MTGE Deployment
An MTGE (Multi-Tenant Gateway Edge) allows multiple tenants to share a single edge device with full network isolation. Each tenant receives its own VRF, WireGuard instances, and subnet allocations. MTGE devices support both DPDK and AF_PACKET modes.
Prerequisites
The hardware and software requirements are the same as a dedicated edge:
- DPDK mode: Intel NICs with SR-IOV, VT-d enabled, 4+ cores, 8+ GB RAM, 2+ NICs
- AF_PACKET mode: Any server or VM, 2+ cores, 4+ GB RAM, 2+ NICs
- Ubuntu 22.04+ or compatible Linux distribution
- Docker installed and running
- SSH access configured
See Choosing Your Device Type for guidance on selecting DPDK vs AF_PACKET mode.
Build and Deploy
DPDK Mode
./scripts/build-production-edge-image.sh --edge-mode mtge --deploy <MTGE_IP> --bootstrap
AF_PACKET Mode (VMs and Cloud)
./scripts/build-production-edge-image.sh \
--edge-mode mtge \
--mode afpacket \
--wan-interface ens33 \
--deploy <MTGE_IP>
The MTGE build uses the unified build script (build-production-edge-image.sh) with the --edge-mode mtge flag. It supports the same flags as dedicated edge builds:
| Flag | Description |
|---|---|
| --deploy <IP> | Target MTGE IP address for SSH deployment |
| --mode afpacket | Use AF_PACKET mode instead of DPDK |
| --wan-interface <name> | WAN-facing interface name (required for AF_PACKET) |
| --lan-interfaces <name> | LAN interface(s) (optional) |
| --bootstrap | Run bootstrap after deployment |
| --skip-build | Use a previously built image |
| --overwrite-compose | Regenerate the compose file |
MTGE Bootstrap
The MTGE bootstrap process differs from the dedicated edge bootstrap. Instead of using a MAC address and deployment token, the MTGE identifies itself by serial number and connects to a specific orchestrator URL.
sudo edge-bootstrap setup \
--serial <SERIAL_NUMBER> \
--orchestrator-url <ORCHESTRATOR_URL>
| Parameter | Description | Where to find it |
|---|---|---|
| --serial | The MTGE serial number assigned during registration | From the "Add MTGE" dialog in the Shared Gateways page |
| --orchestrator-url | The orchestrator's API URL | Provided by your SecureLink administrator |
The CLI will prompt for the deployment password, which is generated when the MTGE is registered in the UI.
What happens during MTGE bootstrap
- The MTGE registers with the orchestrator using its serial number
- Certificate provisioning validates the device by its serial number (not a GUID)
- X.509 certificates are installed for MQTT authentication
- The MTGE agent containers start and connect to the orchestrator
MTGE uses the same VPP platform as dedicated edges. The same performance characteristics apply — DPDK provides 10 Gbps+ throughput while AF_PACKET provides 1–5 Gbps.
Post-Bootstrap Workflow
After the MTGE completes bootstrap, it goes through an approval workflow before it can serve tenants:
1. MTGE Appears in Pending State
The MTGE connects to the orchestrator and begins sending keepalive messages. In the SecureLink web UI, navigate to Shared Gateways. The device appears in the Pending tab.
2. Approve the MTGE
An administrator reviews the pending MTGE and approves it. Once approved, the MTGE moves to the active devices list and is ready for tenant assignment.
3. Assign Tenants
After approval, tenants can be assigned to the MTGE through the UI:
- Navigate to the MTGE detail page
- Open the Tenants tab
- Click Assign Tenant to add a tenant to the gateway
Each assigned tenant receives:
- Isolated VRF for network segmentation
- Dedicated WireGuard instances (wg0, wg1)
- Subnet allocations for the tenant's network
- Optional internet breakout (per-tenant toggle)
4. Configure Tenant Networks
Once a tenant is assigned, configure their network through the standard edge configuration interface. The orchestrator publishes per-tenant batch configs to VSR/{serialNumber}/batch/{tenantId}, and the MTGE agent applies them within the correct VRF context.
Verification
Check that the MTGE is running and VPP interfaces are active:
# DPDK mode
ssh edge@<MTGE_IP> "sudo docker exec vpp-agent vppctl show interface"
# Expect: G0, G1 (GigabitEthernet interfaces)
# AF_PACKET mode
ssh edge@<MTGE_IP> "sudo docker exec vpp-agent vppctl show interface"
# Expect: host-ens33, host-ens34 (host interfaces)
Check VRF tables (after tenants are assigned):
ssh edge@<MTGE_IP> "sudo docker exec vpp-agent vppctl show ip fib summary"
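The interface check above can be scripted so that a missing or down interface fails loudly. This is an added example, not part of the SecureLink tooling: the function names are hypothetical, the sample output is constructed, and it assumes the standard VPP `show interface` column layout (name, index, state).

```bash
#!/usr/bin/env bash
# Added example, not part of the SecureLink tooling. Function names are hypothetical.
# Assumes the standard VPP "show interface" layout: interface rows start in
# column 0 as "<name> <idx> <state> ...", header and counter rows are indented.

# Print the interface names the page says to expect for each mode.
expected_interfaces() {
    case "$1" in
        dpdk)     echo "G0 G1" ;;
        afpacket) shift; [ "$#" -gt 0 ] || return 2
                  printf 'host-%s\n' "$@" ;;   # VPP names AF_PACKET ports host-<nic>
        *)        echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Read "vppctl show interface" output on stdin; succeed only if every
# interface named in the arguments is present and in state "up".
check_vpp_interfaces() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^[^ \t]/ { state[$1] = $3 }          # interface rows only
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (!(name in state))         { print "MISSING " name; rc = 1 }
                else if (state[name] != "up") { print "DOWN " name;    rc = 1 }
                else                          { print "OK " name }
            }
            exit rc
        }'
}

# Constructed sample output (AF_PACKET mode, second NIC down).
sample_output() {
    cat <<'EOF'
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
host-ens33                        1      up          9000/0/0/0     rx packets                  1204
                                                                    rx bytes                   98112
host-ens34                        2     down         9000/0/0/0
local0                            0     down          0/0/0/0
EOF
}

# Offline demo; on a live device pipe the ssh command from this section instead.
sample_output | check_vpp_interfaces $(expected_interfaces afpacket ens33 ens34) \
    || echo "verification failed: fix the interfaces listed above"
```

On a live MTGE, replace `sample_output` with the `ssh edge@<MTGE_IP> "sudo docker exec vpp-agent vppctl show interface"` command shown above.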
Troubleshooting
MTGE not appearing in Pending tab
- Verify the MTGE can reach the orchestrator URL
- Check MQTT connectivity: sudo docker logs vpp-agent
- Confirm the serial number matches what was registered in the UI
Tenant assignment fails
- Ensure the MTGE is in approved status (not pending)
- Check available VRF slots on the MTGE
Per-tenant config not applying
- Verify the tenant is assigned and active on the MTGE
- Check the MQTT topic: config is published to VSR/{serial}/batch/{tenantId}
- Review agent logs for per-tenant batch processing errors