Managing Links (Partial Mesh)
Links represent encrypted tunnel connections between two member edges in a peering group. Each link creates a bidirectional tunnel between a pair of members, using either WireGuard or IPSec depending on the peering group's tunnel protocol.
Auto-Managed vs. Manual Links
How links are managed depends on the topology type:
| Topology | Link Management |
|---|---|
| Mesh | Fully automatic. Links are created and removed as members are added or removed. You do not need to manage links manually. |
| Hub-Spoke | Fully automatic. Each spoke is linked to the hub. Adding a spoke creates a link to the hub; removing a spoke removes it. |
| Partial Mesh | Manual. You control exactly which edges connect by adding and removing links individually. |
The rest of this page applies primarily to partial-mesh topologies. If you are using mesh or hub-spoke, links are handled for you automatically.
Adding a Link
- On the peering detail page, click Add Link.
- In the modal, select two member edges from the dropdowns.
- Click Add.
A bidirectional encrypted tunnel is created between the two selected edges. Both edges receive updated configurations immediately. For IPSec peerings, unique Security Association (SA) keys and SPIs are generated for each direction of the link.
If dual tunnel redundancy is enabled on the peering group, adding a link creates both a primary tunnel (wg2) and a secondary tunnel (wg3) between the two edges.
Removing a Link
Click the trash icon on a link row to remove it. This deletes the tunnel connection between the two edges.
- Both tunnel directions are removed (Edge A to Edge B and Edge B to Edge A).
- If dual tunnel is enabled, both the primary and secondary tunnels are removed.
- Configuration is pushed to both affected edges to clean up the tunnel.
Only the two edges involved in the link are affected. Other members and their links remain unchanged.
Links Table
The links table displays all connections in the peering group:
| Column | Description |
|---|---|
| Edge A | First edge in the link pair |
| Edge B | Second edge in the link pair |
| Status | Whether the tunnel is up or down. For IPSec peerings, shows SA: Established or SA: Down. |
| Tunnel Index | Primary (0) or Secondary (1) -- shown when dual tunnel is enabled |
| Actions | Remove link (partial-mesh only) |
Isolated Member Warning
If a member in a partial-mesh peering group has zero links, an informational banner is displayed warning that the member is not connected to any peers. An isolated member has a tunnel endpoint configured but no traffic will flow because there are no peer connections.
This typically means you either forgot to add links when adding the member, or all of the member's links have been removed.
Partial mesh is ideal when you need specific traffic flow patterns. For example:
- All branch offices connect to two regional datacenters, but branches do not connect to each other.
- A set of sites forms a regional cluster, connected to a central hub, but clusters do not interconnect directly.
- You need to add or remove specific connections without affecting the rest of the topology.
If you find yourself linking every member to every other member, consider switching to a mesh topology instead -- it handles this automatically.