Hello   We have a WAN setup consisting of Circa 10 Spoke VPN sites with 2 VPN Hubs. All Meraki MX appliances have SD-WAN license. All sites are set break out locally to the internet and route via Hub VPNs for respective internal resources. We have a specific application with a fixed public IP range. Our goal is to ensure traffic sourced from any local subnet at any spoke site, destined to the specific application (Public Range) routes via the Hub VPNs, breaking out centrally (rather than local breakout of the specific site). This is due to Public IP address source restriction on the specific application So effectively default behavior for internet traffic for each spoke is to breakout locally, with the exception for the specific Public destination to backhaul for central breakout. I appreciate we can add each sites's local public range as a whitelist for the application, however some addresses are dynamic. There appears to be the ability to backhaul all traffic from spokes to hubs and setting exclusions, but not the reverse. https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2F%2FURL_Based_Local_Internet_Breakout) Thanks ... View more