All Products
Search
Document Center

VPN Gateway:CreateVpnRouteEntry

Last Updated:Jun 19, 2026

Creates a destination route for a VPN gateway instance. After the destination route is created, the VPN gateway instance matches the destination IP address of traffic against destination routes and forwards the traffic based on the matched destination route.

Operation description

Before you begin

  • Before you create a destination route, make sure that you have created an IPsec-VPN connection. For more information, see CreateVpnConnection.

  • Before you create a destination route, we recommend that you understand the matching rules of destination routes. For more information, see Configure destination routes.

Limits

  • Destination routes with a destination CIDR block of 0.0.0.0/0 are not supported.

  • Do not add destination routes with a destination CIDR block of 100.64.0.0/10, a subnet of 100.64.0.0/10, or a CIDR block that contains 100.64.0.0/10. Such routing entries may cause the console to fail to display the status of IPsec-VPN connections or cause IPsec-VPN connection negotiation to be failed.

  • The CreateVpnRouteEntry operation is asynchronous. After you invoke this operation, the system returns the destination route configuration, but the destination route has not been created yet. The background creation node is still in progress. You can invoke DescribeVpnGateway to query the creation status of the destination route:
    • If the VPN gateway instance is in the updating state, the destination route is being created.

    • If the VPN gateway instance is in the active state, the destination route has been created.

  • The CreateVpnRouteEntry operation does not support concurrent creation of destination routes for the same VPN gateway.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

vpc:CreateVpnRouteEntry

create

*VpnGateway

acs:vpc:{#regionId}:{#accountId}:vpngateway/{#VpnGatewayId}

None None

Request parameters

Parameter

Type

Required

Description

Example

RegionId

string

Yes

The region ID of the VPN gateway instance.

You can call the DescribeRegions operation to query the region ID.

cn-hangzhou

ClientToken

string

No

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters.

Note

If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId may be different for each API request.

d7d24a21-f4ba-4454-9173-b3828dae****

VpnGatewayId

string

Yes

The instance ID of the VPN gateway.

vpn-bp1a3kqjiiq9legfx****

RouteDest

string

Yes

The destination CIDR block of the destination route.

10.0.0.0/24

NextHop

string

Yes

The next hop of the destination route.

vco-bp15oes1py4i66rmd****

Weight

integer

Yes

The weight of the destination routing entry.

When you use the same VPN gateway instance to establish active/standby IPsec-VPN connections, you can specify the active and standby links by configuring the weight of the destination routing entry. A destination routing entry with a weight of 100 is the active link by default, and a destination routing entry with a weight of 0 is the standby link by default.

You can configure health checks for the IPsec-VPN connection to automatically detect the connectivity of the link. If the active link is unavailable, the system automatically switches traffic to the standby link, ensuring high availability of the cloud connection. For more information, see CreateVpnConnection.

  • 100: The IPsec-VPN connection associated with the destination route serves as the active link.

  • 0: The IPsec-VPN connection associated with the destination route serves as the standby link.

Note
  • When you specify active and standby links, the active and standby destination routes must have the same destination CIDR block, different next hops, and different weights.

  • For VPN gateway instances that support dual-tunnel pattern IPsec-VPN connections, you do not need to configure this parameter. A dual-tunnel pattern IPsec-VPN connection contains two tunnels that automatically form active/standby links. You do not need to specify active/standby links by configuring this parameter. If you configure this parameter, the parameter settings do not take effect.

0

PublishVpc

boolean

Yes

Specifies whether to publish the destination route to the VPC. Valid values:

  • true: Publishes the destination route to the VPC. The system publishes the route only to the VPC system route table, not to VPC custom route tables.

    If you want the custom route table to contain this route, manually add the route. For more information, see CreateRouteEntry.

  • false: Does not publish the destination route to the VPC.

    You must manually add a destination route with the next hop pointing to the VPN gateway instance in both the VPC system route table and custom route tables. Otherwise, the VPC cannot access resources in the destination CIDR block through the IPsec-VPN connection.

true

Description

string

No

The description of the destination route.

The description must be 1 to 100 characters in length and cannot start with http:// or https://.

mytest

OverlayMode

string

No

The tunneling protocol. Set the value to Ipsec (IPsec tunneling protocol).

Ipsec

DryRun

boolean

No

Specifies whether to perform a dry run, without performing the actual request. Valid values:

  • true: performs only a dry run. The system checks the request for potential issues, including missing parameter values, incorrect request syntax, and service limits. If the request fails the dry run, an error code is returned. If the request passes the dry run, the DryRunOperation error code is returned.

  • false (default): performs a dry run and performs the actual request. If the request passes the dry run, an HTTP 2xx status code is returned and the operation is performed.

false

Response elements

Element

Type

Description

Example

object

The response parameters.

NextHop

string

The next hop of the destination route.

vco-bp15oes1py4i66rmd****

Weight

integer

The weight of the destination route. Valid values:

  • 100: The destination route has a high priority.

  • 0: The destination route has a low priority.

0

RouteDest

string

The destination CIDR block of the destination route.

10.0.0.0/24

RequestId

string

The request ID.

5BE01CD7-5A50-472D-AC14-CA181C5C03BE

Description

string

The description of the destination route.

mytest

State

string

The publish status of the destination route.

  • published: The destination route has been published to the route table of the VPC.

  • normal: The destination route has not been published to the route table of the VPC.

published

CreateTime

integer

The timestamp when the destination route was created. Unit: milliseconds.

The timestamp follows the UNIX timestamp format, which represents the total number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC.

1492747187000

OverlayMode

string

The tunneling protocol. Set the value to Ipsec (IPsec tunneling protocol).

Ipsec

VpnInstanceId

string

The instance ID of the VPN gateway.

vpn-bp1a3kqjiiq9legfx****

Examples

Success response

JSON format

{
  "NextHop": "vco-bp15oes1py4i66rmd****",
  "Weight": 0,
  "RouteDest": "10.0.0.0/24",
  "RequestId": "5BE01CD7-5A50-472D-AC14-CA181C5C03BE",
  "Description": "mytest",
  "State": "published",
  "CreateTime": 1492747187000,
  "OverlayMode": "Ipsec",
  "VpnInstanceId": "vpn-bp1a3kqjiiq9legfx****"
}

Error codes

HTTP status code

Error code

Error message

Description

400 Resource.QuotaFull The quota of resource is full
400 VpnGateway.Configuring The specified service is configuring.
400 VpnGateway.FinancialLocked The specified service is financial locked.
400 VpnRouteEntry.AlreadyExists The specified route entry is already exist. The route already exists.
400 VpnRouteEntry.Conflict The specified route entry has conflict. Route conflicts exist.
400 VpnRouteEntry.ConflictSSL The specified route entry has conflict with SSL client. The route conflicts with the SSL client.
400 VpnRouteEntry.BackupRoute Validate backup route entry failed. Active/standby routes failed authentication.
400 VpnRouteEntry.InvalidWeight Invalid route entry weight value. The weight specified for the route is invalid.
400 InvalidNextHop.NotFound The specified NextHop does not exist. The specified next hop does not exist.
400 IllegalParam.RouteDest The specified RouteDest is invalid The destination address is invalid.
400 OperationFailed.RouteConflict Operation failed because there is already a route in VPC route table to another VPN on the same network block. Operation failed because there is already a route in VPC route table to another VPN on the same network block.
400 OperationFailed.InvalidCidrBlock Operation failed because the specified network block is invalid. The CIDR block is invalid.
400 QuotaExceeded.VpnRouteEntry The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit. The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit.
400 TaskConflict The operation is too frequent, please wait a moment and try again. Your requests are too frequent. Try again later.
400 VpnTask.CONFLICT Vpn task has conflict. The VPN operation conflicts. Try again later.
400 IncorrectVpcStatus Current VPC status does not support this operation.
400 InternalError The request processing has failed due to some unknown error, exception or failure.
400 InvalidCidrBlock.Malformed Specified CIDR block is not valid.
400 DryRunOperation Request validation has been passed with DryRun flag set. The request passed the dry run.
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user.
403 Forbidden User not authorized to operate on the specified resource. You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404 InvalidVpnGatewayInstanceId.NotFound The specified vpn gateway instance id does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.