Intelligent Routing
How Banyan automatically selects the appropriate mechanism to securely connect a user to the resource they need to access
Unlike traditional networking tools that require complex and often incompatible configurations such as VPN profiles, segmentation rules, PAC files, etc to route and inspect traffic, Banyan only requires administrators to specify services and policies for their workforce. Banyan then automatically selects the appropriate mechanism to securely connect a user to the resource they need to access and to enforce the requisite security policies.

Routing Framework
Banyan’s routing framework is applied at different layers of the networking stack:
- DNS Resolution - how a domain is resolved on the device
- Network-layer Steering - whether a packet is steered over a tunnel or the internet
- Application-layer Proxying - whether a request should terminate TLS and be proxied or not
- Application Authentication - how the resource identifies the user accessing it
DNS Resolution
DNS determines how a domain name is resolved to an IP address, and is configured as follows with Banyan:
- Private domains are resolved at internal DNS servers, typically over a service tunnel
- Published services use Service Domain Names that resolve via public DNS servers to your organization’s Banyan Edge
- If Internet Threat Protection is enabled, domains are inspected via Banyan’s DNS filtering capability and threats are blocked
- If Internet Threat Protection is not enabled, domains are resolved at the DNS server specified by the device’s network
Additional reading:
- DNS and routing when securing private resources such as internal websites and infrastructure servers.
- DNS and routing when securing networks utilizing Banyan’s service tunnel capability.
Network-layer Steering
Banyan makes a decision on whether to route a packet over a tunnel or directly to the internet:
- Private network traffic flows over a service tunnel
- Specified tunnel domains & CIDRs also flow over a service tunnel
- If Internet Threat Protection is enabled, URLs are inspected on device via Banyan’s URL filtering capability and threats are blocked
- Published services utilize TLS encryption and are routed over the public internet to your organization’s Banyan Edge
- All other traffic flows over the public internet to its destination
Additional reading:
- Routing public domains over a tunnel for IP whitelisting
Application Proxy
The Banyan Edge provides an identity-aware proxy that enforces application-layer policies.
- Published services are proxied through the Banyan Edge; the Edge terminates TLS and forwards requests to the backend
- If application-layer policies are specified, L7 requests and responses are examined and policies are enforced
Additional reading:
- Applying API-level policies for hosted websites
Application Authentication
Banyan issues short-lived cryptographic credentials - SAML and OIDC tokens, X.509 and SSH certificates - that can be used for application authentication.
- SaaS application can use Banyan’s IDP federation to authenticate users
- Infrastructure resources (SSH server, K8s API) can use Banyan’s tokens and certificates for authentication and authorization
- If policies are specified, Banyan can enforce user- and device-based controls
Other Scenarios
A few other scenarios that Banyan supports that are not explicitly called out in the framework above are noted here:
1. Clientless access
Users without a Banyan client cannot set up service-tunnel-based connectivity. In this scenario, you can use Banyan’s published services capability. Published services in Banyan resolve via public DNS servers and are proxied through the Banyan Edge, which terminates TLS using trusted Let’s Encrypt certificates and enforces application-layer policies.
2. Co-existing with traditional L3 VPN
Banyan can operate seamlessly atop an existing L3 VPN. Typically, traffic to published services flows over the public internet. However, you can configure Private DNS Override for a given published service so traffic will flow over your L3 VPN tunnel instead of the public internet.
3. Co-existing with on-premise Web Proxy
Banyan can operate seamlessly in secure networks that require all web traffic to be inspected by a web proxy. The Banyan App and Banyan Access Tier both respect the OS’s http_connect
proxy setting, and so can communicate with the Banyan Cloud Command Center.
What’s next
Read more about how zero-trust policies work in Banyan.