While creating or updating a Business Policy rule and action, you can set the Network Service to Direct, Multi-Path, and Internet Backhaul.


Sends the traffic out of the WAN circuit directly to the destination, bypassing the SD-WAN Gateway. NAT is applied to the traffic if the NAT Direct Traffic checkbox is enabled on the Interface Settings under the Device tab. When you configure NAT Direct, consider the following limitations.
  • NAT must hit traffic in edge routing table with Next Hop as either Cloud VPN or Cloud Gateway.
  • NAT works for traffic to public IP addresses only, even if Business Policy allows to configure private IP addresses as destination.


Sends the traffic from one SD-WAN Edge to another SD-WAN Edge, and from a SD-WAN Edge to a SD-WAN Gateway.

Internet Backhaul

While configuring the business policy rule match criteria, if you define the Destination as Internet, then the Internet Backhaul network service will be enabled.
Note: The Internet Backhaul Network Service will only apply to Internet traffic (WAN traffic destined to network prefixes that do not match a known local route or VPN route).
When the Internet Backhaul is selected, you need to select one of the following:
  • Backhaul Hubs
  • Non SD-WAN Destinations via Gateway
  • Non SD-WAN Destinations via Edge/Cloud Security Service
You should be able to configure multiple VMware SD-WAN Sites for backhaul to support the redundancy that is inherently built into the Non VMware SD-WAN Site connection, but keep a consistent behavior of service unavailability leading to traffic being dropped.

If Conditional Backhaul is enabled at the profile level, by default it will apply for all Business Policies configured for that profile. You can disable conditional backhaul for selected policies to exclude selected traffic (Direct and Multi-Path) from this behavior by selecting the Disable Conditional Backhaul checkbox in the Action area of the Configure Rule screen for the selected business policy. For more information, see Conditional Backhaul.