via the Colo hubs. It now faces new, stringent requirements from its global Infosec team: the new mandate stipulates that, starting next year, private application traffic must not traverse the public internet. The current IPSec tunnels from service connections to its regional colocation (colo) hubs and major data centers are not sufficient to meet these security demands.
To adhere to these new security policies and ensure compliance, the institution has decided to deploy Prisma Access Colo-Connect. This design involves establishing a private connection using dedicated or partner interconnects provided by Google Cloud Platform (GCP), which offers up to 20 Gbps of throughput per region. This setup ensures that all traffic is securely dropped directly to their colo racks without passing through the public internet.
In addition, by channeling all private app traffic through Colo-Connect, the institution enhances its security posture, leveraging holistic security services that include Zero Trust Network Access (ZTNA) 2.0. This implementation aligns with the regulatory requirements and meets the stringent internal security policies set by the global Infosec team.
A mid-sized manufacturing company is seeking to enhance its network infrastructure by integrating third-party Network as a Service (NaaS) solutions such as Megaport and PacketFabric. The goal is to establish seamless, high-bandwidth connectivity between the company's colocation (colo) facilities and its cloud-based applications, including SaaS platforms like Salesforce.com and Box.
The company utilizes networking equipment provided by a NaaS provider, configured as a hub within the regional data centers. This hub acts as the central point for routing traffic between the company’s users and their applications hosted in public cloud Virtual Private Clouds (VPCs) or directly with SaaS providers.
To ensure secure and efficient routing, the company establishes Border Gateway Protocol (BGP) sessions between the NaaS provider's networking equipment and Prisma Access Colo-Connect. This setup provides a robust security layer and enhances the connectivity to cloud services.
The integration with Prisma Access Colo-Connect ensures that all data transmitted between the colo, cloud services, and SaaS applications remains secure, meeting stringent compliance requirements.
Ensuring access to the Colo facility provider | For example, customers will need access to the Equinix Customer Portal. |
Involving accountable teams in the design process | Security, Networking, Facility and Colo teams might need to deploy Colo-Connect jointly. |
Checking that GRE and BGP are supported on the CPE | Colo-Connect service connections use GRE tunnels as the overlay. |
Determining between GCP partner or dedicated interconnect based on business and project requirements | Partner Interconnect: A pairing key from Prisma Access is required for partner interconnects. You receive this key during Prisma Access onboarding. If you create a partner interconnect, make sure that the service provider (SP) is a supported service provider with GCP and that the connectivity between the SP and GCP is already established. Dedicated Interconnect: Determine the location of the Colo where the cross-connect cable will be connected before you begin onboarding in Prisma Access. The Colo location is required for Palo Alto Networks to order the dedicated link. Be familiar with the basic network interconnections to configure the circuits. Upon provisioning the dedicated interconnect and receiving eBGP information from GCP, customers need to configure eBGP over the dedicated interconnect VLAN first and test the underlay connectivity. |
Two types of costs accrue to Prisma Access Colo-Connect customers:
GCP Interconnect charges accrue to Prisma Access, which owns the VLAN attachment. Customers are not billed extra and do not need to deal with GCP to provision interconnect links in their own name.
For deployments requiring more than 16 connections, or for any GCP-related issues, customers contact their Palo Alto Networks representative, and the Prisma Access team will engage with GCP.
The table below explains Prisma Access Colo-Connect and Service-Connection licensing:
For customers that have already deployed IPSec-based Service Connections, it is recommended to deploy Colo-Connect and IPSec tunnel-based service connections in different regions, since there was limited support to rebalance Mobile User Security Process Node (MU-SPN) peering with SC-CAN and Colo-SC.
From Prisma Access 5.1, Colo-SC will gain additional preference compared to regular SC so that MU-SPN will rebalance with Colo-SC in the same region according to bandwidth weight.
Prisma Access Colo-Connect Admin Guide