The Analytics Data Export and Operator Remote Access networks are both set up as hub-and-spoke. Choosing one network type over the other depends on understanding the required traffic flow.

In both cases, Client software on a Device or User must access resources behind a Client Connector. Before deploying any network, ensure you understand the flow you are trying to accommodate. A mesh network could inadvertently provide too much access. A mesh could just as easily be defined by creating two hub-and-spoke networks and inverting the sources and destinations on the second one.

  1. The network is where all the components come together. Here you can see that the Source is the Operators group, the Destination is the Factory VNC Connectors group, and the rule VNC Only is applied. When John Doe attempts to establish a VNC connection to a remote device, the fabric is consulted to see whether the traffic is allowed. If the access attempt conforms to this network, a tunnel is established and John can perform his task.
  2. The second network is for the Device running the SD-WAN Client software that must export data to an analytics engine hosted in the cloud. As in the previous network, the Analytics Exporters group is the Source and the Cloud Analytics Connectors group is the Destination. Only FTP traffic is permitted, preventing the Device from having more access to the cloud resources than it should.
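
The following added example is not the product's own code or API. It is a small Python model of the decision described above, showing how the two hub-and-spoke networks permit only source-to-destination flows and how a mesh also opens the inverted direction. Member names other than John Doe, the rule name "FTP Only", and the ports (TCP 5900 for VNC, TCP 21 for the FTP control channel) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed group membership; member names are hypothetical.
GROUPS = {
    "Operators": {"john.doe"},
    "Factory VNC Connectors": {"factory-vnc-connector"},
    "Analytics Exporters": {"plant-device"},
    "Cloud Analytics Connectors": {"cloud-analytics-connector"},
}

# Assumed rule contents: the page names the traffic types, not the ports.
RULES = {"VNC Only": {("tcp", 5900)}, "FTP Only": {("tcp", 21)}}


@dataclass(frozen=True)
class Network:
    name: str
    source: str
    destination: str
    rule: str
    topology: str = "hub-and-spoke"  # or "mesh"

    def permits(self, initiator, target, proto, port):
        """True if this network allows initiator -> target on proto/port."""
        if (proto, port) not in RULES[self.rule]:
            return False
        src, dst = GROUPS[self.source], GROUPS[self.destination]
        forward = initiator in src and target in dst
        # A mesh behaves like a second network with source and destination inverted.
        reverse = initiator in dst and target in src
        return forward or (self.topology == "mesh" and reverse)


def allowed(networks, initiator, target, proto, port):
    """Default deny: name of the first network permitting the flow, else None."""
    for net in networks:
        if net.permits(initiator, target, proto, port):
            return net.name
    return None


NETWORKS = [
    Network("Operator Remote Access", "Operators", "Factory VNC Connectors", "VNC Only"),
    Network("Analytics Data Export", "Analytics Exporters", "Cloud Analytics Connectors", "FTP Only"),
]
# Same definitions redeployed as mesh, to compare the resulting access.
MESHED = [Network(n.name, n.source, n.destination, n.rule, "mesh") for n in NETWORKS]
```

Running the same access attempts against `NETWORKS` and `MESHED` before deployment shows which flows a topology change would newly permit.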