Hi,

Once you've connected a site to Secure Connect, you can configure which traffic goes direct to the Internet under Security & SD-WAN > SD-WAN & Traffic Shaping > Local Internet Breakout. Here you can define VPN Exclusion rules for which traffic should bypass the tunnel. With the SDWAN+ license, there is also an option to exclude traffic at the application level for a handful of popular, well-known applications.

As to your note on the hubs joining Secure Connect not receiving a default route by default, I believe when this was originally designed it was to help prevent customers from unknowingly having all their traffic sent through Secure Connect. Let's say you had a default security policy for HTTPS inspection in Umbrella but didn't have the cert deployed to all the endpoints connected to the hub: this could lead to an unpleasant experience for users trying to access HTTPS pages without the cert loaded.

This configuration is definitely supported, and I'd recommend reaching out to the Secure Connect support team (just use any support link from a Secure Connect page in the dashboard). I thought it was just a matter of ensuring that the Secure Connect hub was listed as a higher priority under Security & SD-WAN > Site-to-site VPN at the site in question. The value of having the Internet traffic go through Secure Connect would be the additional security functionality, like HTTPS inspection, tenant controls, DLP functionality, sandboxing, web app controls, etc.