
VPN Gateway: IPsec-VPN quotas and limits

Last Updated: Mar 26, 2026

This topic lists the default quotas and limits for IPsec-VPN and explains how to request an increase.

VPN gateway attachments

| Resource | Default limit | Adjustable |
|---|---|---|
| Number of VPN gateway instances per Alibaba Cloud account | 30 (total across all regions). This quota is shared with the number of IPsec-VPN connections attached to a Transit Router in the same account. | Yes. Quota name: vpn_quota_instances_num |
| Number of IPsec-VPN connections per VPN gateway instance | 10 | Yes. Quota name: vpn_quota_ipsec_connections_num |
| Maximum bandwidth per VPN gateway instance | Enhanced VPN gateway: Not applicable. Standard VPN gateway: 1,000 Mbps (500 Mbps in some regions). | No |
| Bandwidth per IPsec-VPN connection | Enhanced VPN gateway: 1 Gbps. Standard VPN gateway: All connections share the gateway's bandwidth of 1,000 Mbps (500 Mbps in some regions). | No |
| Total bidirectional packets per second (pps) for a VPN gateway instance | 120,000 pps (at 256 bytes per packet). If a VPN gateway instance has multiple IPsec-VPN connections, their combined pps cannot exceed this limit. | No |
| Maximum number of concurrent connections per VPN gateway instance | 200,000. A connection is uniquely identified by a network 5-tuple (source IP, destination IP, source port, destination port, and protocol). This includes connections established over TCP, UDP, and ICMP. | No |
| Number of policy-based routes per VPN gateway instance | Enhanced VPN gateway: Not supported. Standard VPN gateway: 20 | Yes, for Standard VPN gateway only. Quota name: vpn_pbr_route_entry_quota |
| Number of destination-based routes per VPN gateway instance | 30 | Yes. Quota name: vpn_route_entry_quota |
| Number of BGP routes learned from a peer per VPN gateway instance | Enhanced VPN gateway: 200. Standard VPN gateway: 50 | For Standard VPN gateway only, contact your account manager to request an increase up to a maximum of 200. |
| Number of local/remote CIDR blocks per IPsec-VPN connection | Enhanced VPN gateway: 10. Standard VPN gateway: 5 | No |
| Unsupported port for IPsec-VPN connections | Enhanced VPN gateway: None. Standard VPN gateway: 2222. The VPN gateway service reserves port 2222 for internal use and drops any traffic destined for this port on an IPsec-VPN connection. | No |

Transit Router attachments

| Resource | Default limit | Adjustable |
|---|---|---|
| Number of IPsec-VPN connections attached to a Transit Router per Alibaba Cloud account | 30 (total across all regions). This quota is shared with the number of VPN gateway instances in the same account. | Yes. Quota name: vpn_quota_instances_num |
| Bandwidth per IPsec-VPN connection | 1,000 Mbps per tunnel. | No |
| Total bidirectional pps per IPsec-VPN connection | 120,000 pps per tunnel (at 256 bytes per packet) | No |
| Number of tunnels that support ECMP per Transit Router | 32 tunnels (from 16 IPsec-VPN connections) | No |
| Number of BGP routes learned from a peer per IPsec-VPN connection | 1,000 per tunnel, for a total of 2,000. For legacy single-tunnel mode connections, the limit is 50. | For single-tunnel mode connections only, contact your account manager to request an increase up to a maximum of 200. |
| Number of local/remote CIDR blocks per IPsec-VPN connection | 5 | No |
| Maximum number of concurrent connections per IPsec-VPN connection | 200,000. A connection is uniquely identified by a network 5-tuple (source IP, destination IP, source port, destination port, and protocol). This includes connections established over TCP, UDP, and ICMP. | No |
| Unsupported port for IPsec-VPN connections | 2222. The VPN gateway service reserves port 2222 for internal use and drops any traffic destined for this port on an IPsec-VPN connection. | No |
| Number of Transit Routers per IPsec-VPN connection | 1 | No |

Customer gateway limits

| Resource | Default limit | Adjustable |
|---|---|---|
| Number of customer gateways per region | 150 | No |

API rate quotas

  • For API rate quotas, see Throttling.

  • Self-service quota increases are supported. For more information, see Requesting a quota increase.

  • You can configure alerts to notify you when quota usage nears its limit, so you can request an increase in advance. For details, see Quota alarms.

Request a quota increase

  • Some quotas can be increased through self-service. Go to Quota Center, find the quota that you want to increase, and click Apply in the Actions column. The technical support team for each cloud service reviews quota increase requests. To increase the likelihood of approval, provide a reasonable value and a detailed reason for your application. Approval typically takes less than one minute.

  • If you use Resource Directory to manage multiple accounts, use a Quota Template to request quota increases in bulk.

  • As a RAM user, you must have the AliyunQuotasFullAccess permission to manage quotas. For more information, see Grant permissions to a RAM user.