orchestrator
latest
false
UiPath logo, featuring letters U and I in white

Orchestrator user guide

Last updated Feb 18, 2026

Configuring VPN for cloud robots

You can create a VPN gateway for a tenant so that your VM cloud robots or serverless cloud robots can access your on-premises resources that are behind a firewall.

This page describes:
  • How the UiPath VPN Gateway works at a networking level.
  • How to plan CIDR ranges, routing, firewall rules, and DNS correctly.
  • How to configure site-to-site VPN connections, including static routing, BGP, and custom IPsec or IKE policies.

Prerequisites

Important:

Installing custom software on your VM, such as VPN clients, may interfere with core services and make the VM unusable. Use the configuration in this chapter instead.

To set up the VPN gateway, you must meet the following requirements:

  • Be an organization administrator in Automation CloudTM.
  • Have an Orchestrator role that includes the Machines - Edit permission.

  • Information required from your network administrator:

    • A list of reserved IP address ranges located in your on-premises network configuration, in CIDR notation. As part of configuration, you need to specify the IP address range prefixes that we will route to your on-premises location.

    • The private CIDRs you want UiPath to reach over the VPN (your on-premises networks).
    • A pre-shared key (PSK) for each VPN device.
      Important:

      The subnets of your on-premises network must not overlap with the virtual network subnets to which you want to connect.

    • Use compatible VPN devices and have the ability and know-how to configure them, as described in About VPN devices for connections - Azure VPN Gateway. For details on the default connection parameters, read the Default policies for Azure.
    • Your VPN device must use externally-facing, public IPv4 addresses.
    • Note:

      The pre-shared key should consist of a maximum 128 printable ASCII characters.

      Do not use space, hyphen -, or tilde ~ characters.

The VPN gateway workflow schema

This schema shows how the VPN connection is established betweenyour on-premises network and UiPath cloud robot networks.

Connecting to a VPN gateway allows VM-based cloud robots (ACR VM pools) and serverless robots to access restricted resources in your on-premises network.
Figure 1. VPN gateway workflow schema The VPN gateway workflow schema
The flow is as follows:
  1. Identify the on-premises CIDRs you want UiPath to reach (your internal private address ranges). These are the CIDRs that must be reachable through the VPN.

  2. In your local network, provide the IP ranges of the ACR-VM pools (6, 7) to allow their traffic into the network.

  3. Create the UiPath VPN Gateway network (Gateway subnet CIDR). This network hosts the VPN gateway resources only (tunnel endpoints and BGP peering).
    • Minimum supported: /27
    • Recommended: /25 or larger
    • Private endpoints require /25 or larger
    • Cannot be changed after creation
  4. UiPath creates a public IP for the VPN Gateway. Your on-premises VPN device uses this public IP as the remote peer. BGP Peer Address and ASN will also be available once provisioning is complete.
  5. Create a site-to-site tunnel between your on-premises VPN device public IP and the UiPath VPN Gateway public IP.
  6. Routing is established (static or BGP):
    • Static routing (BGP disabled on the connection): you enter the on-premises CIDRs on the connection; only those ranges are routed to on-premises.
    • Dynamic routing (BGP enabled on the connection): routes are exchanged dynamically.
  7. Robot traffic originates from robot CIDRs, not the gateway CIDR:
    • Each ACR VM pool CIDR (each pool has its own CIDR).
    • The single Serverless robot CIDR (one per tenant).
  8. Your on-premises firewall (and any intermediate firewalls) must allow inbound from the robot CIDRs to the on-prem resources, and ensure return routing back to those robot CIDRs (static routes or BGP).
Important:

The VPN Gateway does not perform NAT. CIDRs must be non-overlapping, and source IPs must be routable both ways.

Step 1. Create the VPN gateway

To create a VPN gateway for a tenant:

  1. In Automation CloudTM, go to Admin.

    If not already enabled, enable the new Admin experience using the toggle from the header.

  2. From the Tenants panel on the left side, select the tenant for which you want to create a VPN gateway.

    The settings page for the selected tenant opens.

  3. Select the VPN Gateway tile.
  4. Select Create gateway for Tenant. The Create gateway panel opens
  5. In the Name field, type a name for the gateway, as you want it to be displayed in the tenant's VPN Gateway page.
  6. In the Address space for VPN gateway vnet field, add the IP addresses you obtained from your network administrator.
    • Use CIDR notation
    • Minimum supported: /27
    • Recommended: /25 or larger (private endpoints require /25 or larger)
    • Cannot be modified after creation
    Important:
    • Vnet ranges for the gateway or for the VM pool cannot be modified once created.
    • Even if you assign a CIDR block to the VPN gateway network (for example, /25), traffic from machine pools or serverless machine templates with VPN enabled will not originate from this CIDR.

