VPN Gateway: Connect an iOS device to a VPC

Last Updated: Feb 04, 2026

This topic describes how to connect an iOS device (iPhone or iPad) to an Alibaba Cloud virtual private cloud (VPC) using the native IKEv2 VPN client. This configuration allows secure access to internal resources (such as ECS instances) from a mobile device without exposing them to the public Internet.

Overview

Architecture

You will create a VPN gateway and an IPsec Server on Alibaba Cloud, then configure the native iOS VPN client to establish the connection.

Example Planning

The following resources and settings are used in this tutorial:

| Resource | Item | Value | Description |
| --- | --- | --- | --- |
| VPC | Name | vpc-demo | Target network to access. |
| | CIDR Block | 10.0.0.0/16 | |
| | Region | China (Hangzhou) | |
| | vSwitch 1 | vsw1 | Zone J, 10.0.0.0/24. |
| | vSwitch 2 | vsw2 | Zone K, 10.0.1.0/24. |
| ECS | Private IP | 10.0.0.1 | Web server for verification. |
| Client | Local Network | 172.16.0.0/16 | The physical network of the iOS device. |

Prerequisites

Check Region Support

The IPsec Server feature is supported in specific regions, including China (Hangzhou), China (Shanghai), Germany (Frankfurt), and others.

Important

Before proceeding, verify that your VPC is located in a supported region. For the complete and most up-to-date list of supported regions, see IPsec servers.

If your VPC is in an unsupported region, consider using Cross-VPC connectivity.

Step 1: Create a VPN gateway

  1. Log in to the VPN gateway Console.

  2. Click Create VPN Gateway and configure the following parameters.

    Note

    If you want to use an existing VPN gateway, ensure that the SSL-VPN feature is enabled and the gateway is upgraded to the latest version. The IPsec Server feature relies on the Point-to-Site capabilities provided by the SSL-VPN feature set.

    | Parameter | Example Value | Description |
    | --- | --- | --- |
    | Name | vpn-demo | |
    | Region | China (Hangzhou) | Must match the VPC region. |
    | VPC | vpc-demo | The target VPC. |
    | VSwitch | vsw1, vsw2 | Select vSwitches in different zones for High Availability (HA). |
    | Maximum Bandwidth | 10 Mbps | Adjust based on throughput requirements. |
    | VPN Type | Standard | |
    | IPsec-VPN | Disable | You can leave this disabled if you do not need Site-to-Site connections. |
    | SSL-VPN | Enable | Required. Enables the necessary resources for the IPsec Server feature. |
    | SSL Connections | 5 | Maximum concurrent client connections. |

  3. Complete the payment. Wait 1–5 minutes for the status to change to Normal.

Step 2: Create an IPsec Server

  1. In the left navigation pane, choose Interconnections > VPN > IPsec Servers.

  2. Select the region China (Hangzhou).

  3. Click Create IPsec Server and configure the parameters.

    | Parameter | Example Value | Description |
    | --- | --- | --- |
    | Name | server-demo | |
    | VPN Gateway | vpn-demo | Select the gateway created in Step 1. |
    | Local Network | 10.0.0.0/16 | The CIDR block of the VPC (or subnets) the client needs to access. |
    | Client CIDR Block | 10.222.222.0/24 | Virtual IP pool for clients. Warning: Must not overlap with the Local Network or the client's physical network (e.g., 172.16.0.0/16). |
    | Pre-Shared Key | AliyunVPN123! | Maps to the Secret field in iOS. Note: Use a strong key (16+ chars, mixed case, numbers, symbols). |
    | Effective Immediately | Yes | |

  4. Click OK.

  5. In the IPsec Servers list, note the public IP Address of your server (e.g., 47.xx.xx.xx).
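
A pre-flight check for the Step 2 values, added here as an example (not Alibaba Cloud code): it tests the Client CIDR Block for overlap with the Local Network and the client's physical network, and checks a Pre-Shared Key against the 16+ character, mixed-case, number and symbol guidance. The function names and the symbol set used for key generation are assumptions; adjust the symbols to what the console accepts.

```python
import ipaddress
import secrets
import string

# Assumption: symbol set for generated keys, not taken from the console's rules.
SYMBOLS = "!#$%*+-=?@_"


def cidr_conflicts(client_cidr, others):
    """Return the names of the networks in `others` that overlap the client pool."""
    pool = ipaddress.ip_network(client_cidr, strict=True)
    return [name for name, cidr in others.items()
            if pool.overlaps(ipaddress.ip_network(cidr, strict=True))]


def psk_problems(psk):
    """List the ways a key misses the guidance in the Pre-Shared Key note."""
    checks = {
        "shorter than 16 characters": len(psk) >= 16,
        "no lowercase letter": any(c.islower() for c in psk),
        "no uppercase letter": any(c.isupper() for c in psk),
        "no digit": any(c.isdigit() for c in psk),
        "no symbol": any(not c.isalnum() for c in psk),
    }
    return [problem for problem, ok in checks.items() if not ok]


def generate_psk(length=24):
    """Draw keys from the OS CSPRNG until one satisfies every check."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not psk_problems(psk):
            return psk


if __name__ == "__main__":
    # Values from this tutorial's example planning.
    plan = {"Local Network (VPC)": "10.0.0.0/16",
            "client physical network": "172.16.0.0/16"}
    print("planned pool conflicts:", cidr_conflicts("10.222.222.0/24", plan))
    # Constructed bad choice: a pool carved out of the VPC range.
    print("bad pool conflicts:", cidr_conflicts("10.0.222.0/24", plan))
    print("sample key problems:", psk_problems("AliyunVPN123!"))
    print("generated key problems:", psk_problems(generate_psk()))
```

Run against this tutorial's values, the planned CIDR blocks pass, while the sample key AliyunVPN123! is reported as shorter than 16 characters.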

Step 3: Configure the iOS Device

  1. On the iOS device, go to Settings > General > VPN & Device Management > VPN.

  2. Tap Add VPN Configuration... and enter the following settings.

    | Field | Value | Notes |
    | --- | --- | --- |
    | Type | IKEv2 | |
    | Description | AliyunVPC | Any display name. |
    | Server | <IPsec Server Public IP> | The IP noted in Step 2. |
    | Remote ID | <IPsec Server Public IP> | Important: Must strictly match the Server IP. |
    | Local ID | / | Leave this parameter empty. |
    | User Authentication | None | |
    | Use Certificate | Off | Toggle disabled. |
    | Secret | AliyunVPN123! | The Pre-Shared Key set in Step 2. |
    | Proxy | Off | |

  3. Tap Done.

  4. Find the AliyunVPC profile and toggle the switch to Connected.

Step 4: Verify Connectivity

1. Configure Security Group

Ensure the Security Group of your target ECS instance allows inbound traffic from the VPN clients.

  • Protocol: TCP

  • Port: 80 (or your service port)

  • Source: 10.222.222.0/24 (The Client CIDR defined in Step 2)

2. Prepare Web Server

Ensure a web server is running on the target ECS (10.0.0.1).

# Example: Install Nginx on Alibaba Cloud Linux 3
sudo yum install -y nginx
sudo systemctl start nginx

3. Test Access

  1. Open Safari on the connected iOS device.

  2. Access the private IP: http://10.0.0.1.

  3. A successful connection will display the Nginx welcome page.

Troubleshooting

| Symptom | Possible Cause | Solution |
| --- | --- | --- |
| Connection Fails | Mismatched IDs. | Ensure Remote ID on iOS exactly matches the Server IP. |
| | Incorrect Key. | Verify the Secret matches the IPsec Server Pre-Shared Key. |
| Cannot Access ECS | Security Group restriction. | Add an inbound rule to the ECS Security Group allowing the Client CIDR (e.g., 10.222.222.0/24). Do not use the phone's physical IP. |