Prerequisites and Limitations for Site-to-Site VPN Tunnels
Supported VPN Tunnel Connection Endpoints
You can create a VPN tunnel connection with any of the following setups:
- Multicloud Defense Gateway to a Multicloud Defense Gateway.
- Multicloud Defense Gateway to a cloud service provider (AWS, Azure, GCP).
- Multicloud Defense Gateway to an ASA device hosted in CDO.
Multicloud Defense Gateway Prerequisites and Limitations
You must have the following prerequisites completed prior to creating a VPN tunnel regardless of the type of device or platform involved:
- You must be running Multicloud Defense Gateway version 24.04 or version 24.04-01. This includes Terraform versions.
- You must have VPN enabled in the gateway.
- At least one cloud service provider or third-party device must already be connected to Multicloud Defense.
- Your cloud service provider or third-party device must be configured to allow and create VPN tunnel connections. See the service or platform documentation for more information.
- You must have at least one IPSec profile. This profile must be attached to the VPN tunnel connection.
- The VPC and VNET must be deployed without a Network Address Translation gateway on both sides.
- (Optional) We recommend creating at least one BGP profile. This profile must be attached to the gateway instance associated with the VPN tunnel connection.
Be aware of the following limitations when creating a VPN tunnel connection:
- The Multicloud Defense Gateway you select must be an egress/east-west gateway.
- AWS and Azure gateways must be an 8 core instance type. 2 core and 4 core instance types are not supported at this time.
- Site-to-site VPN connections support up to 10 VPN peers.
- VPCs and VNETs for either an AWS or Azure environment must be created with a single availability zone. Multiple availability zones are not supported at this time.
- Site-to-site VPN tunnels do not support forward-proxy firewall rules at this time.
- Your bandwidth must be at least 800 Mbps.

Note: If you disable or enable a gateway, you must delete the site-to-site connection associated with the gateway and recreate the VPN connection.
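The prerequisites and limitations above lend themselves to a pre-flight check before a tunnel is created. The following is an added example, not Multicloud Defense code: the TunnelPlan fields are an assumed representation of a planned gateway and tunnel, not a product API, and the check reports every limitation a plan would violate.

```python
# Pre-flight check of a planned site-to-site VPN tunnel against the prerequisites
# and limitations above. Assumed representation, not a Multicloud Defense API.
from dataclasses import dataclass
from typing import List, Optional

SUPPORTED_VERSIONS = {"24.04", "24.04-01"}
MAX_VPN_PEERS = 10
MIN_BANDWIDTH_MBPS = 800
REQUIRED_CORES = 8  # AWS and Azure gateways; 2 and 4 core are not supported

@dataclass
class TunnelPlan:
    gateway_version: str
    gateway_role: str            # "egress", "east-west" or "ingress"
    cloud: str                   # "aws", "azure" or "gcp"
    cores: int
    vpn_enabled: bool
    ipsec_profile: Optional[str]
    nat_gateway_present: bool    # NAT gateway in the VPC/VNET on either side
    availability_zones: int
    peer_count: int
    bandwidth_mbps: int
    forward_proxy_rules: bool
    bgp_profile: Optional[str] = None  # recommended, not required

def preflight(plan: TunnelPlan) -> List[str]:
    """Return blocking problems; an empty list means the plan meets the limitations."""
    problems = []
    if plan.gateway_version not in SUPPORTED_VERSIONS:
        problems.append(f"gateway version {plan.gateway_version} is not 24.04 or 24.04-01")
    if not plan.vpn_enabled:
        problems.append("VPN is not enabled on the gateway")
    if plan.gateway_role not in ("egress", "east-west"):
        problems.append("gateway must be an egress/east-west gateway")
    if plan.ipsec_profile is None:
        problems.append("an IPSec profile must be attached to the connection")
    if plan.nat_gateway_present:
        problems.append("VPC/VNET must be deployed without a NAT gateway")
    if plan.cloud in ("aws", "azure"):  # the page states these limits for AWS/Azure only
        if plan.cores != REQUIRED_CORES:
            problems.append(f"{plan.cores} core instance; AWS/Azure gateways need {REQUIRED_CORES} cores")
        if plan.availability_zones != 1:
            problems.append("AWS/Azure VPC/VNET must use a single availability zone")
    if plan.peer_count > MAX_VPN_PEERS:
        problems.append(f"{plan.peer_count} peers exceeds the {MAX_VPN_PEERS} peer limit")
    if plan.bandwidth_mbps < MIN_BANDWIDTH_MBPS:
        problems.append(f"bandwidth {plan.bandwidth_mbps} Mbps is below {MIN_BANDWIDTH_MBPS} Mbps")
    if plan.forward_proxy_rules:
        problems.append("forward-proxy firewall rules are not supported on site-to-site tunnels")
    return problems
```

Run the check against each planned tunnel before creating it; a non-empty list means the connection will not be supported as planned.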
Limitations for VPN Tunnel Between Multicloud Defense and an ASA Device
Be aware of the following limitations when creating a VPN tunnel connection between the Multicloud Defense Gateway and an ASA device:
- When choosing the endpoints for the VPN tunnel, ensure that one endpoint is an ASA device and the other endpoint is a Multicloud Defense Gateway (steps 4-6).
- If you create a site-to-site VPN tunnel for a third-party or an on-premises device, the table of VPN connections only displays the status of the IPSec profile on Multicloud Defense's endpoint of the connection.
- Autoscaling is not currently supported.

For more information on VPN tunnels to an ASA device that is hosted in Cisco Defense Orchestrator, see ASA Site-to-Site VPN Configuration.

Note: If you are using a third-party device or an on-prem management center, only the Multicloud Defense side of the IPSec status is displayed at this time.