In today's blog post, let's dive into the specifics of Prisma Access Service Connections (SC) and Remote Networks (RN). If you're just getting started with Prisma Access, or need a quick refresher, I highly recommend checking out my introductory post on the topic here. Understanding the key differences between SC and RN is crucial for anyone working with Prisma Access, especially when it comes to making informed decisions about your network's design and security.
TL;DR
If you're looking for a straightforward answer, here it is - Choose Remote Networks (RN) if you need to enforce security policies and require Internet access from the sites. Otherwise, Service Connections (SC) might be the better option.
Let's consider a branch office as an example. Typically, a branch office doesn't need to host services or applications that require inbound access. What it does need, however, is a reliable and secure way to access the Internet. This is where RN comes into play, as it's perfectly suited for this need. On the flip side, a Data Center usually houses services and applications that do require inbound access, often from remote access users or users in branch offices. In such cases, a Service Connection is the ideal choice as it facilitates this kind of access efficiently.
If you are looking for a detailed explanation, read further.
Prisma Access Service Connection
A Service Connection in Prisma Access is designed primarily for connecting to data centers or headquarters with services/applications. This type of connection is characterized by having no bandwidth limits (more on this later). It's very important to note, though, that Service Connections do not include capabilities for filtering, restricting, or inspecting traffic. This is because it's expected that firewalls and security policies are already in place at these larger sites.
Traffic from a Service Connection can be directed to Mobile Users, other Service Connections, and Remote Networks. However, it's key to remember that this traffic cannot directly egress to the internet.
Service Connection Bandwidth
Each Prisma Access service connection is not bandwidth capped, but each service connection can provide approximately 1 Gbps of throughput. For most, this bandwidth is usually sufficient to access internal resources in a headquarters or data center location. If you have a headquarters or data center location that requires additional service connection bandwidth, you can configure multiple service connections to that location.
Prisma Access Remote Network
Remote Networks are suitable for branch offices, particularly those without significant NGFW capabilities. One of their key features is the ability to filter and inspect traffic. This adds an important layer of security for locations that might not have extensive security measures in place. Additionally, Remote Networks allow for Internet egress, which means that internet-bound traffic from these branches goes through Prisma Access.
A typical scenario for using a Remote Network might be an office with around 10-100 users. You would set up a Remote Network tunnel from your on-premises router or firewall (it could be any IPSec complaint device). The default route on this on-premises router should point to the Remote Network tunnel, redirecting all traffic through Prisma Access for security and control.
Remote Network Bandwidth
Pricing for Remote Networks is based on bandwidth usage. You pay for a specific amount of bandwidth, which you can then allocate across your various remote networks as needed. Starting with Prisma 1.8 deployments, bandwidth is allocated at an aggregate level per compute location.
Each location has a corresponding compute location for which bandwidth is allocated, and all sites you onboard in a compute location share that allocated bandwidth. For example, let's say you want to onboard three branch offices using remote networks in the Belarus, Finland, and Norway locations. All these locations map to the Europe North compute location. If 1000 Mbps of bandwidth is allocated to this compute location, all three branch offices will share the 1000 Mbps of bandwidth.
Conclusion
In summary, a Service Connection operates under the assumption that you already have a firewall and other security measures in place at your site, and thus, it doesn't provide additional security enforcement. On the other hand, a Remote Network is designed for scenarios where such security infrastructure is not present and requires security enforcement.