This topic describes the default quotas and usage limits for IPsec-VPN resources. It also explains how to request a quota increase.
Attach VPN Gateway
Resource | Default limit | Adjustable |
Maximum number of VPN gateways that you can create with an Alibaba Cloud account | 30 (across all regions). Counted together with IPsec-VPN connections associated with transit routers in the same account. | Increase quota. Quota name: vpn_quota_bgp_route_limit |
Maximum number of IPsec-VPN connections that you can create on a single VPN gateway | 10 | Increase quota. Quota name: vpn_quota_ipsec_connetcions_num |
Maximum bandwidth supported by a VPN gateway | Enhanced instance families: no bandwidth attribute. Standard instance families: 1000 Mbps. Some regions support up to 500 Mbps. | Cannot be adjusted |
Bandwidth supported by an IPsec-VPN connection bound to a VPN gateway | Enhanced instance families: 1 Gbps. Standard instance families: shared gateway bandwidth (1000 Mbps. Some regions support up to 500 Mbps). | Not adjustable |
Total number of inbound and outbound packets that a VPN gateway can transmit per second | 120,000 pps (256 bytes per packet). If multiple IPsec-VPN connections exist on a single VPN gateway, the combined pps across all connections must not exceed 120,000. | Not adjustable |
Maximum number of connections supported by a VPN gateway | 200,000. A network 5-tuple uniquely identifies a connection. A 5-tuple consists of a source IP address, a destination IP address, a source port, a destination port, and the protocol. Connections include those established using TCP, UDP, and ICMP. | Not adjustable |
Maximum number of policy-based routing entries supported by a VPN gateway | Enhanced instance families do not support policy-based routing. Standard instance families: 20 | Only standard instance families support quota increases. Increase quota. Quota name: vpn_pbr_route_entry_quota |
Maximum number of destination-based routing entries supported by a VPN gateway | Enhanced instance families: 50. Standard instance families: 30. | Increase quota. Quota name: vpn_route_entry_quota |
Maximum number of BGP routes that a VPN gateway can learn from a peer device | Enhanced instance families: 200. Standard instance families: 50. | Only standard instance families support quota increases. Contact your account manager. Maximum quota is 200. |
Maximum number of local or peer CIDR blocks that you can add to each IPsec-VPN connection | Enhanced instance families: 10. Classic: 5. | Cannot be adjusted |
Ports not supported by IPsec-VPN connections | Enhanced instance families: none. Classic: 2222. Port 2222 is used only internally by the VPN Gateway service. Traffic destined for port 2222 on an IPsec-VPN connection is dropped. | Not adjustable |
Attach a Transit Router
Resource | Default limit | Adjustable |
Maximum number of IPsec-VPN connections associated with transit routers that you can create with an Alibaba Cloud account | 30 (across all regions). Counted together with VPN gateways in the same account. | Increase quota. Quota name: vpn_quota_bgp_route_limit |
Bandwidth supported by an IPsec-VPN connection bound to a transit router | 1000 Mbps per tunnel | Not adjustable |
Total number of inbound and outbound packets that an IPsec-VPN connection bound to a transit router can transmit per second | 120,000 pps per tunnel (256 bytes per packet) | Not adjustable |
Maximum number of IPsec-VPN connections that support equal-cost multi-path (ECMP) routing on a single transit router | 32 | Cannot be adjusted |
Maximum number of route entries that the BGP route table of an IPsec-VPN connection can learn from the peer device | 1000 per tunnel (2000 total). Legacy single-tunnel mode supports 50 routes. | Only single-tunnel mode supports quota increases. Contact your account manager. Maximum quota is 200. |
Maximum number of local or peer CIDR blocks that you can add to each IPsec-VPN connection | 5 | Not adjustable |
Maximum number of connections supported by an IPsec-VPN connection | 200,000. A network 5-tuple uniquely identifies a connection. A 5-tuple consists of a source IP address, a destination IP address, a source port, a destination port, and the protocol. Connections include those established using TCP, UDP, and ICMP. | Not adjustable |
Ports not supported by IPsec-VPN connections | 2222. Port 2222 is used only internally by the VPN Gateway service. Traffic destined for port 2222 on an IPsec-VPN connection is dropped. | Not adjustable |
Maximum number of transit routers that you can associate with an IPsec-VPN connection | 1 | Cannot be adjusted |
Customer gateway limitations
Resource | Default limit | Adjustable |
Maximum number of customer gateways that you can create in a region | 150 | Not adjustable |
API rate limits
Rate limits for each API are listed in Throttling information.
You can increase some quotas yourself. For more information, see Self-service quota increase at the end of this topic.
You can receive quota alerts when usage reaches a threshold. This helps you increase quotas proactively. For more information, see Quota alerts.
Self-service quota increase
You can increase some quotas yourself. Go to the Quota Center page. In the Actions column for the target quota, click Apply. Technical support teams for each cloud product review and approve quota requests. To improve approval chances, provide a reasonable requested value and a detailed justification when submitting your request. Approval usually takes less than one minute.
If you use a multi-account structure such as a resource directory, use quota templates to request quotas in bulk. For more information, see Quota templates.
If you use a Resource Access Management (RAM) user, first grant the RAM user permissions to manage quotas. Attach the AliyunQuotasFullAccess policy. For more information, see Grant quota management permissions to a RAM user.