Virtual Private Cloud: CreateVpnGateway

Last Updated: Dec 01, 2023

Creates a VPN gateway.

Operation Description

  • Before you create a VPN gateway, we recommend that you familiarize yourself with the limits of VPN gateways. For more information, see the Limits section in the "Create and manage a VPN gateway" topic.

  • VPN gateways in some regions support only IPsec-VPN connections in dual-tunnel mode. If you call CreateVpnGateway in these regions, you must specify VSwitchId and DisasterRecoveryVSwitchId in addition to the required parameters. For more information about the regions and zones that support the IPsec-VPN connections in dual-tunnel mode, see IPsec-VPN connections support the dual-tunnel mode.

  • CreateVpnGateway is an asynchronous operation. After you send a request to call this operation, the system returns a request ID while the VPN gateway is still being created in the backend. You can call DescribeVpnGateway to query the status of a VPN gateway.

    • If the VPN gateway is in the provisioning state, the VPN gateway is being created.
    • If the VPN gateway is in the active state, the VPN gateway is created.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you the trouble of calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information for this API operation. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. The columns are described as follows:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation | Access level | Resource type | Condition key | Associated operation
vpc:CreateVpnGateway | Write | VpnGateway: acs:vpc:{#regionId}:{#accountId}:vpngateway/* | none | none
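
An added example (not Alibaba Cloud's code): a small audit that flags policy statements allowing vpc:CreateVpnGateway through a wildcard Action or through a Resource that is not pinned to a region and account in the ARN shape from the table. The policy layout (Version, Statement, Effect, Action, Resource), the fnmatch-based wildcard matching, the function names and both sample policies are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

ACTION = "vpc:CreateVpnGateway"  # Operation value from the table above


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_is_scoped(arn):
    # Documented shape: acs:vpc:{regionId}:{accountId}:vpngateway/*
    parts = arn.split(":", 4)
    return (len(parts) == 5 and parts[:2] == ["acs", "vpc"]
            and all(p and "*" not in p for p in parts[2:4])
            and parts[4].startswith("vpngateway/"))


def audit_policy(policy):
    """Return (statement_index, issue, value) tuples for over-broad grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: "*" wildcards in Action, compared case-insensitively.
        hits = [a for a in _as_list(stmt.get("Action", []))
                if fnmatchcase(ACTION.lower(), a.lower())]
        if not hits:
            continue
        findings += [(idx, "wildcard-action", a) for a in hits if "*" in a]
        findings += [(idx, "unscoped-resource", r)
                     for r in _as_list(stmt.get("Resource", []))
                     if not _resource_is_scoped(r)]
    return findings


# Constructed sample policies; the account ID is a placeholder.
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "vpc:*", "Resource": "*"}]}
SCOPED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["vpc:CreateVpnGateway"],
     "Resource": "acs:vpc:cn-hangzhou:<account-id>:vpngateway/*"}]}
```

Deny statements and Condition blocks are not evaluated, so an empty result means only that no Allow statement is broader than the documented resource scope.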

Request parameters

Parameter | Type | Required | Description | Example

RegionId | string | Yes

The region ID of the VPN gateway. You can call the DescribeRegions operation to query the most recent region list.

Example: cn-hangzhou

Name | string | No

The name of the VPN gateway. The default value is the ID of the VPN gateway.

The name must be 2 to 100 characters in length and cannot start with http:// or https://. It must start with a letter and can contain letters, digits, underscores (_), hyphens (-), and periods (.). Other special characters are not supported.

Example: MYVPN

VpcId | string | Yes

The ID of the virtual private cloud (VPC) where you want to create the VPN gateway.

Example: vpc-bp1ub1yt9cvakoelj****

InstanceChargeType | string | No

The billing method of the VPN gateway. Set the value to POSTPAY, which specifies the pay-as-you-go billing method.

Example value for the Alibaba Cloud China site: PREPAY. Example value for the Alibaba Cloud International site: POSTPAY.

Period | integer | No

The subscription duration. Unit: month. Valid values: 1 to 9, 12, 24, and 36.

Example: 1

AutoPay | boolean | No

Specifies whether to enable automatic payment for the VPN gateway. Valid values:

  • true
  • false (default)

Example: false

Bandwidth | integer | Yes

The maximum bandwidth of the VPN gateway. Unit: Mbit/s.

  • If you want to create a public VPN gateway, valid values are 10, 100, 200, 500, and 1000.
  • If you want to create a private VPN gateway, valid values are 200 and 1000.

Note: The maximum bandwidth supported by VPN gateways in some regions is 200 Mbit/s. For more information, see VPN gateway limits.

Example: 5

EnableIpsec | boolean | No

Specifies whether to enable the IPsec-VPN feature. Valid values:

  • true (default)
  • false

Example: true

EnableSsl | boolean | No

Specifies whether to enable the SSL-VPN feature for the VPN gateway. Valid values:

  • true
  • false (default)

Example: false

SslConnections | integer | No

The maximum number of clients that can be connected at the same time. Valid values: 5 (default), 10, 20, 50, 100, 200, 500, and 1000.

Example: 5

VSwitchId | string | No

The vSwitch with which you want to associate the VPN gateway.

  • If you call this operation in a region that supports IPsec-VPN connections in dual-tunnel mode, this parameter is required. You must specify a vSwitch and specify DisasterRecoveryVSwitchId.
  • If you call this operation in a region that supports IPsec-VPN connections in single-tunnel mode and do not specify a vSwitch, the system automatically specifies a vSwitch.

Example: vsw-bp1j5miw2bae9s2vt****

VpnType | string | No

The type of the VPN gateway. Set the value to Normal (default), which specifies a standard VPN gateway.

Example: Normal

ClientToken | string | No

The client token that is used to ensure the idempotence of the request.

You can use the client to generate a value, and you must make sure that each request has a unique token value. The client token can contain only ASCII characters.

Note: If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The value of RequestId for each API request is different.

Example: 02fb3da4****

NetworkType | string | No

The network type of the VPN gateway. Valid values:

  • public (default)
  • private

Example: public

DisasterRecoveryVSwitchId | string | No

The second vSwitch with which you want to associate the VPN gateway.

  • If you call this operation in a region that supports IPsec-VPN connections in dual-tunnel mode, this parameter is required.
  • You need to specify two vSwitches in different zones in the virtual private cloud (VPC) that is associated with the VPN gateway to implement disaster recovery across zones.
  • For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability. You can specify the same vSwitch.

For more information about the regions and zones that support IPsec-VPN connections in dual-tunnel mode, see IPsec-VPN connections support the dual-tunnel mode.

Example: vsw-p0wiz7obm0tbimu4r****

ResourceGroupId | string | No

The ID of the resource group to which the VPN gateway belongs.

  • You can call the ListResourceGroups operation to query the resource group list.

  • If you do not specify a resource group, the VPN gateway will belong to the default resource group after being created.

  • After the VPN gateway is created, if you create an SSL server, SSL client certificate, IPsec server, or IPsec-VPN connection under the VPN gateway (when the IPsec-VPN connection is bound to the VPN gateway), these resources directly belong to the resource group to which the VPN gateway belongs and cannot be modified.

    If you change the resource group to which the VPN gateway belongs, the resource group to which the resource belongs will also be changed.

Example: rg-acfmzs372yg****
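
The parameter rules above, collected into a client-side pre-flight check; this is an added example, not code from Alibaba Cloud or its SDK. check_create_vpn_gateway, the dual_tunnel_region flag and the "local:" labels are hypothetical, the pairing of checks with error codes from this page is an assumption, and Name is checked against ASCII letters only.

```python
import re

# Constraints transcribed from the request-parameter table above.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{1,99}")  # assumption: ASCII letters
PERIODS = set(range(1, 10)) | {12, 24, 36}
BANDWIDTH = {"public": {10, 100, 200, 500, 1000}, "private": {200, 1000}}
SSL_CONNECTIONS = {5, 10, 20, 50, 100, 200, 500, 1000}


def check_create_vpn_gateway(params, dual_tunnel_region=False):
    """Return a list of problems; an empty list means the request looks valid.

    Entries named after an error code on this page are an assumed mapping;
    entries starting with "local:" have no documented code.
    """
    problems = []
    for key in ("RegionId", "VpcId", "Bandwidth"):
        if params.get(key) in (None, ""):
            problems.append(f"local:missing-{key}")

    name = params.get("Name")
    if name is not None and not NAME_RE.fullmatch(name):
        problems.append("InvalidName")  # also rejects http:// and https://
    if "Period" in params and params["Period"] not in PERIODS:
        problems.append("InvalidPeriod")

    network = params.get("NetworkType", "public")   # documented default
    ipsec = params.get("EnableIpsec", True)         # documented default
    ssl = params.get("EnableSsl", False)            # documented default
    if network not in BANDWIDTH:
        problems.append("local:bad-NetworkType")
    elif "Bandwidth" in params and params["Bandwidth"] not in BANDWIDTH[network]:
        problems.append("local:bad-Bandwidth")

    if not ipsec and not ssl:
        problems.append("InvalidVpnEnable")
    if ssl and network == "private":
        problems.append("OperationFailed.SslNotSupport")
    if "SslConnections" in params:
        if not ssl:
            problems.append("UnnecessarySslConnection")
        elif params["SslConnections"] not in SSL_CONNECTIONS:
            problems.append("local:bad-SslConnections")

    if dual_tunnel_region:  # caller decides; the region list is not on this page
        for key in ("VSwitchId", "DisasterRecoveryVSwitchId"):
            if not params.get(key):
                problems.append(f"local:missing-{key}")
    return problems
```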

Response parameters

Parameter | Type | Description | Example

(response body) | object

The returned data.

VpnGatewayId | string

The ID of the VPN gateway.

Example: vpn-uf68lxhgr7ftbqr3p****

RequestId | string

The request ID.

Example: EB2C156A-41F8-49CC-A756-D55AFC8BFD69

Name | string

The name of the VPN gateway.

Example: MYVPN

OrderId | long

The order ID.

If automatic payment is disabled, you must manually complete the payment for the VPN gateway in the Alibaba Cloud Management console.

Example: 208240895400460

Examples

Sample success responses

JSON format

{
  "VpnGatewayId": "vpn-uf68lxhgr7ftbqr3p****",
  "RequestId": "EB2C156A-41F8-49CC-A756-D55AFC8BFD69",
  "Name": "MYVPN",
  "OrderId": 208240895400460
}

Error codes

HTTP status code | Error code | Error message | Description
400 | InvalidVpcId.NotFound | The specified VPC id does not exist in our records. | -
400 | InvalidName | The specified value of Name not supported. | -
400 | InvalidSpec.NotFound | The specified Spec does not exist in our records. | -
400 | InvalidPeriod | The specified period is not valid | -
400 | ChargeType.NotSupport | The specified charge type is not support. | -
400 | InventoryNotEnough | The inventory is not enough. | -
400 | UnnecessarySslConnection | The SSL connection is unnecessary for ssl vpn disabled. | -
400 | InvalidVpnEnable | Either IPsec or SSL VPN must be set enable. | -
400 | Resource.QuotaFull | The quota of resource is full | The resource quota is exhausted.
400 | InvalidVSwitchId.NotFound | The specified vswitchId is not found. | -
400 | OperationFailed.InventoryNotEnough | No enough available resource. Try another vswitch with different available zone. | -
400 | Forbidden.OperateShareResource | Operating shared resources is forbidden. | -
400 | OperationFailed.IpNotEnough | Operation failed because private ip address of the virtual switch is not enough. | -
400 | Forbidden.NoSLRPermission | User not authorized to create service linked role. | -
400 | OperationFailed.VSwitchConflict | The vswitch can't create vpn. Try another vswitch. | -
400 | OperationFailed.AzNotSupport | Current available zone can't create vpn. Try another vswitch with different available zone. | -
400 | OperationFailed.NetworkTypeNotMatch | Create NationalStandard vpn with private networkType is unsupported. | -
400 | OperationFailed.SslNotSupport | Enable ssl vpn with private networkType is unsupported. | You cannot enable the SSL feature for a private VPN gateway.
400 | Forbidden.TagKey.Duplicated | The specified tag key already exists. | The tag resources are duplicate.
400 | SizeLimitExceeded.TagNum | The maximum number of tags is exceeded. | The number of tags has reached the upper limit.
400 | InvalidParameter.TagValue | The specified parameter TagValue is invalid. | The error message returned because the specified tag value is invalid.
400 | InvalidParameter.TagKey | The specified parameter TagKey is invalid. | The error message returned because the specified tag key is invalid.
400 | Duplicated.TagKey | The specified parameter TagKey is duplicated. | The error message returned because the specified tag key already exists.
400 | InternalError | The request processing has failed due to some unknown error, exception or failure. | An internal error occurred.
404 | InvalidRegionId.NotFound | The specified region is not found during access authentication. | The specified area is not found during authentication.

For a list of error codes, see Service error codes.

Change history

Change time | Summary of changes | Operation

2023-10-19 | API Description Update; The API operation is not deprecated; The error codes of the API operation change; The input parameters of the API operation change. | see changesets

  Change item | Change content
  API Description | API Description Update
  API Deprecation Description | The API operation is not deprecated.
  Error Codes | The error codes of the API operation change. delete Error Codes: 400; delete Error Codes: 404
  Input Parameters | The input parameters of the API operation change. Added Input Parameters: ResourceGroupId

2023-06-30 | The error codes of the API operation change; The input parameters of the API operation change. | see changesets

  Change item | Change content
  Error Codes | The error codes of the API operation change. delete Error Codes: 400; delete Error Codes: 404
  Input Parameters | The input parameters of the API operation change. Added Input Parameters: DisasterRecoveryVSwitchId

2023-05-04 | The error codes of the API operation change. | see changesets

  Change item | Change content
  Error Codes | The error codes of the API operation change. delete Error Codes: 400; delete Error Codes: 404