VPN Gateway: Create and manage a VPN gateway

Last Updated: May 14, 2024

Before you use an IPsec-VPN connection to connect a data center to a virtual private cloud (VPC), you must create a VPN gateway and enable the IPsec-VPN feature for the VPN gateway. After the VPN gateway is created, Alibaba Cloud deploys the resources that the VPN gateway requires.

Usage notes

The maximum bandwidth supported by a VPN gateway varies in different regions. The maximum bandwidth in some regions can reach 1000 Mbit/s.

  • If you set the maximum bandwidth of a VPN gateway to 100 Mbit/s or less when you create it, the effective maximum bandwidth depends on the traffic direction:

    • The maximum bandwidth of the network from the VPN gateway to the on-premises data center is the specified maximum bandwidth of the VPN gateway by default.

    • The maximum bandwidth of the network from the on-premises data center to the VPN gateway is 100 Mbit/s by default.

  • If you specify that the maximum bandwidth of a VPN gateway is greater than 100 Mbit/s when you create the VPN gateway, the maximum bandwidth of the network from the VPN gateway to the data center and from the data center to the VPN gateway is the specified maximum bandwidth of the VPN gateway by default.

    | Maximum bandwidth | Region |
    | --- | --- |
    | 1,000 Mbit/s | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), US (Virginia), Germany (Frankfurt), and UK (London) |
    | 200 Mbit/s | China (Nanjing - Local Region), Thailand (Bangkok), South Korea (Seoul), Philippines (Manila), India (Mumbai), Australia (Sydney), US (Silicon Valley), and UAE (Dubai) |

Create a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which you want to create the VPN gateway.

    Make sure that the VPN gateway resides in the same region as the VPC that you want to associate with the VPN gateway.

  3. On the VPN Gateways page, click Create VPN Gateway.

  4. On the buy page, configure the parameters described in the following table, click Buy Now, and then complete the payment.

    | Parameter | Description |
    | --- | --- |
    | Instance Name | The name of the VPN gateway. |
    | Resource Group | The resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. You can manage the resource group to which the VPN gateway belongs and resource groups to which other cloud resources belong in the Resource Management console. For more information, see What is Resource Management? |
    | Region and Zone | The region in which you want to create the VPN gateway. Make sure that the VPN gateway resides in the same region as the VPC that you want to associate with the VPN gateway. |
    | Gateway Type | The type of the VPN gateway. Default value: Standard. |
    | Network Type | The network type of the VPN gateway. Valid values: • Public: The VPN gateway can be used to establish IPsec-VPN connections over the Internet. • Private: The VPN gateway can be used to establish IPsec-VPN connections over private networks. Note: If you want to establish encrypted tunnels over private networks, we recommend that you associate private IPsec-VPN connections with a transit router (TR). For more information, see Create multiple private IPsec-VPN connections to implement load balancing. |
    | Tunnels | The system displays the tunnel modes that are supported in this region. Valid values: • Single-tunnel • Dual-tunnel. For more information, see [Upgrade notice] IPsec-VPN connections support the dual-tunnel mode. |
    | VPC | The VPC with which you want to associate the VPN gateway. |
    | vSwitch | The vSwitch with which you want to associate the VPN gateway. Select a vSwitch from the selected VPC. • If you select Single-tunnel, you need to specify one vSwitch. • If you select Dual-tunnel, you need to specify two vSwitches. Note: • The system selects a vSwitch by default. You can change or use the default vSwitch. • After you create a VPN gateway, you cannot change the vSwitch associated with the VPN gateway. You can view the associated vSwitch and the zone in which the vSwitch resides on the details page of the VPN gateway. |
    | vSwitch 2 | If you select Dual-tunnel, you need to specify another vSwitch in the VPC. • You need to specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones. • For a region that supports only one zone, zone disaster recovery is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can select the same vSwitch as the first one. Regions that support only one zone: China (Nanjing - Local Region), Thailand (Bangkok), South Korea (Seoul), Australia (Sydney), Philippines (Manila), and UAE (Dubai). |
    | Peak Bandwidth | The maximum bandwidth of the VPN gateway. Unit: Mbit/s. |
    | Traffic | The billing method of the VPN gateway. Default value: Pay-by-data-transfer. |
    | IPsec-VPN | Specifies whether to enable IPsec-VPN for the VPN gateway. Default value: Enable. You must enable this feature for the VPN gateway to establish an IPsec-VPN connection. |
    | SSL-VPN | Specifies whether to enable SSL-VPN for the VPN gateway. Default value: Disable. You do not need to enable this feature for the VPN gateway to establish an IPsec-VPN connection. |
    | Duration | The billing cycle of the VPN gateway. Default value: By Hour. |
    | Service-linked Role | The service-linked role of VPN Gateway. Click Create Service-linked Role. The system automatically creates the service-linked role AliyunServiceRoleForVpn. The VPN gateway assumes this role to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role is created and you do not need to create it again. |

    After the VPN gateway is created, the system assigns an IP address to the VPN gateway to establish an IPsec-VPN connection with the on-premises data center.

    What to do next

    After the VPN gateway is created, you must also create a customer gateway before you can establish an IPsec-VPN connection. The customer gateway is used to register the information about the gateway device of your data center with Alibaba Cloud. The information includes the IP address and autonomous system number (ASN) of the Border Gateway Protocol (BGP). For more information, see Create and manage a customer gateway.
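
The creation rules and bandwidth notes above can be checked before a gateway is purchased, which matters because the vSwitch cannot be changed afterwards. The following Python sketch is an added example, not Alibaba Cloud code: the keys of `plan`, the vSwitch IDs, and the zone names are hypothetical, and the sample plans are constructed.

```python
# Added example. Keys of `plan` are hypothetical; region names are the page's display names.
CAP_1000 = {"China (Hangzhou)", "China (Shanghai)", "China (Qingdao)", "China (Beijing)",
            "China (Zhangjiakou)", "China (Hohhot)", "China (Ulanqab)", "China (Shenzhen)",
            "China (Heyuan)", "China (Guangzhou)", "China (Chengdu)", "China (Hong Kong)",
            "Singapore", "Japan (Tokyo)", "Malaysia (Kuala Lumpur)", "Indonesia (Jakarta)",
            "US (Virginia)", "Germany (Frankfurt)", "UK (London)"}
CAP_200 = {"China (Nanjing - Local Region)", "Thailand (Bangkok)", "South Korea (Seoul)",
           "Philippines (Manila)", "India (Mumbai)", "Australia (Sydney)",
           "US (Silicon Valley)", "UAE (Dubai)"}
SINGLE_ZONE = {"China (Nanjing - Local Region)", "Thailand (Bangkok)", "South Korea (Seoul)",
               "Australia (Sydney)", "Philippines (Manila)", "UAE (Dubai)"}

def effective_bandwidth(peak):
    """Return (gateway -> data center, data center -> gateway) limits in Mbit/s."""
    return (peak, 100) if peak <= 100 else (peak, peak)

def check_plan(plan):
    """Return a list of findings; an empty list means no rule on this page is violated."""
    findings = []
    region = plan["region"]
    if region != plan["vpc_region"]:
        findings.append("region: gateway and VPC must be in the same region")
    cap = 1000 if region in CAP_1000 else 200 if region in CAP_200 else None
    if cap is None:
        findings.append("bandwidth: region is not in the page's bandwidth table")
    elif plan["peak_mbps"] > cap:
        findings.append(f"bandwidth: {plan['peak_mbps']} Mbit/s exceeds regional maximum {cap}")
    zones = [zone for _vsw_id, zone in plan["vswitches"]]
    if plan["tunnels"] == "single" and len(zones) != 1:
        findings.append("vswitch: single-tunnel mode takes exactly one vSwitch")
    if plan["tunnels"] == "dual":
        if len(zones) != 2:
            findings.append("vswitch: dual-tunnel mode takes two vSwitches")
        elif zones[0] == zones[1] and region not in SINGLE_ZONE:
            findings.append("vswitch: use two zones for cross-zone disaster recovery")
    if not plan["ipsec"]:
        findings.append("ipsec: must be enabled to establish an IPsec-VPN connection")
    if plan["ssl"]:
        findings.append("ssl: not required for an IPsec-VPN connection")
    return findings

# Constructed sample plans (not real resources).
GOOD = {"region": "China (Hangzhou)", "vpc_region": "China (Hangzhou)", "peak_mbps": 200,
        "tunnels": "dual", "vswitches": [("vsw-a", "zone-h"), ("vsw-b", "zone-i")],
        "ipsec": True, "ssl": False}
BAD = {"region": "Thailand (Bangkok)", "vpc_region": "Singapore", "peak_mbps": 500,
       "tunnels": "dual", "vswitches": [("vsw-a", "zone-a")], "ipsec": False, "ssl": True}

if __name__ == "__main__":
    print(check_plan(GOOD), check_plan(BAD), effective_bandwidth(50), sep="\n")
```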

Modify the name and description of a VPN gateway

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which the VPN gateway resides.

  3. On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.

  4. In the Basic Information section of the details page of the VPN gateway, modify the name and description of the VPN gateway.

    • Click Edit next to the Name field. In the dialog box that appears, modify the name of the VPN gateway and click OK.

    • Click Edit next to the Description field. In the dialog box that appears, modify the description and click OK.

Delete a VPN gateway

Before you delete a VPN gateway, make sure that no IPsec-VPN connection, SSL server, or IPsec server exists on the VPN gateway. For more information, see the following topics:

  1. Log on to the VPN Gateway console.

  2. In the top navigation bar, select the region in which the VPN gateway resides.

  3. On the VPN Gateways page, find the VPN gateway that you want to delete and click Delete in the Actions column.

  4. In the Delete VPN Gateway message, click OK.

Create and manage VPN gateways by calling API operations

You can call API operations to create and manage VPN gateways by using tools such as Alibaba Cloud SDKs, Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS). We recommend that you use Alibaba Cloud SDKs. For more information, see the following API references: