Let's see how to edit application network path policy
rules in the Prisma SD-WAN Azure CloudBlade integration.
Once the CloudBlade configures the appropriate
Standard objects within Prisma SD-WAN and Azure, the administrator
can reference the path (Standard VPN) and service group (Azure)
within application network policies. The ION devices will make intelligent
per-app path selections using the network policies to chain multiple
path options together in Active-Active and Active-Backup modes.
Example:
Application A: Take Standard VPN to Azure as the only path option.
Application B: Active Standard VPN to Azure; Backup Prisma SD-WAN VPN
Application C: Active Prisma SD-WAN VPN; Backup Standard VPN to Azure
The Prisma SD-WAN secure Application Fabric (AppFabric) enables
granular controls for a virtually unlimited number of policy permutations
down to the sub-application level. Below is an example of how to
configure a path policy rule to use the Standard VPN to Azure. For
a more in-depth description of how to configure path policies, Standard groups,
and domains, refer to the Prisma SD-WAN.
From Stacked Policies, select the Path tab,
and choose a policy set of interest. Within the policy set, click add
policy rule and define the following: name, destination prefixes
or apps of interest (or a combination of both apps and prefixes),
active and backup paths, and service and DC group.
We will use a destination prefix-based rule in this example since
we have already defined a path prefix representing all of our Azure
subnets. Also, we will only use a Standard VPN path to the Standard
Azure group. If the Standard VPN goes down, traffic destined to
any of those prefixes will have no available paths. We could have
specified alternate active or backup paths such as the Prisma SD-WAN
VPN to the Data Center site(s).
If Standard VPN is used in a network
policy, then you must have a Standard Services and DC Group defined
in the policy for the traffic to transit through that group. If
not, traffic will be black-holed.
If Required is
selected, traffic will always transit through the Services and DC
Group. If not selected, traffic may or may not transit through the Services
and DC Group as per the paths allowed.
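The two failure conditions described above (a Standard VPN path with no Standard Services and DC Group, and a rule whose only path is the Standard VPN) can be checked before a rule is deployed. The following is an added example, not Palo Alto Networks code: the dictionary layout, field names, and rule names are assumptions for illustration, not the Prisma SD-WAN API schema.

```python
# Hypothetical in-memory form of path policy rules. Field names are
# assumptions for this example, not the Prisma SD-WAN API schema.
STANDARD_VPN = "Standard VPN"
SDWAN_VPN = "Prisma SD-WAN VPN"

def lint_rule(rule):
    """Return a list of findings for one path policy rule."""
    findings = []
    active = rule.get("active_paths", [])
    backup = rule.get("backup_paths", [])
    group = rule.get("service_dc_group")  # e.g. "Azure", or None if unset
    paths = active + backup

    if not active:
        findings.append("no-active-path: rule has no active path")
    # A Standard VPN path needs a Standard Services and DC Group in the
    # same rule; without it the traffic is black-holed.
    if STANDARD_VPN in paths and not group:
        findings.append(
            "black-hole: Standard VPN used without a Services and DC Group")
    # A single path with no alternative leaves matching traffic with no
    # available path when that path goes down.
    if len(set(paths)) == 1:
        findings.append("no-failover: %s is the only path" % paths[0])
    return findings

def lint_policy_set(rules):
    """Map rule name -> findings, listing only rules that have findings."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

# Constructed sample rules mirroring Applications A-C, plus one rule
# that omits the group.
SAMPLE_RULES = [
    {"name": "app-a", "active_paths": [STANDARD_VPN], "backup_paths": [],
     "service_dc_group": "Azure"},
    {"name": "app-b", "active_paths": [STANDARD_VPN],
     "backup_paths": [SDWAN_VPN], "service_dc_group": "Azure"},
    {"name": "app-c", "active_paths": [SDWAN_VPN],
     "backup_paths": [STANDARD_VPN], "service_dc_group": "Azure"},
    {"name": "azure-prefixes-no-group", "active_paths": [STANDARD_VPN],
     "backup_paths": [SDWAN_VPN], "service_dc_group": None},
]

if __name__ == "__main__":
    for name, findings in lint_policy_set(SAMPLE_RULES).items():
        print(name, findings)
```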