
VPN Gateway: Create and manage a VPN gateway

Last Updated: Aug 22, 2023

Before you can establish a VPN connection, you must first create a VPN gateway. This topic describes how to create, modify, and delete a VPN gateway.

Background information

VPN gateways support different network types. VPN gateways of different network types establish encrypted channels by using different methods and meet different business requirements.

| Type of VPN gateway | Supported network type | Supported connection type | Method of establishing encrypted tunnels | Scenario | References |
| --- | --- | --- | --- | --- | --- |
| Standard VPN gateway | Public | IPsec-VPN, SSL-VPN | Encrypted tunnels are established based on the Internet. Standard international algorithms are used for encryption. | This type is ideal for connecting enterprise data centers, office networks, or Internet clients to VPCs. | Associate IPsec-VPN connections with VPN gateways |
| Standard VPN gateway | Private | IPsec-VPN | Encrypted tunnels are established based on private connections over Express Connect circuits. Standard international algorithms are used for encryption. | This type is ideal for encrypting private connections over Express Connect circuits between data centers or office networks and VPCs. | |

Limits

  • Private VPN gateways are in invitational preview. To use a private VPN gateway, contact your account manager or submit a ticket.
  • The maximum bandwidth supported by a VPN gateway varies by region. The maximum bandwidth in some regions can reach 1,000 Mbit/s.

    Maximum bandwidth supported by VPN gateways in each region:

    | Maximum bandwidth | Region |
    | --- | --- |
    | 1,000 Mbit/s | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), US (Virginia), Germany (Frankfurt), and UK (London) |
    | 200 Mbit/s | China (Nanjing-Local Region), Japan (Tokyo), Thailand (Bangkok), South Korea (Seoul), Philippines (Manila), India (Mumbai), Australia (Sydney), US (Silicon Valley), and UAE (Dubai) |

Create a VPN gateway

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region where you want to create the VPN gateway.

    Make sure that the VPN gateway and the virtual private cloud (VPC) with which you want to associate the VPN gateway are deployed in the same region.

  3. On the VPN Gateways page, click Create VPN Gateway.
  4. On the buy page, configure the parameters described in the following table, click Buy Now, and then complete the payment.
    Parameter: Description

    • Name: Enter a name for the VPN gateway.
    • Region: Select the region where you want to deploy the VPN gateway.

      The VPN gateway must belong to the same region as the VPC that you want to associate with the VPN gateway.

    • Gateway Type: Select the type of VPN gateway that you want to create. Default value: Standard.
    • Network Type: Select a network type for the VPN gateway.
        • Public: The VPN gateway can be used to establish VPN connections over the Internet.
        • Private: The VPN gateway can be used to establish VPN connections over private networks.
    • Tunnels: The supported tunnel modes are automatically displayed.
        • Single-tunnel
        • Dual-tunnel

      For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode.

    • VPC: Select the VPC with which you want to associate the VPN gateway.
    • vSwitch: Select a vSwitch from the selected VPC.
        • If you select Single-tunnel, you need to specify one vSwitch.
        • If you select Dual-tunnel, you need to specify two vSwitches.

      Note
        • The system selects a vSwitch by default. You can change or use the default vSwitch.
        • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.
    • vSwitch 2: If you select Dual-tunnel, you need to specify another vSwitch in the VPC.
        • The two vSwitches must be in different zones to implement zone disaster recovery.
        • For a region that supports only one zone, zone disaster recovery is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can select the same vSwitch as the first one.
    • Maximum Bandwidth: Specify the maximum bandwidth of the VPN gateway. Unit: Mbit/s.
    • Traffic: Select a metering method for the VPN gateway. Default value: Pay-by-data-transfer.
    • IPsec-VPN: Specify whether to enable IPsec-VPN for the VPN gateway. Default value: Enable.

      You can use IPsec-VPN to establish a secure connection between a data center and a VPC or between two VPCs.

    • SSL-VPN: Specify whether to enable SSL-VPN for the VPN gateway. Default value: Disable.

      SSL-VPN allows you to establish secure connections between clients and servers without the need to deploy customer gateways. For example, you can establish SSL-VPN connections between Linux clients and VPCs.

    • SSL Connections: Select the number of clients to be connected at the same time.

      Note: This parameter is valid only if you enable SSL-VPN.

    • Duration: Select a billing cycle. Default value: By Hour.
    • Service-linked Role: Click Create Service-linked Role and the system automatically creates the service-linked role AliyunServiceRoleForVpn.

      The VPN gateway assumes the service-linked role to access other cloud resources. For more information, see AliyunServiceRoleForVpn.

      If Created is displayed, it indicates that the service-linked role is created, and you do not need to create it again.
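
The constraints in the Background information, Limits, and parameter descriptions above can be checked before purchase. The following pre-flight check is an added example, not part of the original documentation or any Alibaba Cloud tool; the `GatewayPlan` record, its field names, and the zone names are hypothetical.

```python
from dataclasses import dataclass

CAPS = {  # regional bandwidth caps in Mbit/s, copied from the Limits section of this page
    1000: "China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), "
          "China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), "
          "China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), "
          "Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), US (Virginia), "
          "Germany (Frankfurt), UK (London)",
    200: "China (Nanjing-Local Region), Japan (Tokyo), Thailand (Bangkok), "
         "South Korea (Seoul), Philippines (Manila), India (Mumbai), "
         "Australia (Sydney), US (Silicon Valley), UAE (Dubai)",
}
REGION_CAP = {name: cap for cap, names in CAPS.items() for name in names.split(", ")}

@dataclass
class GatewayPlan:  # hypothetical record of the buy-page choices
    region: str
    vpc_region: str
    network_type: str                 # "Public" or "Private"
    tunnels: str                      # "Single-tunnel" or "Dual-tunnel"
    vswitch_zones: list               # zone of each selected vSwitch, in order
    max_bandwidth: int                # Mbit/s
    ssl_vpn: bool = False             # page default: Disable
    ssl_connections: int = 0
    single_zone_region: bool = False  # region offers only one zone

def validate(plan):
    """Return the list of rule violations; an empty list means the plan passes."""
    errors = []
    if plan.region != plan.vpc_region:
        errors.append("VPN gateway and VPC must be in the same region")
    cap = REGION_CAP.get(plan.region)
    if cap is None or plan.max_bandwidth > cap:
        errors.append(f"maximum bandwidth {plan.max_bandwidth} Mbit/s not allowed in {plan.region} (cap: {cap})")
    if plan.network_type == "Private" and plan.ssl_vpn:
        errors.append("private gateways support IPsec-VPN only, not SSL-VPN")
    needed = 2 if plan.tunnels == "Dual-tunnel" else 1
    if len(plan.vswitch_zones) != needed:
        errors.append(f"{plan.tunnels} needs {needed} vSwitch(es), got {len(plan.vswitch_zones)}")
    elif needed == 2 and len(set(plan.vswitch_zones)) == 1 and not plan.single_zone_region:
        errors.append("dual-tunnel vSwitches must be in different zones")
    if plan.ssl_connections and not plan.ssl_vpn:
        errors.append("SSL Connections is valid only if SSL-VPN is enabled")
    return errors

# Constructed sample plans; zone names are placeholders.
BAD = GatewayPlan("Japan (Tokyo)", "Japan (Tokyo)", "Private", "Dual-tunnel",
                  ["zone-a", "zone-a"], 1000, ssl_vpn=True, ssl_connections=5)
GOOD = GatewayPlan("Germany (Frankfurt)", "Germany (Frankfurt)", "Public",
                   "Dual-tunnel", ["zone-a", "zone-b"], 1000)
```

Because the vSwitch cannot be changed after the gateway is created, run `validate(plan)` on the planned choices before you click Buy Now.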

Modify the name and description of a VPN gateway

  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
  4. In the Information section of the details page of the VPN gateway, modify the name and description of the VPN gateway.
    • Click Edit next to Name. In the dialog box that appears, modify the name of the VPN gateway and click OK.
    • Click Edit next to Description. In the dialog box that appears, modify the description and click OK.

Delete a VPN gateway

Before you delete a VPN gateway, make sure that no IPsec-VPN connection, SSL server, or IPsec server exists on the VPN gateway. For more information, see the following topics:
  1. Log on to the VPN Gateway console.
  2. In the top navigation bar, select the region of the VPN gateway.
  3. On the VPN Gateways page, find the VPN gateway and click Delete in the Actions column.
  4. In the Delete VPN Gateway message, click OK.
