VMware Cloud on AWS has a few different connectivity options: Direct Connect, Policy-based VPN, and Routed-VPN. 

In my experience, most people seem to pick Direct Connect and Policy-based VPN first, before even thinking about Routed-VPN. But, as with most things in life, you’ll find that one use case for that option you’d never use otherwise. 😉

I had to build a routed-VPN from VMware Cloud on AWS to a VyOS router recently, and it had some options to take into account and took a while to figure out. This post goes into the configuration on both sides. Mostly on the VyOS side, as the VMC side is pretty straight forward. BGP is used to establish a routed connection.

Before you begin, make sure you have a VMConAWS SDDC (duh), and a running VyOS appliance, with an internal and internet-facing interface.

VMware Cloud on AWS VPN Config

The VPN configuration in VMC is straightforward. Navigate to the Network -> VPN -> Route Based page. Here’s a screenshot of the fields you need. 


  1. A friendly name, something to recognize it by.
  2. Pick the VMC public IP address you’d like to use as an endpoint. If you want a dedicated IP, request a new from System -> Public IP page.
  3. The public IP of the VyOS router.
  4. The VPN tunnel will establish a point to point connection between the VyOS router and the NSX Edge on VMC. This setting is the VMC side IP address of that point to point. Include the subnet length; a /30 is best practice.
  5. This is the VyOS side of the point to point. NSX uses this to set up the BGP peering.
  6. The BGP AS Number of the VyOS side. Check out the EDIT LOCAL ASN link the arrow is pointing to if you’d like to change or see the VMC side AS Number
  7. Pre-shared Key. Generate something long and random.

All the other options are set to their default values. You can change these if you’d like, but be sure to change the VPN settings in VyOS also. Speaking of which…

VyOS VPN Configuration

Below are the VPN settings needed to make this work. Take notice of a couple of things: 

  • eth1 is the internet-facing interface, and it has a public IP address (147.xxx.xxx.xxx).
  • 44.xxx.xxx.xxx is the public IP that you selected in the VMC VPN configuration as Local IP Address.
  • Copy and paste the pre-shared-secret. Don’t try to type it, unless you want to spend an hour or two extra on debugging.
  • vti1 is a virtual interface that’s bound to the VPN tunnel. It’ll come online once the VPN is established. It should have that /30 subnet you picked in the VMC VPN configuration, and make sure to use the BGP Remote IP from the VMC config.

Once the VPN configuration is there, the VPN tunnel should come up:

VyOS BGP Configuration

Now that the VPN tunnel is online, configure BGP to enable routing between VMC and VyOS. I’m always a bit conservative with BGP configurations and put in route-maps to make sure only the right subnets get into the routing table, so you’ll see that below. A few things to take note of:

  • is the VMC compute subnet. This VMC SDDC only has one. It could be more in your case. 
  • is the VMC management subnet. 
  • is the IP prefix that’s behind the VyOS. VyOS should have this prefix in its routing table.

If you don’t care about controlling the routing table, you could leave out the prefix-list, route-map, and route-map import. In any case, when you commit this configuration, the BGP peering should be established, and traffic should flow!


Share the wealth!