- The enhanced VPN gateway was released in February 2024 and is currently in public preview. To use it, request access from an Alibaba Cloud engineer.
- Supported regions: Malaysia (Kuala Lumpur), UK (London), China (Chengdu), US (Virginia), US (Silicon Valley), China (Hong Kong), and Singapore.
VPN Gateway comes in two types—enhanced and traditional—that differ in bandwidth, public IP, encryption algorithms, and billing.
Quick selection
Choose enhanced when:
- You are a first-time user: configuration is simpler thanks to multi-algorithm compatibility, and the IPsec connection fee is waived during public preview.
- You need higher bandwidth per connection than a traditional gateway provides.
- You need AES128-GCM-16 or AES256-GCM-16 encryption, or DH groups 15 to 24.
- You need more traffic selectors (up to 10).
Choose traditional when:
- You need SSL-VPN connections (client-to-site).
Detailed comparison
| Item | Enhanced VPN gateway | Traditional VPN gateway |
| --- | --- | --- |
| Bandwidth | No bandwidth specification on the gateway instance. Each IPsec connection has a dedicated 1 Gbps bandwidth, independent of other connections. | Gateway instances have a bandwidth specification: up to 1,000 Mbps (500 Mbps in some regions). All IPsec connections on the instance share this bandwidth. |
| Cloud public IP | Each tunnel gets a dedicated public IP address, not shared with other tunnels. | All IPsec tunnels on a gateway instance share the gateway's public IP address. |
| Private IP usage | Consumes one private IP address from each of two associated vSwitches (for ENIs). Total: two private IPs. | Consumes one private IP address from each of two associated vSwitches (for ENIs). Total: two private IPs. |
| Number of traffic selectors | 10 | 5 |
| Multi-algorithm compatibility | Supported. Configure multiple encryption algorithms to simplify third-party device connections. | Not supported. You must specify a single algorithm combination that matches the peer device exactly. |
| Encryption algorithm | Encryption: adds support for AES128-GCM-16 and AES256-GCM-16. DH group: adds support for groups 15 to 24 (10 groups in total). | Encryption: AES-128, AES-192, AES-256, 3DES, and DES. DH group: groups 1, 2, 5, and 14 only. |
| SSL-VPN | Not supported | Supported |
| Policy-based route | Not supported | Supported, up to 20 routes. |
| BGP route entries | 200 | 50 (can be increased to 200 upon request). |
| Billing | Billed for: IPsec connection. Billable items: IPsec connection fee + data transfer fee. | Billed for: VPN gateway. Billable items: VPN gateway instance fee + data transfer fee. |
Architecture diagrams
Enhanced VPN gateway:
Traditional VPN gateway:
Bandwidth
Enhanced: Dedicated bandwidth for each connection
An enhanced VPN gateway has no configurable bandwidth attribute. Each IPsec connection gets a dedicated 1 Gbps bandwidth, independent of other connections.
For example, two IPsec connections on an enhanced gateway each have dedicated 1 Gbps bandwidth. Traffic on one connection does not affect the other.
Each tunnel has 1 Gbps bandwidth. Since an IPsec connection uses two tunnels in active-standby mode, only the active tunnel carries traffic—so the effective bandwidth per connection is 1 Gbps.
Traditional: Shared bandwidth for all connections
A traditional VPN gateway has a configurable bandwidth attribute (200 Mbps, 500 Mbps, or 1,000 Mbps). All IPsec connections on the gateway share this bandwidth.
For example, with a 200 Mbps gateway and two IPsec connections, both share the 200 Mbps. Heavy traffic on one connection reduces bandwidth available to the other.
Public and private IP addresses
Enhanced: Dedicated public IP addresses
- The system assigns a unique public IP address to each IPsec tunnel.
- Each IPsec connection includes two tunnels (dual-tunnel mode), so each connection uses two independent public IP addresses.
- Configure your on-premises gateway to establish IPsec tunnels to both public IP addresses.
- Advantage: Better fault isolation—a public IP change on one tunnel does not affect others.
Traditional: Shared public IP addresses
- All IPsec connections on a traditional VPN gateway share the gateway's public IP addresses.
- All tunnels use the gateway's public IPs regardless of how many IPsec connections you create.
- Note: If a public IP has issues, all IPsec connections on the gateway are affected.
Private IP addresses
Both types handle private IPs the same way. When you create a gateway, associate it with a VPC and two vSwitches in different zones. The system creates an ENI in each vSwitch for traffic between the gateway and VPC.
- Each ENI consumes one private IP address from its vSwitch.
- A VPN gateway consumes two private IP addresses in total (one from each vSwitch).
- Ensure the vSwitches have sufficient available IP addresses.
Next steps
Starting with an enhanced VPN
Starting with a traditional VPN
Migrating to an enhanced VPN gateway
Migration may cause network interruptions. Assess risks and prepare a contingency plan before proceeding.
You cannot directly upgrade a traditional VPN gateway to enhanced. You must create a new one.
Recommended migration steps:
- Create an enhanced VPN gateway and associate it with the same VPC.
- Create an IPsec connection on the enhanced gateway and note the new cloud-side public IP addresses.
- Configure your on-premises gateway to point its IPsec tunnels at the new public IPs.
- Verify that the new connection works, then delete the old IPsec connection from the traditional gateway.
- Delete the traditional VPN gateway.
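As an added example (not Alibaba Cloud's code), the detailed comparison table and the migration steps above turned into a pre-check: it reports which limits a given workload violates on each gateway type, and what would block moving it onto an enhanced gateway. The limit names, the algorithm identifiers and the sample gateway are constructed, and it assumes the enhanced gateway keeps the traditional algorithms and DH groups and adds the ones the table lists.

```python
# Added example (not Alibaba Cloud code): the comparison table above encoded as a
# pre-check for moving a traditional gateway's workload to an enhanced gateway.
from collections import namedtuple
TRAD_ENC = {"aes128", "aes192", "aes256", "3des", "des"}
TRAD_DH = {1, 2, 5, 14}
# Assumption: the enhanced gateway keeps the traditional algorithms and adds the listed ones.
LIMITS = {
    "traditional": dict(ts=5, bgp=50, ssl_vpn=True, policy_routes=20, enc=TRAD_ENC, dh=TRAD_DH),
    "enhanced": dict(ts=10, bgp=200, ssl_vpn=False, policy_routes=0,
                     enc=TRAD_ENC | {"aes128gcm16", "aes256gcm16"}, dh=TRAD_DH | set(range(15, 25))),
}
PER_CONN_MBPS = 1000  # dedicated 1 Gbps per IPsec connection on an enhanced gateway

Conn = namedtuple("Conn", "name traffic_selectors enc dh_group peak_mbps")
# bandwidth_mbps is the traditional gateway specification; an enhanced gateway has none.
Gateway = namedtuple("Gateway", "kind bandwidth_mbps ssl_vpn policy_routes bgp_routes conns")

def check(gw):
    """Limits this configuration violates on gw.kind (empty list means it fits)."""
    lim, out = LIMITS[gw.kind], []
    if gw.ssl_vpn and not lim["ssl_vpn"]:
        out.append("SSL-VPN is not supported")
    if gw.policy_routes > lim["policy_routes"]:
        out.append(f"policy-based routes: {gw.policy_routes} > {lim['policy_routes']}")
    if gw.bgp_routes > lim["bgp"]:
        out.append(f"BGP route entries: {gw.bgp_routes} > {lim['bgp']}")
    for c in gw.conns:
        if c.traffic_selectors > lim["ts"]:
            out.append(f"{c.name}: {c.traffic_selectors} traffic selectors > {lim['ts']}")
        if c.enc not in lim["enc"] or c.dh_group not in lim["dh"]:
            out.append(f"{c.name}: {c.enc} with DH group {c.dh_group} not supported")
        if gw.kind == "enhanced" and c.peak_mbps > PER_CONN_MBPS:
            out.append(f"{c.name}: {c.peak_mbps} Mbps > dedicated {PER_CONN_MBPS} Mbps")
    if gw.kind == "traditional":  # all connections share the gateway specification
        total = sum(c.peak_mbps for c in gw.conns)
        if total > gw.bandwidth_mbps:
            out.append(f"bandwidth: connections need {total} Mbps, gateway has {gw.bandwidth_mbps}")
    return out

def migration_blockers(gw):
    """What the same workload would hit on an enhanced gateway (the migration target)."""
    return check(gw._replace(kind="enhanced"))

# Constructed sample: a 500 Mbps traditional gateway that has outgrown its limits.
SAMPLE = Gateway("traditional", 500, False, 0, 60, [
    Conn("hq", 8, "aes256gcm16", 19, 300), Conn("branch", 3, "aes256", 14, 300)])
SAMPLE_WITH_SSL = SAMPLE._replace(ssl_vpn=True)  # client-to-site users keep it on traditional
if __name__ == "__main__":
    print(check(SAMPLE), migration_blockers(SAMPLE), migration_blockers(SAMPLE_WITH_SSL))
```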