Requirements and Prerequisites for Resource Connectors and Connector Groups

This topic includes requirements, prerequisites, and guidelines for resource connectors and connector groups.

Guidelines for Connector Groups

  • Generally, Cisco recommends deploying one resource connector group for each data center, branch office, or security zone that contains private resources that remote users must reach.
  • A single location can have multiple connector groups that send traffic to discrete sets of resources.
  • A single connector group that sends traffic to resources in multiple locations is not recommended.
  • For configuration guidelines for resource connector groups for private resources residing in multiple locations, see Private Resource Configuration Examples.

When adding connectors to a group:

  • All connectors in a group must be deployed in the same environment, for example AWS or VMware.
  • The instance type for all connectors in a group must be identical for accurate load balancing.
  • Each connector in a connector group must be able to reach all of the private resources assigned to the connector group.

Connector Group Region

When you create a connector group, you must choose a Secure Access region, which should be as close as possible to the location in which the private resources that will be associated with the group reside.

Choose the region for your connector groups carefully. You cannot change the region associated with a connector group.

If you need to change the region, you must create a new connector group associated with the new region, deploy connectors in that group, then delete the original connector group and its connectors.

Redundancy Across Connector Groups

To provide redundancy across connector groups, deploy multiple connector groups, each associated with the same private resources.

To provide redundancy across regions, associate each redundant connector group with a different region.

After you configure redundancy, Secure Access will direct incoming zero trust access user requests to the nearest region that has a connector group associated with that resource.

Requirements and Guidelines for Connectors

  • Supported platforms for connectors: AWS and VMware ESXi
  • Requirements for AWS:
    • An AWS account is required
    • Connector requirements:
      • Required architecture: Intel x86_64/AMD64
      • Required instance type for deployments in production environments: C5.xlarge
  • Requirements for VMware ESXi:
    • vSphere version 7.0.2
    • 2-core CPU
    • 4 GB memory
    • Recommended: Use an NTP server on your own network; if you use an NTP server on the internet, be sure to allow traffic to that address on UDP port 123.
  • Connector IP addresses:
    • Must be IPv4; IPv6 is not supported.
    • Cannot use any address reserved for use by Secure Access. See information about addresses reserved for Resource Connectors on Network Requirements for Secure Access.
    • For maximum connector throughput capacity, DTLS and TLS connections must originate from the same IP address. If the originating IP addresses are different, TLS connections will be used, with a significant reduction in throughput.
  • For maximum connector throughput capacity, DTLS is required. Connections are downgraded to TLS if the originating IP addresses for the connections to Secure Access are different or UDP connections are blocked.
  • Deploy connectors in the same data center, branch office, or security zone location as the private resources to which they will send traffic.
  • Each connector in a connector group must be able to reach all of the private resources assigned to the connector group.
  • All connectors must be able to reach the Secure Access cloud. See the Connectivity Requirements section on this page.
  • Connectors support only a single network interface.

Connectivity Requirements

Resource connectors must be able to reach the Secure Access destinations described at Allow Resource Connector Traffic to Secure Access.

Public-facing IP addresses are NOT needed.

Capacity Requirements

The number of connectors you will deploy within a connector group depends on the volume of traffic you expect.

  • Estimate the maximum expected volume of traffic to the resources in the data center, branch office, or security zone that the connector group will connect traffic to.
  • When you add a connector group, the wizard will suggest a suitable number of connectors to deploy based on the estimated traffic volume you provide.
    The recommended number of connectors assumes the recommended instance type, 75% CPU usage, and DTLS connectivity, and includes a connector instance for redundancy.
  • For connectors of the recommended instance type, throughput using DTLS is 500 Mbps fully loaded (400 Mbps at the recommended 75% load). Throughput using TLS is 250 Mbps.
    If your actual capacity is less than expected, see Troubleshoot Resource Connectors and Connector Groups.
  • To determine the number of connectors needed for an existing connector group, see Determine the Number of Connectors Needed in a Connector Group.
  • For redundancy (for example, to avoid service interruptions during connector upgrades), deploy at least two connectors in each group.
  • For the maximum number of connectors and connector groups per organization, see Limitations and Range Limits.
    • You can deploy up to the maximum number of connectors in a group for load balancing and scalability.
    • You can associate up to the maximum number of connector groups with any region.
    • If you require greater capacity, contact your Cisco representative.
  • Your network must be able to support the traffic volume that you specify.
