The VeloCloud Partner Gateway provides different configuration options. The worksheet below should be prepared before the installation of the Gateway.

This section explains this worksheet.


  • Version
  • OVA/QCOW2 file location
  • Activation Key
  • VCO (IP ADDRESS/vco-fqdn-hostname)
  • Hostname
Hypervisor address/cluster name Address/Cluster name
Storage Root volume datastore (>40GB recommended)
CPU Allocation CPU Allocation for KVM/VMware.
Installation Selections DPDK (YES/NO)
OAM Network ( Optional See Custom Configurations)
  • DHCP
  • OAM IPv4 Address
  • OAM IPv4 Netmask
  • DNS server - primary
  • DNS server - secondary
  • Static Routes
ETH0 – Internet Facing Network
  • IPv4 Address
  • IPv4 Netmask
  • IPv4 Default gateway
  • DNS server - primary
  • DNS server - secondary
Handoff (ETH1) - Network
  • MGMT VRF IPv4 Address
  • MGMT VRF IPv4 Netmask
  • MGMT VRF IPv4 Default gateway
  • DNS server - primary
  • DNS server - secondary
  • Handoff ( QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad)
  • C-TAG
  • S-TAG
Console access
  • Console_Password
  • SSH:
    • Enabled (yes/no)
    • SSH public key
NTP ( Optional see Custom Configuration Section)
  • Public NTP:
    • server
    • server
    • server
    • server
  • Internal NTP server - 1
  • Internal NTP server - 2

VCG Section

Most of the VCG section is self-explanatory.

  • Version - Should be same or lower than VCO
  • OVA/QCOW2 file location - Plan ahead the file location and disk allocation
  • Activation Key
  • VCO (IP ADDRESS/vco-fqdn-hostname)
  • Hostname - Valid Linux Hostname “RFC 1123”

Creating a Gateway and Getting the Activation Key

  1. Go to Operator > Gateway Pool and create a new VeloCloud Gateway pool. For running VeloCloud Gateway in the Service Provider network, check the Allow Partner Gateway checkbox. This will enable the option to include the partner gateway in this gateway pool.


  2. Go to Operator > Gateway and create a new gateway and assign it to the pool. The IP address of the gateway entered here must match the public IP address of the gateway. If unsure, you can run curl from the VCG which will return the public IP of the VCG.


  3. Make a note of the activation key and add it to the worksheet.


Enable Partner Gateway Mode

  1. Go to Operator > Gateways and select the VeloCloud Gateway. Check the Partner Gateway checkbox to enable the Partner Gateway.


    There are additional parameters that can be configured. The most common are the following:

    Advertise with no encrypt


This option will enable the Partner Gateway to advertise a path to Cloud traffic for the SAAS Application. Since the Encrypt Flag is off, it will be up to the customer configuration on the business policy to use this path or not.

The second recommend option is to advertise the VCO IP as a /32 with encrypt


This will force the traffic that is sent from the Edge to the VCO to take the Gateway Path. This is recommended since it introduces predictability to the behavior that the VCE takes to reach the VCO.

Installation Selection

Installation Selections DPDK (YES/NO)

DPDK is optional but necessary for higher throughput. To Enable DPDK, you need to have SR-IOV support. Before starting your installation, decide if you are planning to enable DPDK. To enable or disable DPDK, contact VeloCloud Support.


Important: The following procedure and screenshots focus on the most common deployment, which is the 2-ARM installation for the Gateway. The addition of an OAM network is considered in the section titled, OAM Interface and Static Routes.


The diagram above is a representation of the VeloCloud Gateway in a 2-ARM deployment. In this example, we assume eth0 is the interface facing the public network (Internet) and eth1 is the interface facing the internal network (handoff or VRF interface).

Note: A Management VRF is created on the VCG and is used to send a periodic ARP refresh to the default gateway IP to check that the handoff interface is physically up and speed ups the failover time. It is recommended that a dedicated VRF is set up on the PE router for this purpose. Optionally, the same management VRF can also be used by the PE router to send an IP SLA probe to the VCG to check for VCG status (VCG has a stateful ICMP responder that will respond to ping only when its service is up).If a dedicated Management VRF is not set up, then you can use one of the customer VRFs as a Management VRF, although this is not recommended.

For the Internet Facing network, you only need the basic network configuration.

ETH0 – Internet Facing Network
  • IPv4_Address
  • IPv4_Netmask
  • IPv4_Default_gateway
  • DNS_server_primary
  • DNS_server_secondary

For the Handoff interface, you must know which type of handoff you want to configure and the Handoff configuration for the Management VRF.

ETH1 – HANDOFF Network
  • MGMT_IPv4_Address
  • MGMT_IPv4_Netmask
  • MGMT_IPv4_Default gateway
  • DNS_Server_Primary
  • DNS_Server_Secondary
  • Handoff (QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad)

Console Access

Console access
  • Console_Password
  • SSH:
    • Enabled (yes/no)
    • SSH public key

In order to access the Gateway, a console password and/or a SSH public key must be created.

Cloud-Init Creation

The configuration options for the gateway that we defined in the worksheet are used in the cloud-init configuration. The cloud-init config is composed of two main configuration files, the metadata file and the user-data file. The meta-data contains the network configuration for the Gateway, and the user-data contains the Gateway Software configuration. This file provides information that identifies the instance of the VeloCloud Gateway being installed.

