Requirements and Prerequisites for Resource Connectors and Connector Groups

This topic includes requirements, prerequisites, and guidelines for resource connectors and connector groups.

Table of Contents

• Guidelines for Connector Groups
• Requirements and Guidelines for Connectors
• Connectivity Requirements
• Capacity Requirements

Guidelines for Connector Groups

• Generally, we recommend that you deploy one resource connector group for each data center, branch office, or security zone that contains private resources that remote users must reach.
• A single location can have multiple connector groups that send traffic to discrete sets of resources.
• A single connector group that sends traffic to resources in multiple locations is not recommended.
• For configuration guidelines for resource connector groups for private resources residing in multiple locations, see Private Resource Configuration Examples.

When adding connectors to a group:

• Deploy all connectors in a group in the same environment, for example AWS, Microsoft Azure, or VMware.
• For accurate load balancing, the instance type for all connectors in a group must be identical.
• Each connector in a connector group must be able to reach all of the private resources assigned to the connector group.

Connector Group Region

When you create a connector group, choose a Secure Access region that is as close as possible to the location where the private resources that will be associated with the group reside.

Choose the region for your connector groups carefully. You cannot change the region associated with a connector group.

If you need to change the region, you must create a new connector group associated with the new region. Then, deploy connectors in that group and delete the original connector group and its connectors.

Redundancy Across Connector Groups

To provide redundancy across connector groups, deploy multiple connector groups, each associated with the same private resources.

To provide redundancy across regions, associate each redundant connector group with a different region.

After you configure redundancy, Secure Access directs incoming zero trust access user requests to the nearest region that has a connector group associated with that resource.

Requirements and Guidelines for Connectors

• Supported platforms for connectors: AWS, Microsoft Azure, and VMware ESXi.
  • For information about deploying connectors in AWS, see Deploy a Connector in AWS.
  • For information about deploying connectors in Microsoft Azure, see Deploy a Connector in Azure.
  • For information about deploying connectors in VMware, see Deploy a Connector in VMware.
• Connector IP addresses:
  • Connectors support IPv4 addresses. IPv6 is not supported.
  • You cannot use any address reserved for use by Secure Access. For information about addresses reserved for Resource Connectors, see Network Requirements for Secure Access.
  • For maximum connector throughput capacity, DTLS and TLS connections must originate from the same IP address. If the originating IP addresses are different, TLS connections will be used, with a significant reduction in throughput.
• For maximum connector throughput capacity, DTLS is required. Connections are downgraded to TLS if the originating IP addresses for the connections to Secure Access are different or UDP connections are blocked.
• Deploy connectors in the same data center, branch office, or security zone location as the private resources to which they will send traffic.
• Each connector in a connector group must be able to reach all of the private resources assigned to the connector group.
• All connectors must be able to reach the Secure Access cloud. For more information, see Connectivity Requirements.
• Connectors support only a single network interface.

Connectivity Requirements

• Ensure that Resource connectors can reach the Secure Access destinations. For more information, see Allow Resource Connector Traffic to Secure Access.
• Public-facing IP addresses are not needed.

Capacity Requirements

The number of connectors that you deploy within a connector group depends on the volume of traffic that you expect.

• Estimate the maximum expected volume of traffic to the resources in the data center, branch office, or security zone.
• When you add a connector group, Secure Access suggests a suitable number of connectors to deploy based on the estimated traffic volume you provide. The recommended number of connectors assumes the recommended instance type, 75% CPU usage, and DTLS connectivity, and includes a connector instance for redundancy.
• For connectors that have the recommend instance type, throughput using DTLS is 500 mbps fully loaded (400 at the recommended 75% load). Throughput using TLS is 250 mpbs. If your actual capacity is less than expected, see Troubleshoot Resource Connectors and Connector Groups.
• To determine the number of connectors needed for an existing connector group, see Determine the Number of Connectors Needed in a Connector Group.
• For redundancy, (for example, to avoid service interruptions during connector upgrades), you should deploy at least two connectors in each group.
• For the maximum number of connectors and connector groups per organization, see Limitations and Range Limits.
  • You can deploy up to the maximum number of connectors in a group for load balancing and scalability.
  • You can associate up to the maximum number of connector groups with any region.
  • If you require greater capacity, contact your Cisco representative.
• Your network must be able to support the traffic volume that you specify.

Manage Resource Connectors and Connector Groups < Requirements and Prerequisites for Resource Connectors and Connector Groups > Allow Resource Connector Traffic to Secure Access