Every new VMware Cloud on AWS SDDC includes a default Tier-1 gateway named the Compute Gateway (CGW). You can create and configure additional custom Tier-1 gateways if you need them. Each Tier-1 gateway sits between the SDDC Tier-0 gateway and an arbitrary number of compute network segments.

Additional Tier-1 gateways provide a way for an SDDC network administrator to dedicate workload network capacity to specific projects, tenants, or other units of administration within a VMware Cloud on AWS organization.

For more information about SDDC network configurations that include custom Tier-1 gateways, read the VMware Cloud Tech Zone Designlet VMware Cloud on AWS Static Routing on Multiple CGWs (T1s).


  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. Click Tier-1 Gateways > ADD TIER-1 GATEWAY, then give the new gateway a Name and optional Description.
  5. Specify the gateway Type.
    Type Traffic Pattern
    Routed Segment traffic is routed through the new gateway.
    Isolated Segment traffic cannot traverse the new gateway. Local segments can connect with each other. Segments are not added to the routing table.​
    NATted Segment traffic cannot traverse the new gateway until you create NAT rules for it (see Create or Modify NAT Rules). Local segments can connect with each other. Segments are not added to the routing table.​
  6. (Optional) Tag the new gateway.

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

  7. Click SAVE to create or configure the custom Tier-1 gateway.
  8. (Optional) Add a Compute Gateway firewall rule if you have configured DNS services for the custom Tier-1 gateway and want connected workloads to use them.

    You can skip this step if you want workloads attached to the custom Tier-1 gateway to use the default Compute Gateway DNS forwarder.

    Unlike the Compute Gateway, custom Tier-1 gateways do not have a default firewall rule that allows DNS access from connected workloads. You need a rule like this one only if you have created a DNS service for the gateway and want workloads attached to the gateway to use it instead of the default Compute Gateway DNS forwarder.

    Name Sources Destinations Services Applied To Action
    Gateway DNS Forwarder DNS Service IPshown on the DNS Services tab Any DNS-UDP Whatever interface advertises the SDDC network's default route. Typically one of:
    • Internet Interface
    • Intranet Interface
    • VPN Tunnel Interface
  9. (Optional) Configure DHCP services for the gateway.

    You can skip this step if you don't need to enable DHCP address assignment for workloads on the custom Tier-1 gateway.

    Click Set DHCP Configuration to open the DHCP Configuration page. The default DHCP configuration Type for a new gateway is No Dynamic IP Address Allocation. In this configuration, the gateway does not provide DHCP services. If you want the gateway to provide DHCP services, choose a Type of DHCP Server and specify a DHCP Server Profile. You can create a new profile or use an existing one. See Configure Segment DHCP Properties.

  10. (Optional) Configure traffic QoS for the gateway.

    You can skip this step if you don’t need to retrieve QoS statistics for traffic that goes through this custom Tier-1 gateway.

    Click Additional Settings, then select an Ingress QoS Profile and an Egress QoS Profile for traffic limitations. These profiles are used to set information rate and burst size for permitted traffic. See Add a Gateway QoS Profile for more information on creating QoS profiles.VMware Cloud on AWS does not support IPv6, so the ND Profile and DAD Profile options do not apply.

  11. (Optional) Configure static routes for the gateway.

    This option is not available in the VMware Cloud Console Networking & Security tab.

    You can configure a non-default route for any type of custom Tier-1 gateway. A static default route ( can be configured only for an Isolated gateway. On the NSX Manager Networking tab, click Tier-1 Gateways. When you create or edit a Tier-1 gateway, click STATIC ROUTES to create or modify static routes and next hops for the gateway.

  12. (Optional) Create route aggregations if you want the new gateway to be accessible from the Connected VPC or within an SDDC group. (Does not apply to Isolated gateways.)
    Networks connected to a routed or NATted custom Tier-1 gateway won't be reachable from the Connected VPC unless you define a route aggregation that includes the NATted or routed IPs for the custom T1 networks in its Aggregation Prefix List and apply that aggregation to the SERVICES connectivity endpoint.
    Note: A route aggregation for a NATted T1 must use the translated (SNAT) IP.
    In addition, if this SDDC is a member of an SDDC group, you should define a similar route aggregation and apply that aggregation to the INTRANET connectivity endpoint. Route aggregations require Managed Prefix mode and cannot be used with the default configuration for the connected VPC. See Aggregate and Filter Routes to Uplinks.