What is DIA?
Traditional WAN deployments, especially those using MPLS, send all branch traffic to a DC before sending it over the internet to its destination. This approach can be costly when using SaaS applications such as O365, Salesforce, or Zoom, since traffic from all network branches must be sent to the DC first before going out over the internet. Direct Internet Access (DIA) is a solution that allows you to send chosen SaaS/application traffic directly onto the internet from the branch, without needing to backhaul it to the DC. This reduces the bandwidth capacity needed at the DC while improving latency for internet-bound applications.
The Graphiant Edge supports Direct Internet Access using two different modes:
Traffic policies
Static routes
Step 1: DIA Setup Recommendation
The recommended approach for setting up DIA is to use a static default route, and then use traffic policies to match specific applications and send them over the Graphiant network. This is due to corner cases with DPI first-packet classification. When performing application classification using DPI, the Graphiant Edge uses DNS requests to perform first-packet classification. This first-packet classification can fail if DNS requests are encrypted (DNSSEC), which in turn causes the traffic policy match to fail. Using a default static route in conjunction with traffic policies allows you to avoid issues due to these corner cases.
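The corner case above, worked through as an added example (a simplified model written for this page, not Graphiant code). It assumes a matching traffic policy takes precedence over static routes and that unmatched traffic uses the Graphiant Core; the 'erp' application, the addresses and all function names are constructed for illustration.

```python
import ipaddress

# Simplified model of the forwarding decision described above; NOT Graphiant code.
# Assumption: a matching traffic policy wins over static routes, and traffic that
# matches neither is carried over the Graphiant Core.

def classify(flow, dns_cache):
    """First-packet classification: the app is known only if a readable DNS answer for this IP was seen."""
    return dns_cache.get(flow["dst"])

def lookup_route(dst, static_routes):
    """Longest-prefix match over (prefix, path) static routes; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in static_routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else None

def forward(flow, dns_cache, policies, static_routes, fallback="core"):
    """Return the path ('dia' or 'core') chosen for one flow."""
    app = classify(flow, dns_cache)
    if app in policies:                      # traffic policy matched on application
        return policies[app]
    return lookup_route(flow["dst"], static_routes) or fallback

# Constructed sample: the DNS answer for 203.0.113.10 was readable by the Edge;
# the lookup that preceded the flow to 203.0.113.20 was encrypted, so it is unclassified.
DNS_CACHE = {"203.0.113.10": "office365", "198.51.100.5": "erp"}
FLOWS = [
    {"name": "o365-readable-dns", "dst": "203.0.113.10"},
    {"name": "o365-encrypted-dns", "dst": "203.0.113.20"},
    {"name": "erp", "dst": "198.51.100.5"},
]

# Setup A: DIA by application policy only, no static routes.
POLICY_ONLY = dict(policies={"office365": "dia"}, static_routes=[])
# Setup B (recommended): default static route to DIA, policy sends 'erp' over Graphiant.
RECOMMENDED = dict(policies={"erp": "core"}, static_routes=[("0.0.0.0/0", "dia")])

def paths(setup):
    """Map each sample flow name to the path chosen under the given setup."""
    return {f["name"]: forward(f, DNS_CACHE, **setup) for f in FLOWS}

if __name__ == "__main__":
    print("policy only :", paths(POLICY_ONLY))
    print("recommended :", paths(RECOMMENDED))
```

Under the policy-only setup the unclassified O365 flow misses the DIA rule and is backhauled; with the default static route it still leaves via DIA.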
Configuring DIA in the Graphiant Portal
From the Home screen, navigate to the Edge Configuration screen by one of the following:
Locate the "Configurations" section within the top left of the screen; select 'Configure Edges'.
or
Click 'Configure' in the sidebar; select 'Edge Devices'.
This will take you to the ‘Configuration’ page of the Graphiant Portal where you can view all active, staged, and deactivated Edges. From here you will be able to select among the active Edges which Edge(s) you would like to configure.
On the right-hand side, click ‘Configure’ next to the Edge you wish to manage.
This will take you onto a Configuration page with a focus on the Edge you have just chosen.
Here you will see a list of headers along the left-hand side of the page, such as ‘Configure Network’, ‘Configure Services’, ‘Configure Policies’, etc.
From here, select and click ‘Configure Network’, and from the dropdown menu select and click ‘WAN Circuits’.
On the 'WAN Circuits' page, you will see the list of all existing WAN circuits.
Select the WAN circuit on which you would like to enable DIA and then toggle DIA to ‘On’.
Now you're ready to select which apps/traffic should use DIA.
Option 1: Configuring DIA Using Policy
Sending traffic via DIA can be achieved by using traffic policies. Once you've set up at least one WAN circuit to support DIA (using the approach mentioned above) you can define a traffic policy to match traffic and send it via DIA instead of using the Graphiant Core.
From the left navigation menu, select and click ‘Configure Policies’ and from the dropdown menu select and click ‘Traffic’.
On the 'Traffic Policy' page click ‘Add Rule Set’.
To add a Rule to the Rule Set, select and click the (+) icon.
Configure the ruleset to match the flow or application you want; for details on how to configure rules in a traffic policy, take a look at 'Configuring Traffic Policies'.
DIA for Specific Apps:
After configuring the match criteria, switch to the 'Action' tab.
In this tab, switch DIA to ‘On’.
Choose the WAN circuit you want to use for DIA in the 'Preferred Primary Circuit' dropdown.
Note:
Using a default static route with traffic policies to send specific applications over the Graphiant network is the recommended setup for DIA.
For additional details please look at the DIA setup recommendation section.
After setting the 'Preferred Primary Circuit' you can optionally set the 'Preferred Backup Circuit'. The backup circuit will be used in case the primary circuit is unavailable.
Next, click 'Add Rule'.
Apply the Rule Set to the relevant LAN segment by clicking 'Apply to LAN segments'.
Select the desired LAN Segment to which the Rule will be applied.
Once you review and apply these changes (as described in Step 2), the chosen flow/application will start using DIA on this Edge.
Matching O365 for DIA
Microsoft O365 is a special use case, and requires matching multiple underlying applications for all the capabilities to work.
Note:
In order to match O365 using a traffic policy you will need to configure the policy to match both Office 365 and Microsoft Services.
To add a Rule to the Rule Set, select and click the (+) plus icon on the right hand side of the page within the lower section.
A pop-up window will appear containing four headings: ‘General’, ‘Match Source & Dest’, ‘Match Application’, and ‘Action’.
In the General section add a Rule Name and, if desired, a Description.
Switch over to the ‘Match Application’ tab.
Select ‘Office 365’.
Switch to the Action tab.
Set the Preferred Primary Circuit.
After setting the 'Preferred Primary Circuit' you can optionally set the 'Preferred Backup Circuit'. The backup circuit will be used in case the primary circuit is unavailable.
Next, click 'Add Rule'.
The Rule will now be seen in the list.
Select and click the (+) plus icon again to add the next application.
Under Rule Details, select ‘Match MS Services’ from the dropdown.
Switch over to the Match Application tab, and select Microsoft Services.
Switch to the “Action” tab and set the Preferred Primary Circuit.
After setting the 'Preferred Primary Circuit' you can optionally set the 'Preferred Backup Circuit'. The backup circuit will be used in case the primary circuit is unavailable.
Next, click 'Add Rule'.
Both Microsoft Rules are now seen in the Rules list.
Once you review and apply these changes (as described in Step 2), Office 365 will start using DIA on this Edge.
DIA for All Apps:
Configuring DIA for all apps using a traffic policy is a straightforward process.
You will need to add a new rule to the ruleset, then:
Switch to the 'Match Source & Dest' tab and set the 'Prefix Destination' to "0.0.0.0/0".
Note:
Using a default static route with traffic policies to send specific applications over the Graphiant network is the recommended setup for DIA.
For additional details please look at the DIA setup recommendation section.
After configuring the match criteria, switch to the 'Action' tab.
Switch DIA to On.
Choose the WAN circuit you want to use for DIA in the 'Preferred Primary Circuit' dropdown.
After setting the 'Preferred Primary Circuit' you can optionally set the 'Preferred Backup Circuit'. The backup circuit will be used in case the primary circuit is unavailable.
Next, click 'Add Rule'.
Next, apply the Rule Set to the relevant LAN segment by clicking 'Apply to LAN segments'.
Select the LAN Segment to which the Rules are applied.
Once you review and apply these changes (as described in Step 2), all flows/applications will start using DIA on this Edge.
Option 2: Configuring DIA Using Static Routes
The other way to configure traffic to use DIA is by using static routes. This approach works well for traffic where the destination IP addresses are well known.
Note:
Please use traffic policies for DIA if you're setting it up for an application.
From the left navigation menu, select and click ‘Configure Services’, and from the dropdown menu select and click ‘Routing Protocols & Filters’.
DIA for Specific Routes:
On the 'Routing Protocols & Filters’ page, under the 'Static' tab:
Choose the relevant LAN segment from the left hand menu.
Then add a new static route using the '+' button on the right.
The new static route will be below any existing static routes.
Note:
Using a default static route with traffic policies to send specific applications over the Graphiant network is the recommended setup for DIA. For additional details please look at the DIA setup recommendation section.
Enter the 'Subnet' for the static route, and then choose the DIA WAN circuit as the 'Interface'.
Click 'Save'.
Once you review and apply these changes (as described in Step 2), the traffic destined for the chosen subnet will start using DIA on this Edge.
DIA for All Traffic:
DIA for all traffic using static routes can be achieved by setting up an appropriate default route.
Note:
Using a default static route with traffic policies to send specific applications over the Graphiant network is the recommended setup for DIA. For additional details please look at the DIA setup recommendation section.
On the “Routing Protocols & Filters” page, under the 'Static' tab:
Choose the relevant LAN segment from the left hand menu.
Then add a new static route using the '+' button on the right.
The new static route will be below any existing static routes.
Enter "0.0.0.0/0" as the 'Subnet' for the static route.
Then choose the DIA WAN circuit as the 'Interface'.
Click 'Save'.
Once you review and apply these changes (as described in Step 2), the traffic destined for the chosen subnet will start using DIA on this Edge.
Step 2: Review & Apply
Once the above fields are filled in, DIA will be ready to use; however, you will first need to review and approve all changes made.
In the top right-hand corner, choose from the following options:
‘Discard’ to discard changes made.
‘Save as Draft’ to save changes made to be implemented at a later time.
‘Review’ to review and apply changes made for immediate deployment.