Contact Free trial Login

Create an Anypoint VPN Connection

Create an Anypoint VPN using Runtime Manager.

When you create or configure an Anypoint VPN, you must provide the following information:

  • Remote IP address:

    The public IP address of your VPN endpoint.

  • Remote and Local Autonomous System Number (ASN):

    Specifies the collection of routing prefixes. You must configure both a remote and local ASN before creating an Anypoint VPN. This is required only if you are using dynamic routing.

  • Classless Inter-Domain Routing (CIDR):

    Specifies the routing address of your network. This is required only if you are using static routing.

  • Pre-shared Key (PSK):

    Shared secret used by the network tunnel that connects Anypoint Platform and your network. This value is auto-generated if you select Automatic Tunnel Configuration.

  • Point-to-Point CIDR:

    IP range used by the network tunnel. You must configure a unique IP address range for each tunnel. This value is auto-generated if you select Automatic Tunnel Configuration.


Before you can create an Anypoint VPN:

  • You must create an Anypoint Virtual Private Cloud (Anypoint VPC).

    See Virtual Private Cloud for more information.

    One Anypoint VPC can accommodate up to 10 Anypoint VPNs.

  • You must have either the CloudHub Network Administrator or the CloudHub Network Viewer user permission to access the VPN page.

  • Your default environment (defined in your profile) must have Read Application permissions.

    vpn permissions

The VPNs page is visible to Anypoint organizations that have VPN entitlements.

Create an Anypoint VPN

To create an Anypoint VPN:

  1. Sign into Anypoint Platform and select Runtime Manager.

  2. Select the environment where you want to create an Anypoint VPN.

  3. From the menu on the left, click VPNs, and then click Create VPN.

  4. Enter or select the following information for your Anypoint VPN:

    • Name

      Enter a name for your Anypoint VPN.

    • VPC

      From the list, select the Virtual Private Cloud for the Anypoint VPN connection.

    • Remote IP Address

      Enter the public IP address of your VPN endpoint.

  5. Select the routing type to use:

    You can select either BGP or Static. Choose the Border Gateway Protocol (BGP) type if your device supports it.

    To use dynamic routing To use static routing

    Select BGP, and then enter the following values:

    • Remote ASN

      Enter the ASN corresponding to your backend.
      Use an existing ASN assigned to your network, or a private ASN (64512–65534) that is not already assigned to your network. The default value is 65001.

    • Local ASN

      Assign an ASN for the MuleSoft side.
      Use a private ASN (64512–65534) that is not already assigned to your network. The default value is 64512

    Select Static, and then:

    1. In the CIDR field, enter a subnet that needs to be accessible via the VPN.
      For example:

    2. (Optional) To add additional subnets, click Add New Rule, and repeat the previous step.

  6. Select the Tunnel Configuration type.

    You can select either Automatic or Custom. In most scenarios, Automatic is sufficient. The following steps differ based on the tunnel type selected.

    To use Automatic tunnel configuration To use Custom tunnel configuration

    Select Automatic.

    No other inputs are required. This option automatically configures the tunnel settings for your Anypoint VPN.

    1. Select Custom, and then enter the values for both tunnels:

    2. In the PSK field, enter a value between 8-64 characters in length that does not begin with zero (0).
      Use only alphanumeric characters, periods (.), and underscores (_).

    3. In the Point-to-Point CIDR field, enter the IP address range for the internal address of the VPN tunnel.
      You can specify a size /30 CIDR block from the range. The CIDR block must be unique across all VPN connections.
      You cannot use the following CIDR blocks:
  7. Click Create VPN.

    Initially, the status of the VPN is PENDING. This is the expected status while the infrastructure is created. After the status changes to AVAILABLE, continue with the next steps.

    For more information see VPN and Tunnel Status.

    You cannot modify tunnel settings after you create the Anypoint VPN connection. To change the settings for an existing connection, delete the Anypoint VPN connection and create a new one.
  8. Download the configuration file from your Anypoint VPN:

    1. In Runtime Manager, click the name of the Anypoint VPN that you just created.

    2. Click Get VPN Config.

    3. In the Download VPN Config window, select a Vendor, Platform, and Software version that corresponds to your VPN endpoint device.

      If your device type is not listed, select generic.

    4. Click View Config and then click the Copy button in the top right corner.

    5. Paste the configuration to a text file.

      All configuration files represent the minimum requirement of IKEv1, AES128, SHA1, and DH Group 2. You can modify the configuration for your VPN endpoint to take advantage of the other supported IPsec settings.

  9. Configure your VPN endpoint:

    1. Share the VPN configuration file (from Step 8) with your VPN endpoint administrator.

    2. Based on the configuration of your VPN endpoint, you might need to perform additional configuration steps.

      See VPN requirements for more information.

      Refer to the documentation for your specific VPN endpoint to ensure that the components of your network are configured correctly.

      Configure both tunnels on your VPN endpoint to avoid unexpected behavior.

VPN and Tunnel Status

The new VPN connection you created appears in the list of VPNs. Initially, the Status column displays PENDING and both VPN tunnels display DOWN while the infrastructure gets created.

Depending on your configuration, tunnels might report a status of DOWN during normal operations.

Status Tunnel 1/Tunnel 2 Description



The VPN connection is recently created, and actions are pending in the background. You might see this status for 10-15 minutes after creating a VPN



The VPN connection is created, but the remote side is not configured or is not sending traffic.


Up\Up or Up\Down

The VPN connection is created, and the remote side established the connection successfully. Depending on the type of VPN and routing, the tunnels might operate in an active/active or active/passive mode.



The VPN connection was not created successfully. You have to delete the VPN and try again. If this failure reoccurs, contact MuleSoft Support.

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.