USG FLEX 50H Auto VPN Limit (5 tunnels) – How to connect only selected sites in a 13-site Nebula net

issac

We are currently using the Nebula platform to manage many of our sites. Some of these sites are still running OPNsense firewalls. Our long-term plan is to migrate all non-Zyxel firewall devices to Zyxel devices. For this reason, we recently purchased additional Zyxel devices for our organization.

For smaller sites, we plan to deploy the USG FLEX 50H with the Gold Security Bundle.

At the moment, our VPN environment consists of 13 different locations connected via site-to-site VPN in Auto mode. All VPN connections are currently managed through the Nebula platform, although some of the sites are still using OPNsense devices.

The challenge we are facing is related to the VPN connection limit of the new USG FLEX 50H series. These devices support a maximum of 5 VPN connections. However, our current network includes 13 locations. When we configure Auto VPN, the device attempts to establish connections to all available sites one by one. In practice, this is not necessary for our network design.

In our case, it would be sufficient if certain sites could connect only to specific locations instead of establishing connections with every site in the network.

Therefore, we would like to ask the following questions:

1. Is it possible to add new USG FLEX 50H devices to our existing VPN environment without changing the current VPN topology?
2. Within the Auto VPN configuration, is it possible to control which sites connect to each other? In other words, instead of each device automatically creating VPN connections to all 13 locations, can we configure the USG FLEX 50H to establish VPN connections only with selected sites?

Ideally, we would like to integrate these new devices into our Nebula-managed network while limiting their VPN connections only to the required locations.

We would appreciate your guidance on whether this type of configuration is supported and what the recommended approach would be.