Creating a Peering
To create a new edge peering group, navigate to Network > Edge Peering and click the Create Peering button. A modal will appear with the following configuration fields.
Configuration Fields
Name
A descriptive name for the peering group. Choose something that reflects the purpose or geography of the peering, such as "US East Branch Mesh" or "HQ to Branches".
Topology
Select the topology that matches your network design:
- Mesh -- All members peer with all other members. Links are auto-calculated.
- Hub-Spoke -- One hub peers with all spokes. Spokes do not peer with each other.
- Partial Mesh -- You manually choose which members peer with each other.
Tunnel Protocol
Select the encryption protocol for this peering group:
- WireGuard (default) -- Lightweight, fast handshakes, low overhead. Best for most deployments.
- IPSec (AES-256-GCM) -- Industry-standard encryption with manual rekey controls. Choose when compliance requirements mandate IPSec or when integrating with IPSec-only networks.
The tunnel protocol applies to all members and links in the peering group. You cannot mix WireGuard and IPSec within the same group.
Rekey Interval (IPSec Only)
Only shown when tunnel protocol is IPSec.
The interval in hours between automatic Security Association (SA) rekeying. Rekeying generates new encryption keys for all links in the group, maintaining forward secrecy.
Default: 24 hours. Range: 1 to 8,760 hours (1 year).
Shorter intervals provide better forward secrecy but cause brief reconvergence. For most environments, the 24-hour default is appropriate.
Tunnel Subnet
The IP range used for tunnel addresses. Each member is allocated an IP from this subnet for the primary tunnel interface. Use a private range that does not overlap with your existing network.
Example: 10.100.0.0/24 provides up to 254 tunnel addresses.
Listen Port
The listen port for the primary tunnel. All members in the peering group use the same port.
Default: 51820
Ensure this port is allowed through any firewalls between your edge sites. WireGuard uses UDP. IPSec uses UDP encapsulation on the same port.
Redundancy Mode
Controls how many tunnels are created between each pair of members:
| Mode | Description |
|---|---|
| Single | One tunnel per member pair. No redundancy. |
| Active-Standby | Two tunnels per pair. Primary carries traffic; secondary takes over on failure. |
| Active-Active | Two tunnels per pair. Traffic is load-balanced across both. |
Secondary Tunnel Subnet
Only shown when redundancy mode is Active-Standby or Active-Active.
The IP range for the secondary tunnel interface (wg3). Must be a different subnet from the primary tunnel subnet.
Example: If your primary subnet is 10.100.0.0/24, use 10.100.1.0/24 for the secondary.
Secondary Listen Port
Only shown when redundancy mode is Active-Standby or Active-Active.
The listen port for the secondary tunnel. Must be different from the primary listen port.
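The constraints on tunnel subnets, listen ports and the IPSec rekey interval described above can be checked before the modal is filled in. The following is an added example, not part of the product or its API: the field names, the `validate_peering` function and the sample plan are hypothetical, and "different subnet" is interpreted strictly as "must not overlap".

```python
import ipaddress

# Field names are hypothetical; the page describes a UI form, not an API schema.
DUAL_MODES = {"active-standby", "active-active"}

def validate_peering(cfg, existing_networks, member_count):
    """Return a list of problems with a planned peering group (empty list = OK)."""
    errors, nets = [], []
    dual = cfg["redundancy_mode"] in DUAL_MODES
    for key in ["tunnel_subnet"] + (["secondary_tunnel_subnet"] if dual else []):
        try:
            net = ipaddress.ip_network(cfg[key])  # rejects host bits, e.g. 10.1.1.5/24
        except (KeyError, ValueError) as exc:
            errors.append(f"{key}: missing or invalid ({exc})")
            continue
        nets.append(net)
        if not net.is_private:
            errors.append(f"{key}: {net} is not a private range")
        # Usable addresses counted as in the page's example: a /24 gives 254.
        if net.num_addresses - 2 < member_count:
            errors.append(f"{key}: {net} is too small for {member_count} members")
        for other in existing_networks:
            if net.overlaps(ipaddress.ip_network(other)):
                errors.append(f"{key}: {net} overlaps existing network {other}")
    # Assumption: "different subnet" is read strictly as "must not overlap".
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        errors.append("secondary_tunnel_subnet: overlaps the primary tunnel subnet")
    ports = [cfg.get("listen_port", 51820)]
    if dual:
        ports.append(cfg.get("secondary_listen_port"))
    for port in ports:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"listen port {port!r} is not a valid UDP port")
    if dual and ports[0] == ports[1]:
        errors.append("secondary_listen_port: same as the primary listen port")
    # The rekey interval only exists for IPSec groups: default 24, range 1-8760 hours.
    if cfg["tunnel_protocol"] == "ipsec":
        if not 1 <= cfg.get("rekey_interval_hours", 24) <= 8760:
            errors.append("rekey_interval_hours: outside the 1-8760 hour range")
    return errors

if __name__ == "__main__":
    # Constructed sample plan using the subnets from the page's examples.
    plan = {"tunnel_protocol": "wireguard", "redundancy_mode": "active-standby",
            "tunnel_subnet": "10.100.0.0/24", "listen_port": 51820,
            "secondary_tunnel_subnet": "10.100.1.0/24", "secondary_listen_port": 51821}
    print(validate_peering(plan, ["10.0.0.0/16", "192.168.1.0/24"], 5))
```

Pass the subnets already in use at your edge sites as `existing_networks`; an empty result means the plan satisfies every constraint listed in the field descriptions.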
Enable BGP
Toggle to enable BGP (Border Gateway Protocol) dynamic routing between peers. When enabled, edges automatically exchange routes so that subnets behind one edge are reachable from other edges in the peering group.
Enable BGP unless you plan to manage static routes manually. It simplifies route management significantly, especially as your network grows.
Enable BFD
Toggle to enable BFD (Bidirectional Forwarding Detection) for fast failure detection. BFD monitors tunnel health with sub-second intervals and triggers BGP failover much faster than BGP timers alone.
Recommended when BGP is enabled, and strongly recommended for dual tunnel configurations.
After Creation
Once you click Create, the peering group is created but has no members yet. The next step is to add member edges to the group. See Adding Members for details.
If you are unsure which topology to choose, start with Hub-Spoke. It is the simplest topology to manage: pick one central edge as the hub, add your other edges as spokes, and links are handled automatically. You can always create a new peering group with a different topology later if your needs change.
Choose WireGuard unless you have a specific requirement for IPSec. WireGuard has lower overhead, faster handshakes, and simpler key management. Choose IPSec if your organization's security policy mandates it, if you need AES-256-GCM encryption specifically, or if you need explicit control over rekeying intervals.