Below are the templates for both Meta_data and User_data files.

Fill the templates with the information in the worksheet. All #_VARIABLE_# need to be replaced, also check any #ACTION#

Important: The template assumes you are using static configuration for the interfaces. It also assumes that you are either using SR-IOV for all interfaces or none. See section titled, OAM - SR-IOV with vmxnet3 or SR-IOV with VIRTIO for this. The templates are also available in the git repository at: git clone It is recommended that you get the templates from repository instead of copying and pasting from this document.

meta-data (git ./vcg/samples/VCG_2ARM/meta-data)

instance-id: #_Hostname_#

local-hostname: #_Hostname_#

network-interfaces: |

auto eth0

iface eth0 inet static

address #_IPv4_Address_#

netmask #_IPv4_Netmask_#

gateway #_IPv4_Gateway_#

dns-nameservers #_DNS_server_primary_# #_DNS_server_secondary_#

auto eth1

iface eth1 inet static

metric '13'

address #_MGMT_IPv4_Address_#

netmask #_MGMT_IPv4_Netmask_#

gateway #_MGMT_IPv4_Gateway_#

dns-nameservers #_DNS_server_primary_# #_DNS_server_secondary_#

user-data (Git /deployment/vcg/samples/VCG_2ARM/user-data)


hostname: #_Hostname_#

password: #_Console_Password_#

chpasswd: {expire: False}

ssh_pwauth: True


- #_SSH_public_Key_#


- 'echo "[]" > /opt/vc/etc/vc_blocked_subnets.json'

- 'sed -iorig "s/wan=\".*/wan=\"eth0 eth1\"/" /etc/config/gatewayd-tunnel'

- '/var/lib/cloud/scripts/per-boot/config_gateway'

- 'sleep 10'

- '/opt/vc/bin/vc_procmon restart'


- path: "/var/lib/cloud/scripts/per-boot/config_gateway"

permissions: "0755"

content: |


import json

import commands

is_activated = commands.getoutput("/opt/vc/bin/")

if "True" in str(is_activated):

print "Gateway already activated"


commands.getoutput("/opt/vc/bin/ -s #_VCO_# #_Activation_Key_#")


with open("/etc/config/gatewayd", "r") as jsonFile:

data = json.load(jsonFile)

data["global"]["vcmp.interfaces"] = ["eth0"]

data["global"]["wan"] = ["eth1"]

# NOTE FOR HAND OFF IT CAN BE "QinQ (0x8100)" "QinQ (0x9100)" "none" "802.1Q" "802.1ad”

data["vrf_vlan"]["tag_info"][0]["mode"] = "#_Handoff_"

data["vrf_vlan"]["tag_info"][0]["interface"] = "eth1"

data["vrf_vlan"]["tag_info"][0]["c_tag"] = "#_C_TAG_FOR_MGMT_VRF_#"

data["vrf_vlan"]["tag_info"][0]["s_tag"] = "#_S_TAG_FOR_MGMT_VRF_"

with open("/etc/config/gatewayd", "w") as jsonFile:

jsonFile.write(json.dumps(data,sort_keys=True,indent=4, separators=(",", ": ")))

### EDIT DPDK ###

with open("/opt/vc/etc/dpdk.json", "r") as jsonFile:

data = json.load(jsonFile)

#SET 0 or 1 for enabled or DISABLED example data["dpdk_enabled"] = 0

data["dpdk_enabled"] = #_DKDP_ENABLED_(1)_OR_DISABLED_(0)_#

with open("/opt/vc/etc/dpdk.json", "w") as jsonFile:

jsonFile.write(json.dumps(data,sort_keys=True,indent=4, separators=(",", ": ")))

final_message: "==== Cloud-init completed ===="


delay: "+1"

mode: reboot

message: Bye Bye

timeout: 30

condition: True

  • VMware recommends to have a proper fully qualified domain name (FQDN) configured for all production Orchestrators so proper TLS certificates may be issued for them.
  • If activation using the Orchestrator’s IP address is the only option, use the following example which instructs the Edge to bypass TLS verification.
    commands.getoutput("/opt/vc/bin/ -s -i #_activation_key_#")
  • This configuration is not recommended for production use and we highly encourage you to reactivate against the Orchestrator’s hostname at the soonest possible.
Note: Always validate user-data and metadata, using for example. - The metadata should also be a valid network configuration under the network-interface section, this section will be the /etc/network/interfaces once the cloud-init completes. - Sometimes when working with the Windows/Mac copy paste feature, there is a danger of introducing Smart Quotes which can corrupt the files. Run this to make sure you are smart quote free
sed s/[”“]/'"'/g /tmp/user-data > /tmp/user-data_new

Create ISO File

Once you have completed your files, they need to be packaged into an ISO image. This ISO image is used as a virtual configuration CD with the virtual machine. This ISO image, called vcg01-cidata.iso, is created with the following command on a Linux system:

genisoimage -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data

If you are on a MAC OSX, use the command below instead:

mkisofs -output vcg01-cidata.iso -volid cidata -joliet -rock {user-data,meta-data}

This iso file which we will call #CLOUD_INIT_ISO_FILE# is going to be used in both OVA and VMware installations.