Feature Control
Feature control allows SuperAdmins to manage which capabilities are available for each tenant. This enables gradual rollouts, per-tenant customization, and compliance with licensing agreements.
Accessing Feature Toggles
- Navigate to the Tenants list in the Global VSA sidebar.
- Click a tenant name to open the tenant detail page.
- Locate the Feature Toggles card on the detail page.
Available Feature Toggles
Two features can be controlled per tenant:
Suricata IDS/IPS
Toggle switch to enable or disable intrusion detection and prevention for this tenant. When enabled, edge batch configurations include Suricata-related sections. When disabled, those sections are excluded from the batch config and the orchestrator frontend displays a "Feature Disabled" banner on the Suricata page.
WireGuard IoT Gateway
Toggle switch to enable or disable the IoT gateway functionality for this tenant. When enabled, IoT-related WireGuard configuration is included in edge batch configs. When disabled, the configuration is excluded and a "Feature Disabled" banner is shown in the orchestrator frontend.
Toggle switches appear indigo when enabled and gray when disabled.
How Feature Sync Works
Feature flag changes propagate through the system in a defined sequence:
- SuperAdmin toggles a feature in the Global VSA tenant detail page.
- The orchestrator polls Global VSA every 5 minutes for feature flag updates.
- On the next sync, the orchestrator updates its local tenant_feature_flags table.
- Affected edge batch configs exclude sections for disabled features on the next config publish.
- The orchestrator frontend shows a "Feature Disabled" banner for any disabled features.
Feature changes are not instant -- they propagate on the next orchestrator sync cycle, which occurs every 5 minutes. Plan accordingly when making time-sensitive changes.
Default Behavior
When no feature flag row exists for a tenant, features are enabled by default. This ensures backward compatibility: existing tenants that were operational before Global VSA was deployed continue to function without requiring manual feature enablement.
Only explicitly disabled features (toggle set to off) will restrict functionality.
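The default-enabled rule and the batch-config section exclusion described above, as an added example (not the product's own code). The column names, feature keys and config section names are assumptions; the page names only the tenant_feature_flags table.

```python
import sqlite3

# Assumed feature keys and schema; the page names only the tenant_feature_flags table.
FEATURES = ("suricata", "wireguard_iot")

def open_db(rows):
    """Build an in-memory stand-in for the orchestrator's local flag table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenant_feature_flags ("
               "tenant_id TEXT, feature TEXT, enabled INTEGER, "
               "PRIMARY KEY (tenant_id, feature))")
    db.executemany("INSERT INTO tenant_feature_flags VALUES (?, ?, ?)", rows)
    return db

def effective_flags(db, tenant_id):
    """Return {feature: (enabled, source)}; a missing row means enabled by default."""
    explicit = dict(db.execute(
        "SELECT feature, enabled FROM tenant_feature_flags WHERE tenant_id = ?",
        (tenant_id,)))
    return {f: (bool(explicit[f]), "explicit") if f in explicit else (True, "default")
            for f in FEATURES}

def filter_batch_config(config, flags):
    """Drop sections whose feature is explicitly disabled; keep everything else."""
    return {name: body for name, body in config.items()
            if flags.get(name, (True, "default"))[0]}

def implicit_enables(db, tenant_ids):
    """Audit helper: (tenant, feature) pairs that are on only because no row exists."""
    return [(t, f) for t in tenant_ids
            for f, (on, src) in effective_flags(db, t).items()
            if on and src == "default"]

# Constructed sample data: tenant-a disabled Suricata, tenant-b has no rows at all.
SAMPLE_ROWS = [("tenant-a", "suricata", 0), ("tenant-a", "wireguard_iot", 1)]
SAMPLE_CONFIG = {"interfaces": {}, "suricata": {}, "wireguard_iot": {}}

if __name__ == "__main__":
    db = open_db(SAMPLE_ROWS)
    for tenant in ("tenant-a", "tenant-b"):
        flags = effective_flags(db, tenant)
        print(tenant, sorted(filter_batch_config(SAMPLE_CONFIG, flags)))
    print(implicit_enables(db, ["tenant-a", "tenant-b"]))
```

The audit helper lists tenants whose features are active only through the default, which is the set to review when a feature must be off unless licensed.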
Best Practices
Use feature toggles for gradual rollouts. Enable Suricata for a test tenant first, verify it works correctly, then enable it for all remaining tenants.
- Test before broad rollout: Enable a new feature for a single tenant, monitor for issues, then enable for others.
- Communicate before disabling: If you plan to disable a feature for an active tenant, coordinate with the tenant administrator to avoid unexpected disruptions.
- Review feature adoption: Use the Dashboard metrics cards (Suricata Active, WG IoT Active) to track how many tenants have each feature enabled.