Create an Anypoint VPN Connection

logo cloud active logo hybrid disabled logo server disabled logo rtf disabled

You can create an Anypoint VPN connection using Runtime Manager.


Before you can create an Anypoint VPN:

  • You must create an Anypoint Virtual Private Cloud (Anypoint VPC).

    See Virtual Private Cloud for more information.

    One Anypoint VPC can accommodate up to 10 Anypoint VPNs.

  • You must have either the CloudHub Network Administrator or the CloudHub Network Viewer user permission to access the VPN page.

  • Your default environment (defined in your profile) must have Read Application permissions.

    vpn permissions

The VPNs page is visible to Anypoint organizations that have VPN entitlements.

Checklist for Creating an Anypoint VPN

When you create or configure an Anypoint VPN, you must provide the following information:

Remote IP address

The public IP address of your VPN endpoint. This must be a single, static IP address.

Static Routes (CIDR)

The subnets in your network to make accessible through the VPN. This information is required only if you are using static routing.

Remote and Local ASN

The Autonomous System Number specifies the collection of routing prefixes. You must configure both a remote and local ASN. This is required only if you are using dynamic routing.

Pre-shared Key (PSK)

The shared secret for the VPN tunnels. These values are auto-generated if you select Automatic Tunnel Configuration.

Point-to-Point CIDR

Private IP range for the VPN tunnel interfaces. These values are auto-generated if you select Automatic Tunnel Configuration.

Create an Anypoint VPN

To create an Anypoint VPN:

  1. Sign into Anypoint Platform and select Runtime Manager.

  2. Select the environment where you want to create an Anypoint VPN.

  3. From the menu on the left, click VPNs, and then click Create VPN.

  4. Enter or select the following information for your Anypoint VPN:


    Enter a name for your Anypoint VPN.


    From the list, select the Virtual Private Cloud for the Anypoint VPN connection.

    Remote IP Address

    Enter the public IP address of your VPN endpoint.

  5. Select the routing type to use.

    You can select either BGP (dynamic) or Static. Choose the Border Gateway Protocol (BGP) type if your device supports it.

    To use dynamic routing:

    1. Select BGP.

    2. Define the remote ASN.

      Enter the ASN corresponding to your backend. You can use an existing ASN assigned to your network or a private ASN (64512–65534) that is not already assigned to your network. The default value is 65001.

    3. Define the local ASN.

      Assign an ASN for the MuleSoft side. Use a private ASN (64512–65534) that is not already assigned to your network. The default value is 64512.

    To use static routing:

    1. Select Static.

    2. In the CIDR field, enter a subnet to make accessible through the VPN, for example,

    3. If you want to add additional subnets, click Add New Rule, and repeat the previous step.

      A maximum of 95 route table entries is allowed per VPC, regardless of the number of VPN connections. To avoid exceeding the limit, consolidate networks to the fewest number possible.

  6. Select the Tunnel Configuration type.

    You can select either Automatic or Custom. In most scenarios, Automatic is sufficient. The steps differ depending on the selected tunnel type.

    To use Automatic tunnel configuration:

    1. Select Automatic.

      No other inputs are required. This option automatically configures the tunnel settings for your Anypoint VPN.

      The tunnel settings are visible after VPN creation.

    To use Custom tunnel configuration:

    1. Select Custom.

    2. In the PSK field for each tunnel, enter a value between 8-64 characters that does not begin with zero (0).

      Use only alphanumeric characters, periods (.), and underscores (_).

    3. In the Point-to-Point CIDR field for each tunnel, enter the IP address range for the internal address of the VPN tunnel.

      You can specify a size /30 CIDR block from the range. The CIDR block must be unique across all VPN connections.

      You cannot use the following CIDR blocks:
    You cannot modify tunnel settings after you create the Anypoint VPN connection. To change the settings for an existing connection, delete the Anypoint VPN connection and create a new one.
  7. Click Create VPN.

    Initially, the status of the VPN is PENDING. This is the expected status while the infrastructure is created. After the status changes to AVAILABLE, continue with the next steps.

    For more information see VPN and Tunnel Status.

  8. Download the configuration file from your Anypoint VPN:

    1. In Runtime Manager, click the name of the Anypoint VPN that you just created.

    2. Click Get VPN Config.

    3. In the Download VPN Config window, select a Vendor, Platform, and Software version that corresponds to your VPN endpoint device.

      If your device type is not listed, select generic.

    4. Click View Config and then click the Copy button in the top right corner.

    5. Paste the configuration to a text file.

      All configuration files represent the minimum requirement of IKEv1, AES128, SHA1, and DH Group 2. You can modify the configuration for your VPN endpoint to take advantage of the other supported IPsec settings. See IPsec settings.

  9. Configure your VPN endpoint:

    1. Share the VPN configuration file (from Step 8) with your VPN endpoint administrator.

    2. Based on the configuration of your VPN endpoint, you might need to perform additional configuration steps.

      See VPN requirements for more information.

      Refer to the documentation for your specific VPN endpoint to ensure that the components of your network are configured correctly.

      Configure both tunnels on your VPN endpoint to avoid unexpected behavior.

VPN and Tunnel Status

The new VPN connection you created appears in the list of VPNs. Initially, the Status column displays PENDING and both VPN tunnels display DOWN while the infrastructure gets created.

Depending on your configuration, tunnels might report a status of DOWN during normal operations.

Status Tunnel 1/2 Description



The VPN connection is recently created, and actions are pending in the background. You might see this status for 10-15 minutes after creating a VPN.



The VPN connection is created, but the remote side is not configured or is not sending traffic.


Up\Up or Up\Down

The VPN connection is created, and the remote side established the connection successfully. Tunnels operate in active/active or active/passive mode, depending on the routing configuration and your VPN device type.



The VPN connection is not created. Delete the VPN and try again. If this failure recurs, contact MuleSoft Support.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub
Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!