Breakout and Breakout Profiles Overview
Site-to-site traffic between spoke sites of a tenant is sent (on overlay tunnels) directly from one site to another depending on the tenant topology or through the hub or enterprise hub. However, for Internet-bound or Software as a Service (SaaS) traffic, you can break out the traffic in different ways:
Local breakout—The traffic exits the VPN directly at the site and goes to the destination.
Backhaul or central breakout—The traffic exits the VPN at the provider hub or at the enterprise hub (if an enterprise hub is associated with the spoke site) and then goes to the destination.
Cloud breakout—The traffic is sent from the site to a designated cloud-based security platform instead of being sent directly over the underlay.
From CSO Release 4.1.0 onwards, Zscaler is the only cloud-based security platform supported.
In CSO Release 4.0, only local breakout and central breakout (backhaul) are supported and the breakout option is enabled only at the site level. However, from CSO Release 4.1.0 onward, breakout is supported at the site, department, and application (cacheable only) levels by using breakout profiles that are applied using SD-WAN policy intents. Non-cacheable applications follow the site-specific or department-specific behavior as configured in the SD-WAN policy intent.
For sites added in CSO Release 4.1.0 onward, you cannot configure breakout directly at the site level and must use breakout profiles referenced in SD-WAN policy intents for this purpose.
The following three types of breakout profiles are supported in CSO:
Local breakout (underlay)
Backhaul (central breakout)
Cloud breakout (Zscaler)
After you add a breakout profile, you must create an SD-WAN policy intent specifying the source (site, site group, or department), the application, and the applicable breakout profile.
SD-WAN Policy Intents for Breakout
For SD-WAN policy intents configured at different source endpoints, the following is applicable:
Site—A policy intent configured at the site level applies to all the departments within the site. In addition, by default, the site-level configuration is also applicable to all applications because the default configuration for applications is Any.
Department—A policy intent configured at the department level (for tenants with network segmentation enabled) overrides the policy intent configured at the site level. Similar to the behavior for the site-level policy intent, by default, a department-level policy intent is also applicable to all applications because the default configuration for applications is Any.
Application (cacheable only)—A policy intent (at the application level) where you specify one or more cacheable applications overrides the policy intent specified at either the department level or the site level only for the specified applications.
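To make the precedence rules above concrete, here is an added example (not CSO code) that resolves the breakout profile for a flow from a set of SD-WAN policy intents: an application-specific intent overrides a department intent, which overrides a site intent, and a non-cacheable application falls back to the department or site behavior. The profile, site, department and application names and the cacheable application set are constructed, and a department intent is assumed to apply to that department at every site.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed set of applications treated as cacheable (assumption).
CACHEABLE_APPS = frozenset({"office365", "salesforce"})


@dataclass(frozen=True)
class Intent:
    """One SD-WAN policy intent: a source endpoint, an application match
    (empty frozenset means "Any") and the breakout profile it references."""
    profile: str
    site: Optional[str] = None        # source is a site (all its departments)
    department: Optional[str] = None  # source is a department (assumed tenant-wide)
    apps: frozenset = frozenset()     # cacheable applications, or empty for Any


def resolve_breakout(intents: Iterable[Intent], site: str, department: str,
                     app: str) -> Optional[str]:
    """Return the breakout profile that applies to a flow, or None if no
    intent matches. An application-specific intent outranks an "Any" intent,
    and a department intent outranks a site intent. A non-cacheable
    application never matches an application intent."""
    best = None
    for intent in intents:
        # Source match and its rank (department outranks site).
        if intent.department is not None:
            if intent.department != department:
                continue
            source_rank = 1
        elif intent.site == site:
            source_rank = 0
        else:
            continue
        # Application match and its rank (explicit application outranks Any).
        if intent.apps:
            if app not in CACHEABLE_APPS or app not in intent.apps:
                continue
            app_rank = 1
        else:
            app_rank = 0
        rank = (app_rank, source_rank)
        if best is None or rank > best[0]:
            best = (rank, intent.profile)
    return best[1] if best else None


# Constructed intents for a hypothetical site "branch-1".
EXAMPLE_INTENTS = (
    Intent("backhaul-hub", site="branch-1"),
    Intent("local-underlay", department="engineering"),
    Intent("cloud-zscaler", site="branch-1", apps=frozenset({"office365"})),
)
```

With these intents, office365 from any department of branch-1 breaks out to the cloud profile, while a non-cacheable application from the engineering department uses the local underlay and from any other department is backhauled.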
Benefits of Breakout Profiles
Breakout profiles used in intent-based Internet breakout policies (through SD-WAN policy intents) give users granular control over the Internet breakout behavior for specific applications.