Configure a compute VPN to allow VMs in your SDDC to communicate securely with VMs in an on-premises data center or within an Amazon VPC.

About this task

Create a compute gateway VPN allows you to deploy hybrid application architectures in which some VMs in the application are in your on-premises data center or on Amazon EC2, while others are in your cloud SDDC.


Configuring a compute VPN requires the following:

  • An on-premises router or firewall capable of terminating an IPsec VPN, such as Cisco ISR, Cisco ASA, CheckPoint Firewall, Juniper SRX, NSX Edge, or any other device capable of IPsec tunneling.

  • The router or firewall should be configured with cryptography settings as described in Recommended On-Premises VPN Settings.

  • If your on-premises gateway is behind another firewall, allow IPsec VPN traffic to pass through the firewall to reach your device by doing the following:

    • Open UDP port 500 to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall.

    • Set IP protocol ID 50 to allow IPsec Encapsulating Security Protocol (ESP) traffic to be forwarded through the firewall.

    • Set IP protocol ID 51 to allow Authentication Header (AH) traffic to be forwarded through the firewall.


  1. Configure the Compute Gateway side of the tunnel.
    1. Log in to the VMC Console at
    2. Navigate to the Networking tab of your SDDC.
    3. Under Compute Gateway, click IPsec VPNs and then Add VPN.
    4. Complete the Compute Gateway VPN configuration.



      VPN Name

      Enter a name for the VPN.

      Remote Gateway Public IP

      Enter the public IP address of your on-premises gateway.

      Remote Gateway Private IP

      If your gateway device is behind NAT, enter the private IP address of your on-premises gateway.

      Remote Networks

      Enter the address of your on-premises compute network.

      Local Gateway IP

      Displays the IP address of the SDDC compute gateway. This is not an editable field.

      Local Network

      Select the logical network to connect to using this VPN. If the logical network uses DHCP and you have configured an on-premises DNS server, also select the cgw-dns-network to allow DNS requests to travel over the VPN.


      Select AES-256.

      Perfect Forward Secrecy

      Select Enabled.

      Diffie Hellman

      Select a Diffie Hellman group. Ensure that you use the same group in your on-premises VPN gateway settings.

      Pre-Shared Key

      Enter a pre-shared key. The key is a string with a maximum length of 128 characters that is used by the two ends of the VPN tunnel to authenticate with each other.

    5. (Optional) Under VPN Peer Configuration, click Download to download a configuration file listing the configuration parameters needed to configure your on-premises gateway.
  2. Configure the on-premises side of the tunnel.
    1. Consult the documentation for your gateway or firewall device to learn how to configure it to match the VPN settings you've configured.

      Configuration of the gateway device in your on-premises data center might need to be performed by a member of your networking team.

    2. If you selected as Local Network a non-default logical network that uses DHCP, configure the on-premises side of the tunnel of connect to local_gateway_ip/32 in addition to the Local Gateway IP address. This allows DNS requests to be routed over the VPN.


When the VPN tunnel is configured, you should be able to verify connectivity in the VMC Console.