ALIYUN::VPC::VpnConnection is used to call the CreateVpnConnection operation to create an IPsec connection.

Syntax

{
  "Type": "ALIYUN::VPC::VpnConnection",
  "Properties": {
    "IpsecConfig": Map,
    "Name": String,
    "IkeConfig": Map,
    "HealthCheckConfig": Map,
    "VpnGatewayId": String,
    "CustomerGatewayId": String,
    "RemoteSubnet": String,
    "LocalSubnet": String,
    "EffectImmediately": Boolean
  }
}

Properties

Name Type Required Editable Description Validity
Name String No Yes The name of the IPsec connection. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://. None.
IkeConfig Map No Yes The configurations for phase one negotiation. None.
IpsecConfig Map No Yes The configurations for phase two negotiation. None.
HealthCheckConfig Map No No The health check configurations. None.
VpnGatewayId String Yes No The ID of the VPN gateway. None.
CustomerGatewayId String Yes No The ID of the customer gateway. None.
RemoteSubnet String Yes Yes The CIDR block of the on-premises data center. This parameter is used for phase two negotiation. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. None.
LocalSubnet String Yes Yes The CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. None.
EffectImmediately Boolean No Yes Specifies whether to delete a successfully negotiated IPsec-VPN tunnel and initiate a negotiation again. Valid values:
  • true: starts the negotiation immediately after the configuration is complete.
  • false: starts the negotiation only when traffic is detected in the tunnel.
Default value: false.
None.

IkeConfig syntax

"IkeConfig": {
  "RemoteId": String,
  "Psk": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeAuthAlg": String,
  "IkeEncAlg": String,
  "IkePfs": String,
  "IkeLifetime": Integer,
  "LocalIdIPsec": String
}

IkeConfig Properties

Name Type Required Editable Description Validity
RemoteId String No Yes The ID of the customer gateway. The default value is the public IP address of the customer gateway. The value can be up to 100 characters in length.
Psk String No Yes The pre-shared key used for the authentication between the VPN gateway and the customer gateway. By default, the parameter value is generated randomly. You can also specify a pre-shared key. The key can be up to 100 characters in length.
IkeVersion String No Yes The version of the IKE protocol. Default value: ikev1. Valid values: ikev1 and ikev2.
IkeMode String No Yes The negotiation mode of IKE version 1. Default value: main. Valid values: main and aggressive.
IkeAuthAlg String No Yes The authentication algorithm used by phase one negotiation. Default value: md5. Valid values: md5 and sha1.
IkeEncAlg String No Yes The encryption algorithm used by phase one negotiation. Default value: aes. Valid values: aes, aes192, aes256, des, and 3des.
IkePfs String No Yes The Diffie-Hellman key exchange algorithm used by phase one negotiation. Default value: group2. Valid values: group1, group2, group5, group14, and group24.
IkeLifetime Long No Yes The lifetime of the SA established by phase one negotiation. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
LocalIdIPsec String No Yes The ID of the VPN gateway. The default value is the public IP address of the VPN gateway. The value can be up to 100 characters in length.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecAuthAlg": String,
  "IpsecEncAlg": String,
  "IpsecLifetime": Integer,
  "IpsecPfs": String
}

IpsecConfig Properties

Name Type Required Editable Description Validity
IpsecAuthAlg String No Yes The authentication algorithm used by phase two negotiation. Default value: md5. Valid values: md5 and sha1.
IpsecEncAlg String No Yes The encryption algorithm used by phase two negotiation. Default value: aes. Valid values: aes, aes192, aes256, des, and 3des.
IpsecLifetime Long No Yes The lifetime of the SA established by phase two negotiation. Unit: seconds. Default value: 86400. Valid values: 0 to 86400.
IpsecPfs String No Yes The Diffie-Hellman key exchange algorithm used by phase two negotiation. This parameter is specified to forward packets of all protocols. Default value: group2. Valid values: group1, group2, group5, group14, and group24.
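The tables above list what the service accepts, not what is prudent: the defaults are ikev1, md5 and group2, and des/3des remain selectable. The following added example (not part of the ROS documentation) lints a literal Properties map against the documented allowed values, lifetime ranges and CIDR format and flags allowed-but-weak choices; the set of values it treats as weak is this example's own policy assumption.

```python
import ipaddress

# Allowed values and defaults exactly as listed in the property tables above.
ALLOWED = {
    "IkeConfig": {
        "IkeVersion": ({"ikev1", "ikev2"}, "ikev1"),
        "IkeMode": ({"main", "aggressive"}, "main"),
        "IkeAuthAlg": ({"md5", "sha1"}, "md5"),
        "IkeEncAlg": ({"aes", "aes192", "aes256", "des", "3des"}, "aes"),
        "IkePfs": ({"group1", "group2", "group5", "group14", "group24"}, "group2"),
    },
    "IpsecConfig": {
        "IpsecAuthAlg": ({"md5", "sha1"}, "md5"),
        "IpsecEncAlg": ({"aes", "aes192", "aes256", "des", "3des"}, "aes"),
        "IpsecPfs": ({"group1", "group2", "group5", "group14", "group24"}, "group2"),
    },
}
LIFETIME = {"IkeConfig": "IkeLifetime", "IpsecConfig": "IpsecLifetime"}
# Policy assumption of this example: accepted values a defender would still reject.
WEAK = {"ikev1", "aggressive", "md5", "des", "3des", "group1", "group2"}


def check_subnets(value):
    """Validate a comma-separated CIDR list as used by RemoteSubnet/LocalSubnet."""
    problems = []
    for cidr in value.split(","):
        try:
            ipaddress.ip_network(cidr.strip(), strict=True)  # host bits must be zero
        except ValueError:
            problems.append(f"bad CIDR {cidr.strip()!r}")
    return problems


def lint(properties):
    """Return (errors, warnings): disallowed values vs. allowed-but-weak ones."""
    errors, warnings = [], []
    for section, rules in ALLOWED.items():
        cfg = properties.get(section, {})
        for name, (allowed, default) in rules.items():
            value = cfg.get(name, default)  # an unset field takes the documented default
            if value not in allowed:
                errors.append(f"{section}.{name}={value!r} not allowed")
            elif value in WEAK:
                warnings.append(f"{section}.{name}={value!r} is weak")
        lifetime = cfg.get(LIFETIME[section], 86400)
        if not isinstance(lifetime, int) or not 0 <= lifetime <= 86400:
            errors.append(f"{section}.{LIFETIME[section]}={lifetime!r} outside 0-86400")
    for key in ("RemoteSubnet", "LocalSubnet"):
        errors += [f"{key}: {p}" for p in check_subnets(properties.get(key, ""))]
    return errors, warnings
```

The linter assumes the Properties values are literals; a map that still carries `Ref` parameters (as in the template below) must be resolved first.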

HealthCheckConfig Properties

Name Type Required Editable Description Validity
Enable Boolean No Yes Specifies whether to enable health checks. If this parameter is set to true, the other health check parameters must be specified. Valid values: true and false.
Interval Integer No Yes The interval between health check retries. Unit: seconds. None.
Retry Integer No Yes The number of times health check packets are retransmitted. None.
Dip Boolean No Yes The IP address of the on-premises data center that can be accessed through the IPsec connection. None.
Sip String No Yes The IP address that the on-premises data center can access through the IPsec connection. None.

Response parameters

Fn::GetAtt

  • VpnConnectionId: the ID of the IPsec connection.
  • Status: the status of the IPsec connection.
  • PeerVpnConnectionConfig: the configurations of the peer connection between VPCs.

Examples

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "VpnConnection": {
      "Type": "ALIYUN::VPC::VpnConnection",
      "Properties": {
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "Name": {
          "Ref": "Name"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "VpnGatewayId": {
          "Ref": "VpnGatewayId"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        }
      }
    }
  },
  "Parameters": {
    "IpsecConfig": {
      "Type": "Json",
      "Description": "Configuration information for the second phase negotiation."
    },
    "Name": {
      "MinLength": 2,
      "Type": "String",
      "Description": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// .",
      "MaxLength": 128
    },
    "IkeConfig": {
      "Type": "Json",
      "Description": "Configuration information for the first phase of negotiation."
    },
    "HealthCheckConfig": {
      "Type": "Json",
      "Description": "Whether to enable the health check configuration."
    },
    "VpnGatewayId": {
      "Type": "String",
      "Description": "ID of the VPN gateway."
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": "The ID of the user gateway."
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
    },
    "LocalSubnet": {
      "Type": "String",
      "Description": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
    },
    "EffectImmediately": {
      "Default": false,
      "Type": "Boolean",
      "Description": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters.",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    }
  },
  "Outputs": {
    "VpnConnectionId": {
      "Description": "ID of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "VpnConnectionId"
        ]
      }
    },
    "Status": {
      "Description": "Status of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "Status"
        ]
      }
    },
    "PeerVpnConnectionConfig": {
      "Description": "Peer vpc connection config.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "PeerVpnConnectionConfig"
        ]
      }
    }
  }
}