The Cloud Virtual Private Network (VPN) enables a VPNC-compliant IPsec VPN connection between VMware and Non VMware SD-WAN Sites. It also reports the health of each site (up or down status) in real time.

Cloud VPN supports the following traffic flows:

  • Branch to Non VMware SD-WAN Site
  • Branch to SD-WAN Hub
  • Branch to Branch VPN

The following figure shows all three Cloud VPN traffic flows. The numbers in the image correspond to the descriptions in the table that follows.

Number (from above image)    Description
red-1                        Non VMware SD-WAN Site
red-2                        Branch to SD-WAN Hub
red-3                        Branch to Branch VPN
red-4                        Branch to Non VMware SD-WAN Site
red-5                        Branch to Non VMware SD-WAN Site

Branch to Non VMware SD-WAN Site

Branch to Non VMware SD-WAN Site supports the following configurations:

  • Connect to Customer Data Center with Existing Firewall VPN Router
  • IaaS
  • Connect to CWS (Zscaler)

Connect to Customer Data Center with Existing Firewall VPN Router

A VPN connection between the VMware Gateway and the data center firewall (any VPN router) provides connectivity between branches (with SD-WAN Edges installed) and Non VMware SD-WAN Sites. This makes insertion easy: no installation is required in the customer Data Center.

The following figure shows a VPN configuration:

Number (from above image)    Description
red-1                        Primary tunnel
red-2                        Redundant tunnel
red-3                        Secondary VPN Gateway

VMware supports VPN connectivity to the following third-party firewalls:

  • Cisco ASA
  • Cisco ISR
  • Palo Alto
  • SonicWall
  • Generic Router (Router Based VPN)
  • Generic Firewall (Policy Based VPN)

For information on how to configure a Branch to Non VMware SD-WAN Site, see Configure a Non VMware SD-WAN Site.

When configuring with Amazon Web Services (AWS), use the Generic Firewall (Policy Based VPN) option in the Non VMware SD-WAN Site dialog box.

Configuring with a third party can benefit you in the following ways:

  • Eliminates the need for mesh tunnels
  • Lower cost
  • Assured performance

VMware Cloud VPN is simple to set up (the global network of SD-WAN Gateways eliminates the need for mesh tunnels to VPCs), provides a centralized policy to control branch access to VPCs, assures performance, and secures connectivity as compared to a traditional WAN to VPC connection.

For information on how to configure using Amazon Web Services (AWS), see the Configure Amazon Web Services section.

Connect to CWS (Zscaler)

Zscaler Web Security provides security, visibility, and control. Delivered in the cloud, Zscaler provides web security with features that include threat protection, real-time analytics, and forensics.

Configuring using Zscaler provides the following benefits:

  • Performance: traffic goes direct to Zscaler (Zscaler via the Gateway)
  • Simplified proxy management: instead of complex proxy configuration, a simple click enables policy-aware forwarding to Zscaler

Branch to SD-WAN Hub

The SD-WAN Hub is an Edge deployed in a Data Center so that branches can access Data Center resources. You must set up your SD-WAN Hub in the SD-WAN Orchestrator. The SD-WAN Orchestrator notifies all the SD-WAN Edges about the Hubs, and the SD-WAN Edges build secure overlay multi-path tunnels to the Hubs.

The following figure shows how both Active-Standby and Active-Active are supported.

Branch to Branch VPN

Branch to Branch VPN supports configurations for establishing a VPN connection between branches for improved performance and scalability.

Branch to Branch VPN supports two configurations:

  • Cloud Gateways
  • SD-WAN Hubs for VPN

The following figure shows Branch to Branch traffic flows for both a Cloud Gateway and an SD-WAN Hub.

You can also enable Dynamic Branch to Branch VPN for both Cloud Gateways and Hubs.

You can access the 1-click Cloud VPN feature in the SD-WAN Orchestrator from Configure > Profiles > Device Tab in the Cloud VPN area.

Note: For step-by-step instructions to configure Cloud VPN, see Configure Cloud VPN.