Anypoint Virtual Private Network

Anypoint VPN (virtual private network) creates a secure connection between your private space and your on-premises network. Anypoint VPN enables apps running in the private space to access resources in your on-premises data centers behind your corporate firewall.

You can create multiple site-to-site VPNs if required.

The number of VPNs you can create depends on the network connection entitlements available to your account. Contact your MuleSoft account representative if you don’t know how many network connection entitlements you have on your account.

Anypoint VPN supports site-to-site Internet Protocol security (IPsec) connections between the private space and the VPN endpoint, a gateway device, a physical or software appliance located in your network.

The MuleSoft side of the connection is an implementation of a virtual private gateway (VGW). The MuleSoft VGW is associated with a single private space but can support up to 10 VPN connections.

MuleSoft implementation capabilities might vary from other VGW offerings.
IPsec Tunnel Overview

To create an Anypoint VPN connection to your network, see Create a Connection to an External Network.

Anypoint VPN Features

Each Anypoint VPN connection consists of two tunnels that enable you to connect to a single public IP address at a remote location. To configure connectivity to an additional public IP address at a remote location, you must create two VPN connections.

Routine maintenance can briefly disable one of the two tunnels of your VPN connection. Your VPN connection automatically fails over to the second tunnel during this time, so access is not interrupted. For this reason, you must configure both tunnels on your endpoint. Tunnel selection depends on your VPN endpoint capabilities and the routing type selection.

The MuleSoft VGW implementation supports a maximum throughput of 1.25 Gbps. Multiple VPN connections to the same private space share the throughput capabilities of a single VGW. The VPN connection throughput depends on several factors, such as the capability of your VPN endpoint, the capacity of the connection, the average packet size, the protocol, and network latency between the gateways.

Anypoint VPN also supports high availability, wherein each Anypoint VPN connection consists of two endpoints to lessen the likelihood of connection failures.

IPsec Settings

Anypoint VPN supports any combination of the following IPsec settings:

  • IKE version 1

  • IKE version 2 for route-based VPNs only

  • AES 128 or 256-bit encryption operating in the CBC and GCM

  • SHA or SHA-2 (256, 384, 512) hashing

  • Diffie-Hellman Phase 1 groups 2, 14-24

  • Diffie-Hellman Phase 2 groups 2, 5, 14-24

  • Timeouts for IKEv1:

    • IKE (Phase 1) Lifetime: 28800 seconds (8 hours)

    • IPsec (Phase 2) Lifetime: 3600 seconds (1 hour)

  • Timeouts for IKEv2:

    • IKE (Phase 1) Lifetime: 28000 seconds (7 hours and 50 minutes)

    • IPsec (Phase 2) Lifetime: 3000 seconds (50 minutes)

Anypoint VPN Routing

Anypoint VPN supports dynamic or static routing for VPN connections.

Dynamic routing

Your device uses Border Gateway Protocol (BGP) to advertise routes to Anypoint VPN.

Use BGP routing if your device supports this protocol.

Static routing

You must specify the routes (subnets) in your network accessible through Anypoint VPN.

You can remove routes for static VPN connections.

Anypoint VPN Routing Limitations

  • A maximum of 95 route table entries is permitted per private space, regardless of the number of VPN connections.

    To avoid exceeding the limit, consolidate networks to the fewest number possible.

  • You can’t add a route that matches a priority route (a route that your private network uses).

  • Only one connection can use a route at a time.

    If you enter a non-local/Internet Gateway (IGW) route to a route table, CloudHub 2.0 warns that another connection uses the route.

  • Routes should not overlap with existing routes.

    You receive a warning if you enter a route that overlaps with another route in the route table.

Anypoint VPN Limitations

Anypoint VPN does not support these features and configurations:

  • Network Address Translation (NAT)

  • IPv6

  • IKEv2 with policy-based VPNs

  • Advertising a default route ( over BGP or static routing

Anypoint VPN Recommendations

  • Adjust the maximum segment size of TCP packets entering the VPN tunnel.

    VPN headers require additional space, which reduces the amount of space available for data.

    To limit the impact of this behavior, configure your endpoint with TCP MSS Adjustment: 1387 bytes.

  • Reset the DF flag on packets.

    Packets might carry a Don’t Fragment (DF) flag, indicating that the packet must not be fragmented. Some VPN devices can override the DF flag and fragment packets unconditionally when required. If available, enable the setting Clear Don’t Fragment (DF) Bit.

VPN High Availability

To ensure your applications and related operations are tolerant to Anypoint VPN updates or issues, or individual customer gateway failures, implement high availability VPN connections. Set up a redundant VPN connection to prevent losing connectivity if another VPN or connection device is unavailable and allow for maintenance downtime.

The redundant VPN inherits some settings from the initial VPN configuration automatically. For example, if the routing type for the initial VPN is dynamic (BGP), the redundant VPN is also dynamic.

Other settings for the redundant VPN, such as the remote ASN for dynamic routing, include the values from the initial VPN, but you can change the values.

To configure a redundant VPN connection, you must:

  • Have two VPN endpoints available in your network that use different public IP addresses.

    Each gateway device supports a single VPN.

  • Create two VPN connections in your private space.

Configure High Availability with Anypoint VPN

The following example shows a high availability VPN topology using a single Anypoint VPC and two VPN connections.

A MuleSoft Virtual Private Gateway (VGW) supports one Anypoint VPC association, but it supports up to 10 VPN connections. You can locate your VPN Gateways in the same data center, or in different physical locations.

VPN High Availability Topology

Use BGP routing to advertise the same routes via VPN-1 and VPN-2. See Anypoint VPN Path Selection using BGP Routing for instructions on how to control path selection via the routing protocol.

In this scenario, the VPN Gateways are configured to prefer: VPN-1 Tunnel-1, then VPN-1 Tunnel-2, then VPN-2 Tunnel-1, and finally VPN-2 Tunnel-2. This configuration produces an automatic failover to another tunnel, and to another VPN in the event of a VPN connectivity issue. This makes the Anypoint VPN solution more resilient and robust.

High availability VPN connections also support static routing, in which you establish a VPN-2 to work as a redundant, standby connection in the event of a failure with VPN-1.

How VPN Failover Works

Failover to a redundant VPN depends on the routing type:

  • Dynamic (BGP)

  • Static

Failover for dynamic or BGP VPNs is automatic. For static VPN failover, you must manually fail over to the other available VPN by modifying the routes.

VPN and Tunnel Status

New VPN connections that you create appear in the Connections section of the private space. Initially, both VPN tunnels display DOWN while the infrastructure is created.

Depending on your configuration, tunnels might report a status of DOWN during normal operations.

Status Tunnel 1/2 Description



The VPN connection is recently created, and actions are pending in the background.

You might see this status for 10-15 minutes after creating a VPN.



The VPN connection is created, but the remote side is not configured or is not sending traffic.


Up/Up or Up/Down

The VPN connection is created, and the remote side established the connection successfully.

Tunnels operate in active/active or active/passive mode, depending on the routing configuration and your VPN device type.



The VPN connection is not created.

Delete the VPN and try again. If this failure recurs, contact MuleSoft Support.

Was this article helpful? Thanks for your feedback!
View on GitHub