Creates an SSL server.
Operation description
- CreateSslVpnServer is an asynchronous operation. After you send a request, the system returns an instance ID but the SSL server has not been created yet. The creation task is still running in the background. You can call DescribeVpnGateway to query the status of the VPN gateway instance to determine the creation status of the SSL server:
If the VPN gateway instance is in the updating state, the SSL server is being created.
If the VPN gateway instance is in the active state, the SSL server is created.
CreateSslVpnServer does not support concurrent creation of SSL servers under the same VPN gateway.
Before you begin
You have created a VPN gateway with the SSL-VPN feature enabled. For more information, see CreateVpnGateway.
If you want to enable two-factor authentication for the SSL server, make sure that the VPN gateway instance supports this feature. You may need to upgrade the VPN gateway instance. For more information, see SSL-VPN two-factor authentication supports IDaaS EIAM 2.0.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
vpc:CreateSslVpnServer |
create |
*SslVpnServer
*VpnGateway
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| ClientToken |
string |
No |
The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters. Note
If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId may be different for each API request. |
02fb3da4-130e-11e9-8e44-0016e04115b |
| RegionId |
string |
Yes |
The region ID of the VPN gateway. You can call DescribeRegions to query the most recent region list. |
cn-shanghai |
| VpnGatewayId |
string |
Yes |
The ID of the VPN gateway. |
vpn-bp1hgim8by0kc9nga**** |
| Name |
string |
No |
The name of the SSL server. The name must be 1 to 100 characters in length and cannot start with |
sslvpnname |
| ClientIpPool |
string |
Yes |
The client CIDR block. The client CIDR block is used to allocate IP addresses to virtual network interface controllers (NICs) of clients. It does not refer to the existing internal network CIDR block of the client. When a client accesses the local network through an SSL-VPN connection, the VPN gateway allocates an IP address from the specified client CIDR block to the client. The client uses the allocated IP address to access cloud resources. When you specify the client CIDR block, make sure that the number of IP addresses in the client CIDR block is at least four times the number of SSL-VPN connections supported by the VPN gateway. Note
|
192.168.1.0/24 |
| LocalSubnet |
string |
Yes |
The local CIDR block. The local CIDR block is the CIDR block that the client needs to access through the SSL-VPN connection. The local CIDR block can be the CIDR block of a VPC, the CIDR block of a vSwitch, the CIDR block of an on-premises data center that is connected to a VPC through an Express Connect circuit, or the CIDR block of a cloud service such as Object Storage Service (OSS). The subnet mask of the local CIDR block must be 8 to 32 bits. The following CIDR blocks cannot be specified as the local CIDR block:
|
10.0.0.0/8 |
| Proto |
string |
No |
The protocol used by the SSL server. Valid values:
|
UDP |
| Cipher |
string |
No |
The encryption algorithm used by the SSL-VPN connection.
|
AES-128-CBC |
| Port |
integer |
No |
The port used by the SSL server. Valid values: 1 to 65535. Default value: 1194. The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, or 4500. |
1194 |
| Compress |
boolean |
No |
Specifies whether to compress communication data. Valid values:
|
false |
| EnableMultiFactorAuth |
boolean |
No |
Specifies whether to enable two-factor authentication. If you enable two-factor authentication, you must also configure
Note
|
false |
| IDaaSInstanceId |
string |
No |
The ID of the IDaaS EIAM instance. |
idaas-cn-hangzhou-p**** |
| IDaaSRegionId |
string |
No |
The region ID of the IDaaS EIAM instance. |
cn-hangzhou |
| IDaaSApplicationId |
string |
No |
The ID of the IDaaS application.
