Citrix SD-WAN

Inter-routing domain service

Citrix SD-WAN allows you to segment the network using Routing Domains, ensuring high security and easy management. With the use of the Routing Domain the traffic is isolated from each other in the overlay network. Each routing domain maintains its own routing table. For more information on Routing Domain, see Routing Domain.

However, sometimes we need to route the traffic between the Routing domains. For example if shared services such as printer, scanner, and mail server are provisioned as a separate Routing Domain. Inter-routing domain is required to enable users from different routing domains to access the shared services.

Citrix SD-WAN provides Static Inter-Routing Domain Service, enabling route leaking between Routing Domains within a site or between different sites. This eliminates the need for an edge router to handle route leaking. The Inter-routing domain service can further be used to set up routes, firewall policies, and NAT rules.

A new Firewall Zone, Inter_Routing_Domain_Zone is created by default and serves as the firewall zone for the Inter-Routing Domain Services for routing and filtering.


Citrix SD-WAN PE appliances do not perform WAN optimization functionality on Inter-Routing Domain packets.

To configure Inter-routing Domain Service between two routing domains.

Consider an SD-WAN network with an MCN and 2 or more branches with at least two Routing Domains configured globally. By default, all the routing domains are enabled on the MCN. Selectively enable the required routing domains on the other sites. For information on configuring Routing Domain see, Configure Routing Domain.

  1. In the SD-WAN Configuration Editor, navigate to Connections > Select Site > Inter-Routing Domain Service.

  2. Click + and enter values for the following parameters:

  • Name: The name of the Inter-Routing Domain Service.
  • Routing Domain 1: The first Routing Domain of the pair.
  • Routing Domain 2: The second Routing Domain of the pair.
  • Firewall Zone: The Firewall Zone of the Service.
    • Default: The Inter_Routing_Domain_Zone firewall zone is assigned.
    • None: No zone is selected and the original zone of the packet is retained.
    • All Zones configured in the network might be selected.

    Configure inter-routing domain service

  1. Click Apply to create the Inter-routing domain service. The created service can be used to create routes, firewall policies, and NAT policies.


You cannot configure an Inter-routing domain service, using routing domains that are not enabled on a site.

To create routes using the Inter-routing domain service, create a route with the Service type as Inter-Routing Domain Service and select the inter-routing domain service. For more information on configuring Routes, see How to Configure Routes.

Configure route using inter-routing domain service

Also add a route from the other Routing Domain pair, to establish connection to and fro between the two routing domains.

You can also configure firewall policies to control the flow of traffic between routing domains. In the firewall policies, select Inter-Routing domain service for the source and destination services and select the required firewall action. For information on configuring Firewall Policies, see Policies.

Configure policies using inter-routing domain service

You can also choose Intranet service type to configure Static and Dynamic NAT policies. For more information on configuring NAT policies, see Network Address Translation.

Configure NAT using inter-routing domain service


You can view monitoring statistics for connections that use inter-routing-domain services under Monitoring > Firewall Statistics > Connections.

Monitoring inter-routing domain

Use Case: Sharing resources across Routing Domains

Let us consider a scenario, in which users in different routing domains need to access common assets, such a printer or network storage. There are 3 routing domains at a branch RD1, RD2, and Shared RD as shown in the figure.

Shared resources across routing domains

To enable users in RD1 and RD2 to access resources in Shared RD:

  1. Create an Inter-Routing Domain service between RD1 and Shared RD, for example Inter RD1.
  2. Create an Inter-Routing Domain service between RD2 and Shared RD, for example Inter RD2.

    Shared RD

  3. Configure a static route to Shared RD from RD1 and RD2. In RD1, add a route to InterRD1.

    Add route in RD1

  4. In RD2, add a route to InterRD2.

    Add route in RD2

  5. Add a Dynamic NAT rule to InterRD1 using a VIP in shared RD. Enable Bind Responder Route to ensure that the reverse route uses the same service type.

    Dynamic NAT for RD1

  6. Add a Dynamic NAT rule to InterRD2 using a VIP in shared RD, for example Enable Bind Responder Route to ensure that the reverse route uses the same service type.

    Dynamic NAT for RD2

  7. Use filters to limit what resources in Shared RD are allowed to be accessed by users in RD1/RD2.

Inter-routing domain service