Applying a Config Template
When you provision a new edge, the selected config template is applied automatically. This page explains what happens during template application and the order of operations.
When Templates Are Applied
Templates are applied during initial edge provisioning, when an edge is registered and associated with a template. Template application is a one-time operation that creates the edge's initial configuration. After application, the edge's configuration is independent of the template: changing the template does not retroactively update previously provisioned edges.
Application Order
The template is applied in a specific order to respect dependencies between configuration sections:
| Step | Section | What Happens |
|---|---|---|
| 1 | Physical Ports | Hardware port configuration created (type, MTU, enabled state) |
| 2 | Logical Ports | Logical interfaces created with IP addressing, roles, and VRF assignment |
| 3 | Static Routes | Route entries created, referencing logical interfaces by name |
| 4 | SNAT Rules | Source NAT rules created, bound to outgoing logical interfaces |
| 5 | DNAT Rules | Port forwarding rules created with public/private IP:port mappings |
| 6 | DHCP Pools | DHCP pool entries created, linked to logical interfaces |
| 7 | IoT Gateway (wg0) | WireGuard keypair generated and encrypted, tunnel configured |
| 8 | App VPN (wg1) | App VPN server enabled (WireGuard keypair or IKEv2 certificates generated) |
| 9 | SSH Remote Access | Reverse tunnel port allocated, SSH tunnel provisioned |
| 10 | IPFIX / Flowprobe | Flow export configuration created |
BGP configuration (AS number and router ID) is stored as part of the template and used when E2E Peering tunnels are configured on the edge.
What Gets Generated
Several items are generated automatically during template application — they are not stored in the template itself:
WireGuard Keys (wg0)
An X25519 keypair is generated for the IoT gateway tunnel. The private key is encrypted with AES-256-GCM (PBKDF2 key derivation) before storage in the database. The public key is distributed to connecting peers.
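How the generate-then-encrypt step described above could look in Node.js, as an added example rather than the platform's own code. The iteration count, salt size, record layout, passphrase source and the binding of the edge ID as AAD are assumptions; the page specifies only X25519, AES-256-GCM and PBKDF2.

```javascript
// Added example, not the platform's code. Values marked "assumed" are not from the page.
const { generateKeyPairSync, pbkdf2Sync, randomBytes,
        createCipheriv, createDecipheriv } = require("node:crypto");

const ITERATIONS = 600000; // assumed PBKDF2-HMAC-SHA256 work factor
const SALT_LEN = 16;       // assumed per-record random salt
const NONCE_LEN = 12;      // 96-bit GCM nonce, fresh for every encryption
const TAG_LEN = 16;        // full-length GCM authentication tag

// Generate an X25519 keypair; return raw 32-byte keys in WireGuard's base64 form.
function generateWgKeypair() {
  const { publicKey, privateKey } = generateKeyPairSync("x25519");
  const raw = (key, field) =>
    Buffer.from(key.export({ format: "jwk" })[field], "base64url").toString("base64");
  return { publicKey: raw(publicKey, "x"), privateKey: raw(privateKey, "d") };
}

// Encrypt the private key for database storage. The edge ID is bound as AAD
// (assumed design choice) so a record moved to another edge's row fails to decrypt.
function sealPrivateKey(privateKeyB64, passphrase, edgeId) {
  const salt = randomBytes(SALT_LEN);
  const nonce = randomBytes(NONCE_LEN);
  const key = pbkdf2Sync(passphrase, salt, ITERATIONS, 32, "sha256");
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(edgeId, "utf8"));
  const ct = Buffer.concat([cipher.update(privateKeyB64, "utf8"), cipher.final()]);
  // Assumed record layout: salt || nonce || tag || ciphertext, base64-encoded.
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt a stored record. Throws if the passphrase, edge ID or any byte is wrong.
function openPrivateKey(recordB64, passphrase, edgeId) {
  const rec = Buffer.from(recordB64, "base64");
  if (rec.length <= SALT_LEN + NONCE_LEN + TAG_LEN) throw new Error("record too short");
  const salt = rec.subarray(0, SALT_LEN);
  const nonce = rec.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = rec.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const key = pbkdf2Sync(passphrase, salt, ITERATIONS, 32, "sha256");
  const decipher = createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(edgeId, "utf8"));
  decipher.setAuthTag(tag);
  const ct = rec.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```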
App VPN Configuration (wg1)
- WireGuard protocol: A separate keypair is generated and encrypted
- IKEv2 protocol: X.509 certificates are generated via the platform's CA. The certificate bundle (CA cert, server cert, encrypted private key) is stored securely and distributed to the edge via batch configuration.
SSH Tunnel Port
A unique reverse tunnel port is allocated from the available pool. This port is used by the SSH bastion to reach the edge for remote management.
After Application
Once the template is applied:
- The edge's configuration is created in the database
- The configuration is marked as dirty (pending sync)
- On the next sync (manual or automatic), the full configuration is pushed to the edge as a batch
- The edge applies the configuration in dependency-ordered phases
- The edge confirms successful application with a configuration hash
You can view and modify the edge's configuration independently from the template via the Edge Detail > Configuration page.
Modifying After Application
Template application is a one-time operation. To change the edge's configuration after provisioning:
- Edit individual settings on the Edge Detail page
- Changes are tracked independently of the original template
- Use Sync Config to push updates to the edge
To provision another edge with the same configuration, apply the same template (or a modified copy) during its provisioning.