|
app_my6g4qmvnwxzj2f**** |
| DryRun |
boolean |
No |
Specifies whether to perform a dry run. Valid values:
|
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| SslVpnServerId |
string |
The ID of the SSL server. |
vss-bp18q7hzj6largv4v**** |
| RequestId |
string |
The request ID. |
E98A9651-7098-40C7-8F85-C818D1EBBA85 |
| Name |
string |
The name of the SSL server. |
test |
Examples
Success response
JSON format
{
"SslVpnServerId": "vss-bp18q7hzj6largv4v****",
"RequestId": "E98A9651-7098-40C7-8F85-C818D1EBBA85",
"Name": "test"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | Resource.QuotaFull | The quota of resource is full | |
| 400 | InvalidName | The name is not valid | |
| 400 | VpnGateway.Configuring | The specified service is configuring. | |
| 400 | VpnGateway.FinancialLocked | The specified service is financial locked. | |
| 400 | SslVpnServer.AlreadyExist | The SSL VPN server of specified vpn gateway already exists. | The specified SSL server already exists on the VPN gateway. |
| 400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | Route conflicts exist. |
| 400 | IpConflict | Client IP pool conflict with local IP range. | The client IP pool conflicts with the local IP range. |
| 400 | SslVpnServer.AddRouteError | Add route error whose destination is client IP pool, please check vpc route entry and relevant quota. | The system failed to add the route that points to the client CIDR block. View the VPC route and quota. |
| 400 | ClientIpPool.NetmaskInvalid | The netmask length of client IP pool must be greater than or equal to 16 and less than or equal to 29. | The subnet mask of the client IP pool must range from 16 to 29. |
| 400 | ClientIpPool.SubnetInvalid | The specified client IP pool cannot be used. | The client CIDR block is unavailable. |
| 400 | MissingParameter.IDaaSInstanceId | The input parameter IDaaSInstanceId is mandatory when enable multi-factor authentication. | You must set the IDaaSInstanceId parameter when you enable two-factor authentication. |
| 400 | OperationFailed.NoRamPermission | Vpn Service has no permission to operate your IDaaS instances. | The VPN service does not have the permissions to manage your IDaaS instance. |
| 400 | OperationUnsupported.NotSupportMultiFactorAuth | Current version of the VPN does not support multi-factor authentication. | |
| 400 | QuotaExceeded.VpnRouteEntry | The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit. | The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit. |
| 400 | SystemBusy | The system is busy. Please try again later. | |
| 400 | SslVpnServerPort.Illegal | The server port is not in the range of [1-65535]. | The port of the SSL-VPN server must be from 1 to 65535. |
| 400 | EnableHaCheck.SslVpnServerClientCidrContainsVpcRouteDest | Ssl vpn client cidr contains vpc route prefix. The vpc route prefix is %s. | The prefix %s in the VPC route table falls within the CIDR block of the SSL client. |
| 400 | VpnGateway.SslVpnDisabled | The VPN gateway has not enabled SSL VPN. | The SSL-VPN feature is disabled for the VPN gateway. |
| 400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | The specified "LocalSubnet" (%s) is invalid. |
| 400 | IllegalParam.IDaaSApplicationId | The specified IDaaS application Id is not illegal, the application instance needs to be created based on the dedicated SSL VPN template. | The specified IDaaS application instance ID is invalid. The application instance must be created based on the dedicated SSL VPN template. |
| 400 | SslVpnIDaaS2.NotSupport | Current version of the VPN does not support IDaaS2.0. | The current version of the VPN instance does not support IDaaS2.0. |
| 400 | MissingParam.IDaaSApplicationId | The input parameter IDaaSApplicationId is mandatory when enable multi-factor authentication. | Enter the IDaaSApplicationId parameters when starting two-factor authentication. |
| 400 | MissingParam.IDaaSRegionId | The input parameter IDaaSRegionId is mandatory when enable multi-factor authentication. | Enter the IDaaSRegionId parameters when starting two-factor authentication. |
| 400 | DryRunOperation | Request validation has been passed with DryRun flag set. | The request passed the dry run. |
| 403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | |
| 403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
| 404 | InvalidRegionId.NotFound | The specified region is not found during access authentication. | The specified area is not found during authentication. |
| 404 | InvalidVpnGatewayInstanceId.NotFound | The specified vpn gateway instance id does not exist. | |
| 404 | InvalidIDaaSInstanceId.NotFound | The specified IDaaS instance ID does not exist. | The specified IDaaS instance does not exist. |
| 404 | InvalidIDaaSApplicationId.NotFound | The specified IDaaS application Id does not exist. | The ID of the specified IDaaS application instance does not exist. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.