To create the management VPN, configure an IPsec VPN in the SDDC and another one in your on-premises datacenter. The management gateway connects these two VPNs and provides a common set of firewall rules and DNS services..

About this task

Creating a management VPN allows you to securely access the vCenter Server system and Content Library deployed in your SDDC. You don't have to set up a VPN connection, but transferring virtual machine templates and disk images into your SDDC in the cloud is easier if you do.


Configuring a management VPN requires the following:

  • An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, CheckPoint Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.

  • The router or firewall should be configured with cryptography settings as described in Recommended On-Premises VPN Settings.

  • If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through the firewall to reach your device by doing the following:

    • Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.

    • Set IP protocol ID 50 to allow IPsec Encapsulating Security Protocol (ESP) traffic to be forwarded through the firewall.

    • Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.


  1. Configure the Management Gateway (SDDC) side of the VPN.
    1. Log in to the VMC Console at
    2. Navigate to the Network tab of your SDDC.
    3. Under Management Gateway, click IPsec VPNs and then Add VPN.
    1. Complete the Management Gateway VPN configuration.



      VPN Name

      Enter a name for the VPN.

      Remote Gateway Public IP

      Enter the IP address of your on-premises gateway.

      Remote Gateway Private IP

      If your on-premises gateway is behind NAT, provide the private IP address of the gateway.

      Remote Networks

      Enter the address of your on-premises management network.

      Local Gateway IP

      Displays the public IP address of the management gateway. This is not an editable field.

      Local Network

      Displays the CIDR block of the management subnet for the management gateway. This is not an editable field.


      Select AES-256.

      Perfect Forward Secrecy

      Select Enabled

      Diffie Hellman

      Select a Diffie Hellman group. Ensure that you use the same group in your on-premises VPN gateway settings.

      Pre-Shared Key

      Enter a pre-shared key. The key is a string with a maximum length of 128 characters that is used by the two ends of the VPN tunnel to authenticate with each other.

    2. (Optional) Under VPN Peer Configuration, click Download to download a configuration file listing the configuration parameters needed to configure your on-premises gateway.
  2. Configure the on-premises side of the VPN.

    Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team. Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you've configured.


    You must configure the on-premises VPN as policy-based. Route-based VPNs are not supported by VMware Cloud on AWS.

What to do next

Configure firewall rules for your VPN connection using the Firewall Rules Accelerator: Use the Firewall Rules Accelerator to Set Up Firewall Rules.

After the VPN is configured and firewall rules are set up, verify connectivity in the VMC Console.