To create the management VPN, configure an IPsec VPN in the SDDC and another one in your on-premises datacenter. The management gateway connects these two VPNs and provides a common set of firewall rules and DNS services.


  1. Log in to the VMC Console at
  2. On Network tab of your SDDC, click ACTIONS > Configure Management Gateway.
  3. Complete the Management Gateway VPN configuration.



    VPN Name

    Enter a name for the VPN.

    Remote Gateway Public IP

    Enter the IP address of your on-premises gateway.

    Remote Gateway Private IP

    If your on-premises gateway is behind NAT, provide the private IP address of the gateway.

    Remote Networks

    Enter the address of your on-premises management network.

    Local Gateway IP

    Displays the public IP address of the management gateway. This is not an editable field.

    Local Network

    Displays the CIDR block of the management subnet for the management gateway. This is not an editable field.


    Select AES-256.

    Perfect Forward Secrecy

    Select Enabled

    Diffie Hellman

    Select a Diffie Hellman group. Ensure that you use a group that your on-premises VPN gateway supports.

    Pre-Shared Key

    Enter a pre-shared key. The key is a string with a maximum length of 128 characters that is used by the two ends of the VPN tunnel to authenticate with each other.

    Click SAVE to save this configuration and create the VPN.

    After the system creates the VPN in the SDDC, you can click ACTIONS to Edit or Disable the VPN. When the VPN has a status of Connected, you can click VPN Status Detail to view VPN tunnel status and statistics.

  4. Download the SDDC management VPN configuration details.

    Under Remote VPN Config File, click Download to download a configuration file that you can use when you configure the on-premises side of this VPN.

What to do next

Configure the on-premises side of the management VPN.