Adding Members
Members are the edges that participate in a peering group. Each member gets a tunnel endpoint and exchanges encrypted traffic with its peers.
Adding a Member
- Navigate to the peering detail page by clicking on a peering group in the list.
- In the Members section, click Add Member.
- Fill in the fields in the modal and click Add.
Modal Fields
Edge
Select an edge from the dropdown. Only edges belonging to your tenant that are not already members of this peering group are shown.
Role
The role determines how the edge participates in the topology:
| Role | Used In | Description |
|---|---|---|
| Hub | Hub-Spoke | Central edge that peers with all spokes. Only one hub per group. |
| Spoke | Hub-Spoke | Connects only to the hub edge. |
| Mesh Peer | Mesh, Partial Mesh | Peers with other members according to topology rules. |
The available roles depend on the topology type of the peering group. For mesh and partial-mesh topologies, the only available role is mesh-peer. For hub-spoke, you assign either hub or spoke.
WAN Interface
Select which WAN port on the edge should be used for the primary tunnel. This is relevant for edges with multiple WAN connections, allowing you to control which uplink carries peering traffic.
Peer With (Partial Mesh Only)
For partial-mesh topologies, a set of checkboxes appears listing all existing members in the group. Select the members that this new edge should peer with. Links are created only to the selected members.
In mesh and hub-spoke topologies, this field does not appear because links are calculated automatically.
What Happens When You Add a Member
When you add a member, several things happen automatically:
- Tunnel keys are generated -- For WireGuard peerings, a Curve25519 public/private key pair is created. For IPSec peerings, AES-256-GCM Security Association (SA) keys and SPIs are generated for each link direction.
- Tunnel IP is allocated -- An IP address is assigned from the peering group's tunnel subnet.
- Links are calculated -- In mesh topology, links to all existing members are created. In hub-spoke, a link to the hub is created. In partial-mesh, links are created to the members you selected.
- Configuration is pushed -- The new member's edge receives its tunnel configuration via MQTT. All affected peer edges also receive updated configurations to include the new member.
Members Table
The members table on the peering detail page shows the following for each member:
| Column | Description |
|---|---|
| Edge Name | The name of the member edge |
| Role | Hub, Spoke, or Mesh Peer |
| Tunnel IP | The IP address allocated from the tunnel subnet |
| Status | Current tunnel status. For WireGuard peerings, shows the last handshake timestamp. For IPSec peerings, shows SA Active or SA Pending. |
| BGP State | BGP session state (if BGP is enabled) |
| BFD State | BFD session state (if BFD is enabled) |
| Actions | Remove member |
Removing a Member
To remove a member, click the Remove action on the member row. This:
- Removes all links involving this member
- Cleans up tunnel configuration on the removed edge
- Updates configuration on all remaining peers that were connected to this member
- Releases the tunnel IP back to the subnet pool
Adding or removing members on a live peering group causes configuration changes to be pushed to all affected edges. Existing tunnels between other members may briefly reconnect as they receive updated peer lists. Plan changes during a maintenance window if tunnel stability is critical.