The CSS and NSD via Edge WAN link path selection workflow:
The Edge determines whether a WAN link is eligible for a Non SD-WAN Destination (NSD) tunnel as follows:
1. Skip this link if this is NSD traffic and the NSD is down.
2. Skip this link if the interface is down.
3. Skip this link if it is Private. Note: this is because CSS traffic is direct-to-cloud traffic and thus cannot use private links.
4. Skip this link if it is unstable.
5. Skip this link if it is a hot standby.
6. Skip this link if the QoE is yellow or red. Note: this refers to the QoE link quality graph found on the Monitor > Edge > QoE tab.
7. Skip this link if the Business Policy indicates a different Transport Group. Note: for example, if a business policy specifies that CSS traffic only use the public wired link group and the WAN link being checked is a public wireless link, then that link would be skipped.
When a WAN link satisfies all of the listed criteria it is marked as eligible; the Edge then picks the eligible WAN link with the most available downstream bandwidth and uses it to form the tunnel and send data.
If no WAN link satisfies the listed criteria, the Edge relaxes the QoE criterion in step 6 and selects the link with the best QoE available, even if that QoE is yellow or even red.
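The selection workflow above, written out as an added Python sketch (not VMware code) so the strict pass and the QoE-relaxed fallback can be checked against a link inventory. The `WanLink` class, its field names, the sample links, and the use of downstream bandwidth as a tie-break in the fallback are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

QOE_RANK = {"green": 0, "yellow": 1, "red": 2}  # lower rank = better QoE

@dataclass(frozen=True)
class WanLink:
    name: str
    group: str                # Transport Group, e.g. "public-wired"
    downstream_mbps: float    # available downstream bandwidth
    qoe: str = "green"
    interface_up: bool = True
    private: bool = False
    stable: bool = True
    hot_standby: bool = False

def passes(link, policy_group, nsd_traffic, nsd_up, check_qoe=True):
    """Apply the skip rules in the order the page lists them."""
    if nsd_traffic and not nsd_up:
        return False
    if not link.interface_up or link.private:
        return False
    if not link.stable or link.hot_standby:
        return False
    if check_qoe and link.qoe != "green":
        return False
    # policy_group=None models a Business Policy with no Transport Group pinned
    return policy_group is None or link.group == policy_group

def select_link(links, policy_group=None, nsd_traffic=False, nsd_up=True):
    """Return (link, qoe_relaxed); (None, False) when no link qualifies."""
    args = (policy_group, nsd_traffic, nsd_up)
    eligible = [l for l in links if passes(l, *args)]
    if eligible:
        return max(eligible, key=lambda l: l.downstream_mbps), False
    relaxed = [l for l in links if passes(l, *args, check_qoe=False)]
    if not relaxed:
        return None, False
    # Best QoE wins; bandwidth as the tie-break is an assumption of this sketch.
    return min(relaxed, key=lambda l: (QOE_RANK[l.qoe], -l.downstream_mbps)), True

# Constructed sample inventory (names and figures are made up).
LINKS = [
    WanLink("GE3", "public-wired", 200),
    WanLink("GE4", "public-wired", 500, hot_standby=True),
    WanLink("LTE1", "public-wireless", 50),
    WanLink("MPLS1", "private-wired", 1000, private=True),
]
# Same inventory with every link degraded, to exercise the fallback.
DEGRADED = [replace(l, qoe="red" if l.name == "GE3" else "yellow") for l in LINKS]
```

With the degraded inventory, `select_link` returns the yellow wireless link with `qoe_relaxed=True`, which is the condition worth alerting on: tunnel traffic is then riding a link that failed the normal quality check.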
CSS and NSD via Edge pre-shared key (PSK) usage behavior when there are multiple eligible WAN links:
When the Edge has multiple eligible WAN links, it will try to establish tunnels to an NSD on all WAN links.
The Edge will always create tunnels based on the number of configured PSKs, using one PSK per tunnel. PSKs will also be used on a per-segment basis.
- If the number of WAN links is higher than the number of PSKs configured, then the number of tunnels created will only be that of the configured PSKs.
- If the number of WAN links and the number of PSKs configured are the same, each link will use one PSK to create a tunnel. There is no specific PSK to specific WAN link mapping.
- If the number of WAN links is less than the number of PSKs configured, each link will use one PSK to create a tunnel and the remaining PSKs will remain in the device but will not be used.