VPN Gateway: Limits

Last Updated: Feb 13, 2026

This topic describes the limits on the features and performance of IPsec-VPN and explains how to request a quota increase for resources.

IPsec Connection Limits for VPN Gateway

Resource

Default Limit

Increase Quota

Number of VPN Gateway instances that an Alibaba Cloud account can create

30

The total number of VPN Gateway instances that can be created across all regions for an Alibaba Cloud account cannot exceed 30.
If an Alibaba Cloud account has IPsec connections attached to Transit Routers, the total number of IPsec connections attached to Transit Routers and VPN Gateway instances across all regions for that Alibaba Cloud account cannot exceed 30.

Go to the quota management page to increase the quota.

Maximum bandwidth of a VPN Gateway instance

  • Enhanced instance families: A VPN Gateway instance does not have a bandwidth limit, but each IPsec connection has a default bandwidth limit of 1 Gbps.

  • Traditional instance families: 1,000 Mbps

    The maximum bandwidth of VPN Gateway instances in some regions is 500 Mbps. For more information about the regions, see VPN Gateway Instance Limits.

Bandwidth of an IPsec connection attached to a VPN Gateway

  • Enhanced VPN Gateway: The default bandwidth of each tunnel of an IPsec connection is 1 Gbps.

  • Traditional VPN Gateway: The total bandwidth of all IPsec connections of a VPN Gateway instance cannot exceed the bandwidth of the instance (up to 1,000 Mbps).

Cannot be adjusted

Total number of data packets that a VPN Gateway instance can transmit per second in both directions

120,000 pps (for 256-byte packets)

Note

If a VPN gateway has multiple IPsec-VPN connections, the sum of inbound and outbound packets transmitted through these connections per second must not exceed 120,000. Each packet is 256 bytes in size.

Cannot be adjusted

Number of IPsec connections that a VPN Gateway instance can have

10

Go to the quota management page to increase the quota.

Number of BGP dynamic routes that a VPN Gateway instance can learn from a peer

  • Enhanced VPN Gateway: 200

  • Traditional VPN Gateway: 50

  • Enhanced VPN Gateway: Not supported.

  • Traditional VPN Gateway: Contact your account manager to request a quota increase. The quota can be increased to a maximum of 200.

Number of policy-based routes that can be created for a VPN Gateway instance

  • Enhanced VPN Gateway: Not supported

  • Traditional VPN Gateway: 20

Go to the quota management page to increase the quota.

Number of destination-based routes that can be created for a VPN Gateway instance

  • Enhanced VPN Gateway: 50

  • Traditional VPN Gateway: 30

Number of local or peer CIDR blocks that can be added to an IPsec connection attached to a VPN Gateway instance

  • Attached to Enhanced VPN Gateway: 10

  • Attached to Traditional VPN Gateway: 5

Cannot be adjusted

Maximum number of connections supported by a VPN Gateway instance

200,000

A network 5-tuple (source IP address, destination IP address, source port, destination port, and protocol) uniquely identifies a connection. This applies to connections that are established using the TCP, UDP, and ICMP protocols.

Cannot be adjusted

Unsupported ports for IPsec connections attached to a VPN Gateway instance

  • Enhanced VPN Gateway: No limits

  • Traditional VPN Gateway: 2222

    Port 2222 is reserved for internal use by the VPN Gateway. Traffic to port 2222 of an IPsec connection is dropped.

Cannot be adjusted

IPsec Connection Limits for Transit Router

Resource

Default Limit

Increase Quota

Bandwidth of an IPsec connection attached to a Transit Router

  • In dual-tunnel mode, an IPsec-VPN connection supports up to 2,000 Mbit/s. Each tunnel supports up to 1,000 Mbit/s.

  • In single-tunnel mode, an IPsec-VPN connection supports up to 1,000 Mbit/s.

Cannot be adjusted

Total number of data packets that an IPsec connection attached to a Transit Router can transmit per second in both directions

  • In dual-tunnel mode, the total number of inbound and outbound packets that can be transmitted through a tunnel per second is 120,000. Each packet is 256 bytes in size.

  • In single-tunnel mode, the total number of inbound and outbound packets that can be transmitted through an IPsec-VPN connection per second is 120,000. Each packet is 256 bytes in size.

Cannot be adjusted

Number of IPsec connections that support Equal-Cost Multipath Routing (ECMP) for a Transit Router

32

Cannot be adjusted

Number of routes that a BGP route table can learn from a peer for an IPsec connection attached to a Transit Router

  • In dual-tunnel mode, each tunnel supports 1,000 routes, for a total of 2,000 routes.

  • In single-tunnel mode, 50 routes are supported.

  • Dual-tunnel mode: Cannot be adjusted.

  • Single-tunnel mode: Contact your account manager to request a quota increase. The quota can be increased to a maximum of 200 routes.

Number of local or peer CIDR blocks that can be added to an IPsec connection attached to a Transit Router

5

Cannot be adjusted

Maximum number of connections supported by an IPsec connection attached to a Transit Router

200,000

A network 5-tuple (source IP address, destination IP address, source port, destination port, and protocol) uniquely identifies a connection. This applies to connections that are established using the TCP, UDP, and ICMP protocols.

Cannot be adjusted

Unsupported ports for IPsec connections attached to a Transit Router

2222

Port 2222 is reserved for internal use by the VPN Gateway. Traffic to port 2222 of an IPsec connection is dropped.

Cannot be adjusted

Number of Transit Routers to which an IPsec connection can be attached

1

Cannot be adjusted

Customer Gateway Limits

Resource

Default Limit

Increase Quota

Number of customer gateways that can be created in a region

150

Cannot be adjusted