Anypoint VPN High Availability

logo cloud active logo hybrid disabled logo server disabled logo rtf disabled

To ensure your applications and related operations are tolerant to Anypoint VPN updates, issues, or individual Customer Gateway failures, implement High Availability VPN connections.

Each Anypoint VPN connection consists of two endpoints, providing High Availability (HA) on the MuleSoft side by default.


  • Sufficient entitlement for each VPN connection.

  • Two VPN endpoints using different public IP addresses.

  • Two VPN connections in Runtime Manager.

Configure High Availability with Anypoint VPN

The following example shows a High Availability VPN topology using a single Anypoint VPC and two VPN connections.

A MuleSoft Virtual Private Gateway (VGW) supports one Anypoint VPC association, but it supports up to 10 VPN connections. You can locate your VPN Gateways in the same data center, or in different physical locations.

VPN High Availability Topology

Use BGP routing to advertise the same routes via VPN-1 and VPN-2. See Anypoint VPN Path Selection using BGP Routing for instructions on how to control path selection via the routing protocol.

In this scenario, the VPN Gateways are configured to prefer: VPN-1 Tunnel-1, then VPN-1 Tunnel-2, then VPN-2 Tunnel-1, and finally VPN-2 Tunnel-2. This configuration produces an automatic failover to another tunnel, and to another VPN in the event of a VPN connectivity issue. This makes the Anypoint VPN solution more resilient and robust.

High Availability VPN connections also support static routing, in which you establish a VPN-2 to work as a redundant, standby connection in the event of a failure with VPN-1.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub
Submit your feedback!
Share your thoughts to help us build the best documentation experience for you!
Take our latest survey!