A VPN gateway connects your VPC to an on-premises data center. Create one before setting up an IPsec-VPN connection.
Features
- A VPN gateway is the cloud-side endpoint of an encrypted tunnel. Create one before setting up an IPsec-VPN connection.
- Associate the VPN gateway with a VPC and specify two vSwitches in different availability zones for zone-level disaster recovery. In single-zone regions, zone-level disaster recovery is not available; specify two different vSwitches in the same zone for high availability.
- After creation, an ENI is created in each specified vSwitch to route VPN-to-VPC traffic, consuming one private IP address each. Ensure adequate IP availability in both vSwitches.
Create a VPN gateway
VPN gateways come in two types: enhanced and standard. For a comparison, see Enhanced vs. standard VPN gateways.
Enhanced VPN gateway (console)
The enhanced VPN gateway was released in February 2024 and is currently in public preview. To use it, request access from an Alibaba Cloud engineer.
Supported regions: Malaysia (Kuala Lumpur), UK (London), China (Chengdu), US (Virginia), US (Silicon Valley), China (Hong Kong), and Singapore.
Go to the VPN Gateway page in the console. On the Enhanced IPsec-VPN tab, click Create Enhanced IPsec-VPN and configure the following parameters:
- Region: Select your VPC region.
- VPC: Select your VPC.
- vSwitch 1 and vSwitch 2: Select two vSwitches in different availability zones for high availability. If the region has only one availability zone, it does not support zone-level disaster recovery; specify two different vSwitches in the same zone for high availability.
Standard VPN gateway (console)
Go to the VPN Gateway page in the console. On the Standard VPN Gateway tab, click Create VPN Gateway and configure the following parameters:
If the Standard VPN Gateway tab is not available, click Create VPN Gateway directly.
- Region and Availability Zone: Select your VPC region.
- Gateway Type: Select Standard. Standard gateways use standard commercial cryptographic algorithms.
- Network Type: Select Public to assign a public IP address for the IPsec-VPN connection. For private connections, use a private IPsec-VPN connection and associate it with a Transit Router.
- Tunnels: Select Dual-tunnel.
- VPC and vSwitch: Select your VPC and two vSwitches in different availability zones for high availability. The vSwitches cannot be changed after creation.
- Peak Bandwidth: Available bandwidth values vary by region. At 5 or 10 Mbps, peak inbound bandwidth is capped at 10 Mbps. For more information, see Quotas and limitations.
- Enable IPsec-VPN and disable SSL-VPN. To enable IPsec-VPN later, locate the VPN gateway and click Enable next to IPsec Connections in the Feature Configuration column. Enabling IPsec-VPN on an existing VPN gateway incurs prorated charges for the remainder of the billing cycle.
- Subscription Duration: The default is Pay-As-You-Go.
API
- Call CreateEnhancedVpnGateway to create an enhanced VPN gateway.
  Important: The enhanced VPN gateway was released in February 2024 and is currently in public preview. To use it, request access from an Alibaba Cloud engineer. Supported regions: Malaysia (Kuala Lumpur), UK (London), China (Chengdu), US (Virginia), US (Silicon Valley), China (Hong Kong), and Singapore.
- Call the CreateVpnGateway operation to create a standard VPN gateway.
Next steps
After creation:
- Create a customer gateway to register your on-premises gateway IP address and BGP ASN.
- Create an IPsec-VPN connection to establish an encrypted IPsec tunnel between your VPN gateway and your on-premises device.
Upgrade a VPN gateway (standard type only)
If your standard VPN gateway is not the latest version, upgrade it for the latest features and fixes.
This is a version upgrade, not a migration to an enhanced VPN gateway. To use an enhanced VPN gateway, create a new one.
- Look for the Upgrade button on the VPN gateway details page. Newly purchased gateways are already up to date.
- Upgrade impact:
  - The upgrade takes about 10 minutes.
    Important: During the upgrade, the VPN gateway is unavailable and connections are interrupted. Schedule the upgrade during a maintenance window.
  - The upgrade is free of charge.
- Upgrade limitations:
  - If no IPsec-VPN connections exist, the configuration remains unchanged.
  - If IPsec-VPN connections exist:
    - Connections using IKEv1 with multiple CIDR blocks must switch to IKEv2 or be split into separate connections.
    - Gateways created before March 21, 2019 that have not been upgraded require you to manually configure routes after the upgrade.
    - Otherwise, the connection configuration remains unchanged.
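Added example (not from the original documentation): a pre-upgrade audit for the IKEv1 limitation above. It flags connections that use IKEv1 with more than one CIDR block on either side and lists the single-CIDR connections that the "split" option would produce. The record field names (VpnConnectionId, LocalSubnet, RemoteSubnet, IkeConfig.IkeVersion) and the sample values are assumptions made for the example.

```python
from ipaddress import ip_network
from itertools import product
from typing import Dict, List

# Constructed sample records. Field names and comma-separated CIDR strings are an
# assumption made for this example, not a documented response shape.
SAMPLE_CONNECTIONS = [
    {"VpnConnectionId": "vco-example-1", "IkeConfig": {"IkeVersion": "ikev1"},
     "LocalSubnet": "10.0.0.0/24", "RemoteSubnet": "192.168.1.0/24"},
    {"VpnConnectionId": "vco-example-2", "IkeConfig": {"IkeVersion": "ikev1"},
     "LocalSubnet": "10.0.0.0/24,10.0.1.0/24",
     "RemoteSubnet": "192.168.1.0/24,192.168.2.0/24"},
    {"VpnConnectionId": "vco-example-3", "IkeConfig": {"IkeVersion": "ikev2"},
     "LocalSubnet": "10.0.0.0/24,10.0.1.0/24", "RemoteSubnet": "192.168.1.0/24"},
]


def _cidrs(field: str) -> List[str]:
    """Split a comma-separated CIDR list, validating each block as it is parsed."""
    return [str(ip_network(c.strip())) for c in field.split(",") if c.strip()]


def needs_attention(conn: Dict) -> bool:
    """An IKEv1 connection with more than one CIDR block on either side blocks the upgrade."""
    if conn["IkeConfig"]["IkeVersion"].lower() != "ikev1":
        return False
    return len(_cidrs(conn["LocalSubnet"])) > 1 or len(_cidrs(conn["RemoteSubnet"])) > 1


def split_plan(conn: Dict) -> List[Dict[str, str]]:
    """The 'split' option: one single-CIDR IKEv1 connection per (local, remote) pair."""
    return [{"LocalSubnet": local, "RemoteSubnet": remote}
            for local, remote in product(_cidrs(conn["LocalSubnet"]),
                                         _cidrs(conn["RemoteSubnet"]))]


def audit(conns: List[Dict]) -> Dict[str, List[Dict[str, str]]]:
    """Map each blocking connection ID to the connections a split would create."""
    return {c["VpnConnectionId"]: split_plan(c) for c in conns if needs_attention(c)}


if __name__ == "__main__":
    for conn_id, plan in audit(SAMPLE_CONNECTIONS).items():
        print(f"{conn_id}: switch to IKEv2 or split into {len(plan)} connections")
        for item in plan:
            print(f"  {item['LocalSubnet']} <-> {item['RemoteSubnet']}")
```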
Console
- Log on to the VPN Gateway console. Select the region of your VPN gateway in the top navigation bar.
- Click the VPN gateway ID, then click Upgrade.
Delete a VPN gateway
Enhanced VPN gateway (console)
Before deleting, ensure the VPN gateway has no associated IPsec-VPN connections, SSL servers, or IPsec servers.
Click Delete in the Actions column of the target VPN gateway.
Standard VPN gateway (console)
Before deleting, ensure the VPN gateway has no associated IPsec-VPN connections, SSL servers, or IPsec servers.
In the Actions column of the target VPN gateway, click Delete.
API
- Enhanced: Call DeleteEnhancedVpnGateway.
- Standard: Call the DeleteVpnGateway operation to delete the gateway.
Quotas and limitations
Enhanced VPN gateway
- Standard VPN gateways cannot be migrated to enhanced. Create a new enhanced VPN gateway instead.
- Enhanced VPN gateways do not support decrypted IP fragments.
- Adding a route to an enhanced VPN gateway may take up to 30 seconds to redirect traffic. Route modifications and deletions take effect immediately.
- If a single tunnel receives more than 2,000 BGP routes, the gateway stops learning routes on that tunnel.
- For additional limits, see Quotas and limitations.
Standard VPN gateway
- Maximum peak bandwidth varies by region.

  Peak bandwidth | Region
  ---------------|-------
  1,000 Mbps     | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Thailand (Bangkok), South Korea (Seoul), Philippines (Manila), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), Mexico
  500 Mbps       | UAE (Dubai), SAU (Riyadh)

  region supports VPN gateway instances with a peak bandwidth of 200 Mbps.
  The SAU (Riyadh) region is operated by a partner.
- New VPN gateways default to dual-tunnel mode. Existing gateways default to single-tunnel mode; upgrade to dual-tunnel mode for higher availability.
- Inbound and outbound bandwidth limits depend on the tunnel mode and the specified peak bandwidth.

  IPsec-VPN tunnel mode | Peak bandwidth | Peak outbound bandwidth                 | Peak inbound bandwidth
  ----------------------|----------------|-----------------------------------------|---------------------------------------
  Dual-tunnel           | > 10 Mbps      | Peak bandwidth of the standard gateway  | Peak bandwidth of the standard gateway
  Dual-tunnel           | ≤ 10 Mbps      | Peak bandwidth of the standard gateway  | 10 Mbps
  Single-tunnel         | > 100 Mbps     | Peak bandwidth of the standard gateway  | Peak bandwidth of the standard gateway
  Single-tunnel         | ≤ 100 Mbps     | Peak bandwidth of the standard gateway  | 100 Mbps
- For additional limits, see Quotas and limitations.