Specify local (SDDC) and remote (on-premises) IP addresses to create the SDDC end of the Layer 2 VPN tunnel.


This topic explains how to create a Layer 2 VPN that connects to the SDDC's default public or private IP. If you have an SDDC with additional Tier-1 gateways (see Add a Tier-1 Gateway), you can click OPEN NSX MANAGER and add VPN services that terminate on those gateways. See Adding VPN Services in the NSX Data Center Administration Guide.

VMware Cloud on AWS supports a single Layer 2 VPN tunnel between your on-premises installation and your SDDC.


  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
    You can also use the VMC Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.
  4. Click VPN > Layer 2.
  5. Click ADD VPN TUNNEL.
  6. Configure the VPN parameters.
    Option              Description
    Local IP Address    
    Remote Public IP    Enter the remote public IP address of your on-premises L2VPN gateway. For an L2VPN, this is always the standalone NSX Edge appliance (see Install and Configure the On-Premises NSX Edge).
    Remote Private IP   Enter the remote private IP address if the on-premises gateway is configured behind NAT.
    Note: To reduce the maximum segment size (MSS), TCP MSS clamping is always enabled for Layer 2 VPNs in SDDC version 1.15 and later.
  7. (Optional) Tag the VPN.

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

  8. (Optional) Add a Description.
  9. Click SAVE.
    Depending on your SDDC environment, the Layer 2 VPN creation process might take a few minutes. When the Layer 2 VPN tunnel becomes available, the status changes to Up.