Contact Free trial Login

Create an Anypoint VPN Connection

Create an Anypoint VPN using Runtime Manager.


You must create an Anypoint Virtual Private Cloud (Anypoint VPC) before you can create an Anypoint VPN. See Virtual Private Cloud for more information.

One Anypoint VPC can accommodate up to 10 Anypoint VPNs.

When you create or configure an Anypoint VPN, you must provide the following information:

  • Remote IP address: The public IP address of your VPN endpoint.

  • Remote and Local Autonomous System Number (ASN): Specifies the collection of routing prefixes. You must configure both a remote and local ASN before creating an Anypoint VPN. This is required only if you are using dynamic routing.

  • Classless Inter-Domain Routing (CIDR): Specifies the routing address of your network. This is required only if you are using static routing.

  • Pre-shared Key (PSK): Shared secret used by the network tunnel that connects Anypoint Platform and your network. This value is auto-generated if you select Automatic Tunnel Configuration.

  • Point-to-Point CIDR: IP range used by the network tunnel. You must configure a unique IP address range for each tunnel. This value is auto-generated if you select Automatic Tunnel Configuration.

Create an Anypoint VPN

  1. Sign into Anypoint Platform and select Runtime Manager.

  2. Select the environment where you want to create an Anypoint VPN.

  3. From the menu on the left, click the VPNs tab, then click Create VPN.

  4. Enter or select the following information for your Anypoint VPN:

    • Name - Enter a name for your Anypoint VPN.

    • VPC - From the drop-down list, select the Virtual Private Cloud for the Anypoint VPN connection.

    • Remote IP Address - Enter the public IP address of your VPN endpoint.

  5. Select the routing type to use:

    You can select either BGP or Static. Choose the Border Gateway Protocol (BGP) type if your device supports it.
    To use dynamic routing To use static routing

    Select BGP then enter the following values:

    • Remote ASN - Enter the ASN corresponding to your backend.
      The default value is 65001.

    • Local ASN - Assign an ASN for the MuleSoft side.
      The default value is 64512

    Select Static, then:

    1. In the CIDR field, enter a subnet that needs to be accessible via the VPN.
      For example:

    2. (Optional) To add additional subnets, click Add New Rule, and repeat the previous step.

  6. Select the Tunnel Configuration type.
    You can select either Automatic or Custom. In most scenarios, Automatic is sufficient. The following steps differ based on the tunnel type selected.

    To use Automatic tunnel configuration To use Custom tunnel configuration

    Select Automatic
    No other inputs are required. This option automatically configures the required tunnels for your Anypoint VPN.

    1. Select Custom, then enter the values for both tunnels:

    2. In the PSK field, enter a value between 8-64 characters in length that does not begin with zero (0).
      Use only alphanumeric characters, periods (.), and underscores (_).

    3. In the Point-to-Point CIDR field, enter the IP address range for the internal address of the VPN tunnel.
      You can specify a size /30 CIDR block from the range. The CIDR block must be unique across all VPN connections.
      You cannot use the following CIDR blocks:
  7. Click Create VPN.

    You cannot modify tunnel settings after you create the Anypoint VPN connection. To change the settings for an existing connection, you must delete the Anypoint VPN connection and create a new one.
  8. Click Download to download the configuration file for you VPN endpoint.

    The provided configuration file is an example configuration using the minimum supported IPsec settings. You can adjust the configuration to fit your own requirements, using any combination of IPsec settings that are supported in Anypoint VPN.
  9. Configure your VPN endpoint.
    Based on the configuration options you choose, additional configuration steps may be required. For help with configuring your endpoint, refer to the documentation for your specific VPN endpoint, and ensure that the components of your network are configured correctly.

You must configure both tunnels on your VPN endpoint to avoid unexpected behavior.

VPN and Tunnel Status

The new VPN connection you created appears in the list of VPNs. Initially, the Status column displays PENDING and both VPN tunnels display DOWN while the infrastructure gets created.

Depending on your configuration, tunnels may report a status of DOWN during normal operations.
Status Tunnel 1/Tunnel 2 Description



The VPN connection is recently created, and actions are pending in the background. You may see this status for 10-15 minutes after creating a VPN



The VPN connection is created, but the remote side is not configured or is not sending traffic.


Up\Up or Up\Down

The VPN connection is created, and the remote side established the connection successfully. Depending on the type of VPN and routing, the tunnels may operate in an active/active or active/passive mode.



The VPN connection was not created successfully. You have to delete the VPN and try again. If this failure reoccurs, please contact MuleSoft Support.