      The actual source IP addresses used for outgoing traffic are those of the CIDRs assigned to the individual machine pool or serverless template.

      Make sure to allow traffic from the CIDRs of your machine pools or serverless templates, not from the VPN gateway network's CIDR.

  7. (Optional) If you want to use a DNS for this connection, select Add DNS Address and then:
    1. In the DNS Address field, add a DNS address.
    2. To add additional DNS addresses, select Add more to add another field and then add the address to that field.
      Note: You can add DNS addresses later, after the VPN gateway is created, but that requires that you restart all VMs that are connected to the gateway.
  8. Select Create at the bottom of the panel to create the VPN gateway connection.

The panel closes and the VPN gateway status is Provisioning.

When complete, the status Deployed is displayed on the card of the gateway.

Note: If the status is Failed, delete the gateway and re-create it by following the previous instructions.

Step 2. Create cloud robot templates

Note: The VPN gateway must show the Deployed status before you can perform this step.

The Vnet for a cloud robot template is created when each template is created.

Cloud robots - VM

In Orchestrator, create one or more Cloud robot - VM pools, following the instructions in Creating the cloud robot pool . During setup, make sure to select the Connect VPN Gateway option.

For each pool, you can monitor the VPN status from the Machines > Manage Cloud Robot - VM page.

Note:

Existing Cloud robot - VM pools cannot connect to the VPN gateway. You must create new ones.

Additionally, for pools that were set up to connect to the tenant's VPN gateway, you have the option to edit the pool and switch off the Enable VPN Integration toggle to disconnect the pool. Once disconnected, you cannot reconnect the pool to the VPN gateway.

Cloud robots - serverless

In Orchestrator, edit or create Cloud robot - Serverless templates, following the instructions in Automation Cloud™ robots - Serverless . During setup, make sure to configure options on the Network Configuration page.

Step 3. Creating the site-to-site connection

With the VPN gateway deployed, you can now connect your on-premises networks to it.

The gateway card displays the public IP address, which is an essential information for the tunnel configuration.

To configure the VPN gateway to connect to a VPN device:

  1. In Automation CloudTM, go to Admin > Tenant > VPN Gateway.
  2. On the tile for the gateway, select Add connection.

    The Create connection panel opens.

  3. Provide values for the following fields:
    OptionDescription

    Connection name *

    Provide a name for your connection.

    Shared key (PSK) *

    Write a secret phrase or string. You need to remember this exact key and provide it when you configure the connection on your on-premises device.

    Public IP for the VPN device *

    Provide the public IP address of your on-premises VPN device. Important: Do not provide the public IP address of the VPN gateway shown on the card. That gateway public IP must be configured on your on-premises device as the remote peer.

  4. Choose the routing type for this connection between Static routing (BGP disabled) or Dynamic routing (BGP enabled).
    A single UiPath VPN gateway can host a mix of BGP and non-BGP connections.
    1. Static routing (BGP disabled)
      If BGP is disabled on the connection, you must configure which on-premises CIDRs UiPath should route to.

      Address space for the on-premises device *: specify all private CIDRs on your on-premises network that must be reachable through this connection. Only these ranges are routed to your on-prem via this tunnel.

      Note:

      If you configured DNS server IP addresses on the gateway, ensure those DNS IPs fall within one of the on-prem CIDRs defined here (so the gateway can reach them through the tunnel).

    2. Dynamic routing (BGP enabled)
      If BGP is enabled on the connection:
      • Routes are exchanged dynamically.
      • UiPath advertises:
        • All ACR VM pool CIDRs
        • The serverless robot CIDR
      • Your on-premises device advertises its on-prem CIDRs.
      Provide values for the following fields:
      • On-premises ASN: the ASN used by your on-premises VPN device.
      • BGP peer address: the IP address used by your on-premises device for BGP peering.

      If either value is missing or incorrect, BGP will not establish.

  5. Optionally, you can define custom configurations for the IPSec/IKE policy. Use this section to ensure compatibility with the specific security settings required by your on-premises VPN device, or to implement advanced security policies tailored to your organization needs. To do this, turn on the Custom IPSec/IKE policy toggle.
    Note: Only IKEv2 is supported.
    1. For IKE Phase 1, provide values for the following fields:
      Encryption *

      Provide the matching encryption method for the initial secure key exchange (IKE Phase 1). This must be identical to the UiPath Gateway setting (for example, AES-256, GCMAES).

      Possible values: GCMAES256, GCMAES128, AES256, AES192, AES128

      Integrity *

      Provide the matching data integrity check for the initial IKE Phase 1 communication (for example, SHA-256, SHA-512). This must match the UiPath Gateway.

      Possible values: SHA384, SHA256, SHA1, MD5

      DH Group *

      Provide the matching Diffie-Hellman (DH) group for the secure key exchange in IKE Phase 1 (for example, Group 14, Group 19). This must match the UiPath Gateway.

      Possible values: DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2, DHGroup1, None

    2. For IKE Phase 2 (IPSec), provide values for the following fields:
      IPsec Encryption *

      Provide the matching encryption method for data traffic within the VPN tunnel (IPSec Phase 2) (for example, AES-256, 3DES). This must match the UiPath Gateway.

      Possible values: GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None

      IPsec Integrity *

      Provide the matching data integrity check for traffic within the VPN tunnel (IPSec Phase 2) (for example, SHA-256, SHA-512). This must match the UiPath Gateway.

      Possible values: GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5

      PFS Group *

      Provide the matching Perfect Forward Secrecy (PFS) group for IPSec Phase 2, if enabled on the UiPath Gateway (for example, Group 14, Group 19). If one side uses PFS, the other should match or disable it.

      Possible values: PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None

      IPSec SA lifetime in Kilobytes *

      Provide the duration for active secure connections (IKE and IPSec). These are local settings; matching is not strictly required, but similar values are recommended for consistency.

      Possible values: minimum 1,024, default 10,2400,000

      IPsec SA lifetime in seconds *

      Provide the duration for active secure connections (IKE and IPSec). These are local settings; matching is not strictly required, but similar values are recommended for consistency.

      Possible values: minimum 300, default 27,000

  6. Select Add connection. Once the configuration is complete, it may take some time for the connection status to update to Connected.

The panel closes and the new connection is displayed on the Connections page. The connection is ready to use when the Connection status column displays Connected.

A Connected status means the Pre-Shared Key (PSK), peer Public Internet Protocol (IP) address, and IPSec/IKE Policy parameters are configured correctly, and an encrypted tunnel exists.

Note: If the connection status is Connection failed, you must delete the connection and create it again.

To add more connections, on the Connections page, select Create connection.

Note: You can add up to 25 connections.

Step 4. Setting up VPN devices

Your network administrator can now:

  1. Set up your VPN device from your on-premise network.

    The PSK must match the one specified for the connection created in step 3.

  2. Add the address spaces used to configure the VPN gateway and Vnets for cloud robot templates to the allow list of your network.

For a list of supported VPN devices and for RouteBased configuration instructions, refer to About VPN devices for connections - Azure VPN Gateway in the Microsoft documentation.

Frequently asked questions

Data residency

The VPN gateway for a tenant is automatically created in the same region as the region of the tenant and you cannot change the region.

Switching to a different region

If a VPN gateway already exists and you chose to move your tenant to a different region, you can either:

  • continue to use the gateway in the old region or
  • delete the existing VPN gateway and create a new one, which is created in the current region of the tenant.

Data retention

If you disable a tenant that has a VPN gateway, you have a 60-day grace period before you lose access to your VPN device. After 60 days, your VPN gateway is permanently deleted from your tenants.

If you re-enable the tenant within 60 days, your VPN gateway is not deleted and available for use.

License expiration

If your robot units have expired, you have a 60-day grace period before you lose access to your VPN device. After 60 days, your VPN gateway is permanently deleted from your tenants.

Troubleshooting VPN connections

If a connection is Connected, but you cannot access the resources, check:

  • Address Space Configuration—Ensure defined address spaces on both ends are correct and non-overlapping for proper routing.

  • DNS Resolution—Confirm the gateway and connected devices resolve necessary domain names. Verify DNS server configurations and reachability.

  • Firewall Rules—Review firewall rules on both the gateway and on-premises network; ensure traffic flows on required ports and protocols within defined address spaces.

Was this page helpful?

Support and Services
Get The Help You Need
UiPath Academy
Learning RPA - Automation Courses
UiPath Forum
UiPath Community Forum
Uipath Logo
Trust and Security
Terms of Use
Privacy Policy
Cookies Policy
© 2005-2026 UiPath. All rights reserved.