WAN Edge Role Model
This standard defines the default role split for HybridOps WAN connectivity so the platform does not drift into mixed edge patterns.
Default role split
- On-prem routed edge: VyOS on Proxmox
- Hetzner routed edge: VyOS when Hetzner participates as a routed edge
- Hetzner shared control plane: Linux service host for runners, PowerDNS primary, decision service, and related shared services
- GCP cloud-side routing: Cloud Router + HA VPN + NCC hub
- Azure cloud-side routing: Azure VPN Gateway / cloud-native routing components
Boundaries
- Shared control-plane services MUST NOT run on the routed edge appliances by default.
- platform/network/wan-edge remains only as a deprecated Linux strongSwan/FRR compatibility path.
- New routed-edge product work MUST use the VyOS path instead.
- CSR1000v MAY be used for interoperability and lab validation, but MUST NOT be the default shipped edge path.
- pfSense/OPNsense MAY be used later as firewall variants, but MUST NOT replace VyOS as the default routed-edge standard.
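The boundaries above can be enforced as a CI check over a node inventory. The following is an added example, not HybridOps code: the inventory schema, field names (`role`, `platform`, `services`, `module`, `default`, `new_work`), service labels, and sample nodes are assumptions made for illustration.

```python
# Added example: schema and sample data are constructed, not taken from HybridOps.
CONTROL_PLANE_SERVICES = {"runner", "powerdns-primary", "decision-service"}
DEPRECATED_MODULE = "platform/network/wan-edge"   # path named in this standard
DEFAULT_EDGE_PLATFORM = "vyos"
LAB_ONLY_PLATFORMS = {"csr1000v"}                 # interoperability / lab validation
FIREWALL_ONLY_PLATFORMS = {"pfsense", "opnsense"}  # firewall variants, not routed edge

def check_node(node):
    """Return boundary violations for one inventory node (a dict)."""
    if node["role"] != "routed-edge":
        return []  # only routed-edge nodes are constrained by these rules
    name, platform = node["name"], node["platform"]
    findings = []
    misplaced = CONTROL_PLANE_SERVICES & set(node.get("services", []))
    if misplaced:
        findings.append(f"{name}: shared control-plane services on routed edge: {sorted(misplaced)}")
    if node.get("module") == DEPRECATED_MODULE:
        # The strongSwan/FRR path may remain for compatibility, but not for new work.
        if node.get("new_work", True):
            findings.append(f"{name}: new routed-edge work uses deprecated {DEPRECATED_MODULE}")
    elif platform in FIREWALL_ONLY_PLATFORMS:
        findings.append(f"{name}: {platform} must not replace VyOS as routed edge")
    elif platform in LAB_ONLY_PLATFORMS:
        if node.get("default", True):
            findings.append(f"{name}: {platform} is lab/interop only, not a default edge")
    elif platform != DEFAULT_EDGE_PLATFORM:
        findings.append(f"{name}: routed edge must use VyOS, found {platform}")
    return findings

def check_inventory(nodes):
    """Flatten findings across all nodes; an empty list means no drift."""
    return [finding for node in nodes for finding in check_node(node)]

# Constructed sample inventory (hypothetical node names).
SAMPLE = [
    {"name": "onprem-edge-01", "role": "routed-edge", "platform": "vyos"},
    {"name": "hetzner-ctl-01", "role": "shared-control-plane", "platform": "linux",
     "services": ["runner", "powerdns-primary"]},
    {"name": "hetzner-edge-01", "role": "routed-edge", "platform": "vyos",
     "services": ["powerdns-primary"]},
    {"name": "lab-csr-01", "role": "routed-edge", "platform": "csr1000v", "default": False},
    {"name": "onprem-edge-02", "role": "routed-edge", "platform": "csr1000v"},
    {"name": "legacy-edge-01", "role": "routed-edge", "platform": "linux",
     "module": DEPRECATED_MODULE, "new_work": False},
    {"name": "onprem-edge-03", "role": "routed-edge", "platform": "linux",
     "module": DEPRECATED_MODULE},
]

if __name__ == "__main__":
    print("\n".join(check_inventory(SAMPLE)) or "no drift")
```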
Routing model
- GCP is the primary cloud routing hub via Cloud Router and NCC.
- On-prem and Azure are routed spokes in the target-state hybrid topology.
- Hetzner shared control-plane services sit adjacent to the routing fabric, not inside the GCP NCC control plane.
- Hetzner routed edge peers to the cloud hub through the same network routing contract and policy boundaries.
Product implications
- The default implementation path SHOULD introduce VyOS-specific module and blueprint contracts.
- Generic Proxmox VM lifecycle MUST remain centralized in platform/onprem/platform-vm; VyOS must layer on top of it rather than replacing it.
- Shared control-plane bootstrap SHOULD continue to use Linux-host modules and blueprints.