Platform Architecture
SecureLink V2 is a multi-tenant SD-WAN management platform that orchestrates network configuration across distributed edge devices. This page describes the core components, how they communicate, and how data flows through the system.
Components
| Component | Role |
|---|---|
| VSM Web UI | React single-page application. Provides the management dashboard for all device types, configuration, monitoring, and user management. |
| VSM API | Node.js backend (Hono framework, Drizzle ORM). Serves the REST API, builds batch configurations, processes MQTT messages, and manages all persistent state. |
| MySQL | Primary datastore. Holds device inventory, configuration state, user accounts, tenant data, peering topologies, and feature flags. |
| EMQX (MQTT Broker) | Message broker for all communication between the orchestrator and edge devices. Uses mutual TLS (mTLS) for authentication after bootstrap. |
| Edge Agent | Go-based agent running on dedicated edge devices. Receives batch configuration over MQTT, applies it directly to VPP via the Binary API and CLI, and reports status back. Configuration state is persisted to a local SQLite database. |
| VPP | Vector Packet Processing — the high-performance data plane on edge devices. Handles routing, NAT, ACLs, WireGuard tunnels, and traffic monitoring. |
| MTGE Agent | Same codebase as the Edge Agent, running in multi-tenant mode (EDGE_MODE=mtge). Manages per-tenant VRF isolation, per-tenant MQTT topics, and shared VPP resources. |
| Connector Agent | Lightweight Go agent using Linux networking (no VPP). Handles WireGuard, static routes, NAT, and ACLs via standard kernel tools. |
| VictoriaMetrics | Time-series database for metrics. Receives edge telemetry (CPU, memory, interface stats, IPFIX flow data) and serves PromQL queries. |
| Loki | Log aggregation system. Collects container logs via Promtail and serves LogQL queries for the monitoring dashboard. |
| Grafana | Visualization layer. Queries VictoriaMetrics and Loki to render dashboards, charts, and alerts. |
| Keycloak | Identity provider (OAuth2/OIDC). Handles user authentication (credentials). Authorization is handled separately by the VSM API via session tokens. |
| Global VSA | Optional multi-orchestrator management plane. Controls feature flags per tenant, collects usage metrics, and generates billing reports. |
Communication Paths
The system has two primary communication directions:
Southbound (Orchestrator to Edge)
Configuration flows from the UI down to the network data plane:
- The administrator makes a change in the Web UI (e.g., adds a WireGuard peer)
- The UI sends a REST API call to the VSM API
- The API writes the desired state to MySQL and marks the edge configuration as "dirty"
- When a sync is triggered, the API builds a complete batch configuration message
- The batch is published to the edge's MQTT topic
- The edge agent receives it, applies changes directly to VPP via the Binary API and CLI, and persists state to SQLite
- The agent sends a confirmation back over MQTT
Northbound (Edge to Orchestrator)
Telemetry, status, and confirmations flow from the edge up to the orchestrator:
- Edge agents periodically send inform messages (every 60s) with VPP interface statistics
- Connectors send keepalive messages (every 30s)
- After applying configuration, agents send confirmation messages with the applied config hash
- Metrics are forwarded to VictoriaMetrics; logs flow to Loki via Promtail
- The API updates MySQL (last seen time, WAN IP, sync status) and the Web UI reflects the current state
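The dirty-flag and confirmation-hash handling described in the two flows above, as an added Go sketch of the orchestrator-side record (not code from the SecureLink VSM API or Edge Agent): it builds the batch topic per device type, hashes the batch, and clears the dirty flag only when the agent's reported hash matches the current desired state. The `Batch` layout, the `Device` record and the use of SHA-256 over canonical JSON as the config hash are assumptions; the real payload format is in the MQTT Topic Reference.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Batch and Device are constructed stand-ins (real payload format: MQTT Topic Reference).
type Batch struct {
	Serial   string            `json:"serial"`
	TenantID string            `json:"tenantId,omitempty"` // set only for an MTGE tenant slice
	Config   map[string]string `json:"config"`
}

type Device struct {
	Serial, TenantID string
	Desired          map[string]string // desired state as held in MySQL
	Dirty            bool              // set when Desired changes, cleared by Confirm
}

// BatchTopic follows the "Config delivery" row of the device type table.
func BatchTopic(serial, tenantID string) string {
	if tenantID != "" {
		return "VSR/" + serial + "/batch/" + tenantID
	}
	return "VSR/" + serial + "/batch"
}

// ConfigHash hashes the canonical JSON form (encoding/json sorts map keys).
func ConfigHash(b Batch) string {
	raw, _ := json.Marshal(b)
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// Sync builds the complete batch and the topic it is published to (southbound steps 4-5).
func (d *Device) Sync() (string, Batch) {
	return BatchTopic(d.Serial, d.TenantID), Batch{Serial: d.Serial, TenantID: d.TenantID, Config: d.Desired}
}

// Confirm clears dirty only if the agent's hash matches the current desired state.
func (d *Device) Confirm(appliedHash string) bool {
	_, want := d.Sync()
	ok := appliedHash == ConfigHash(want) // false for a stale or mismatched hash
	d.Dirty = d.Dirty && !ok
	return ok
}
```

A confirmation that arrives after a newer change has been written no longer matches the desired-state hash, so the edge stays dirty until the next sync is applied.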
Device Type Comparison
SecureLink supports three device types, each suited to different deployment scenarios:
| Capability | Dedicated Edge | MTGE (Shared Gateway) | Connector |
|---|---|---|---|
| Data plane | VPP (DPDK or AF_PACKET) | VPP (DPDK or AF_PACKET) | Linux kernel |
| Tenancy | Single tenant | Multi-tenant (VRF isolation) | Single tenant |
| WireGuard tunnels | wg0 (IoT), wg1 (Apps), wg2/wg3 (Peering) | Per-tenant wg0, wg1, wg2/wg3 | wg0 (hub connection), wg1 (E2E peering) |
| App VPN protocols | WireGuard or IKEv2 | Per-tenant WireGuard or IKEv2 | Not applicable |
| Routing | Static + BGP/BFD (Bird) | Per-tenant static + BGP/BFD | Static only |
| NAT | NAT44-EI via VPP | Per-tenant NAT44-EI | iptables masquerade |
| ACLs | VPP ACL plugin | Per-tenant VPP ACLs | iptables rules |
| Traffic inspection | Suricata (optional) | Per-tenant Suricata | Not available |
| IPFIX flows | Flowprobe + edge-side collection | Per-tenant flowprobe | Not available |
| Edge peering | Full mesh, hub-spoke, partial mesh | Can participate as peering member | Single tunnel (WireGuard or IPSec) |
| Config delivery | VSR/{serial}/batch | VSR/{serial}/batch/{tenantId} | VSR/{serial}/batch |
| State persistence | SQLite (/var/lib/edge-agent/state.db) | SQLite | Filesystem |
| Typical deployment | Customer site, data center | Co-location, shared facility | Branch office, cloud VPC |
Data Stores
| Store | Contents | Accessed By |
|---|---|---|
| MySQL | Device inventory, configuration state, user accounts, tenant data, peering topologies, feature flags, session tokens | VSM API (read/write) |
| SQLite (edge-local) | Configuration state (desired, actual, status, retry count), sync state, config audit log. The agent is the sole VPP controller — it reads and writes state directly. | Edge Agent |
| VictoriaMetrics | Time-series metrics — CPU, memory, interface counters, IPFIX flow aggregates, uptime | VSM API (query via PromQL), Grafana |
| Loki | Structured logs from Docker containers on the orchestrator and edge devices | VSM API (query via LogQL), Grafana |
Further Reading
- Config Sync Pipeline — How configuration changes flow from the UI to the edge data plane
- Security Architecture — Authentication, certificate provisioning, and multi-tenant isolation
- Observability Pipeline — Metrics, logs, flows, and alerting
- MQTT Topic Reference — Complete topic listing with payload formats