All Products
Search
Document Center

VPN Gateway:CreateSslVpnServer

Last Updated:Jun 25, 2026

Creates an SSL server.

Operation description

  • CreateSslVpnServer is an asynchronous operation. After you send a request, the system returns an instance ID but the SSL server has not been created yet. The creation task is still running in the background. You can call DescribeVpnGateway to query the status of the VPN gateway instance to determine the creation status of the SSL server:
    • If the VPN gateway instance is in the updating state, the SSL server is being created.

    • If the VPN gateway instance is in the active state, the SSL server is created.

  • CreateSslVpnServer does not support concurrent creation of SSL servers under the same VPN gateway.

Before you begin

  • You have created a VPN gateway with the SSL-VPN feature enabled. For more information, see CreateVpnGateway.

  • If you want to enable two-factor authentication for the SSL server, make sure that the VPN gateway instance supports this feature. You may need to upgrade the VPN gateway instance. For more information, see SSL-VPN two-factor authentication supports IDaaS EIAM 2.0.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

vpc:CreateSslVpnServer

create

*SslVpnServer

acs:vpc:{#regionId}:{#accountId}:sslvpnserver/*

*VpnGateway

acs:vpc:{#regionId}:{#accountId}:vpngateway/{#VpnGatewayId}

None None

Request parameters

Parameter

Type

Required

Description

Example

ClientToken

string

No

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters.

Note

If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId may be different for each API request.

02fb3da4-130e-11e9-8e44-0016e04115b

RegionId

string

Yes

The region ID of the VPN gateway.

You can call DescribeRegions to query the most recent region list.

cn-shanghai

VpnGatewayId

string

Yes

The ID of the VPN gateway.

vpn-bp1hgim8by0kc9nga****

Name

string

No

The name of the SSL server.

The name must be 1 to 100 characters in length and cannot start with http:// or https://.

sslvpnname

ClientIpPool

string

Yes

The client CIDR block.

The client CIDR block is used to allocate IP addresses to virtual network interface controllers (NICs) of clients. It does not refer to the existing internal network CIDR block of the client.

When a client accesses the local network through an SSL-VPN connection, the VPN gateway allocates an IP address from the specified client CIDR block to the client. The client uses the allocated IP address to access cloud resources.

When you specify the client CIDR block, make sure that the number of IP addresses in the client CIDR block is at least four times the number of SSL-VPN connections supported by the VPN gateway.

Click to view the reason

For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet with a 30-bit subnet mask from the 192.168.0.0/24 CIDR block, such as 192.168.0.4/30, and then allocates one IP address from 192.168.0.4/30 to the client. The remaining three IP addresses are used by the system to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that all clients can be allocated IP addresses, make sure that the number of IP addresses in the client CIDR block is at least four times the number of SSL-VPN connections supported by the VPN gateway.

Click to view unsupported CIDR blocks

  • 100.64.0.0 to 100.127.255.255

  • 127.0.0.0 to 127.255.255.255

  • 169.254.0.0 to 169.254.255.255

  • 224.0.0.0 to 239.255.255.255

  • 255.0.0.0 to 255.255.255.255

Click to view recommended client CIDR blocks for each number of SSL-VPN connections

  • If the number of SSL-VPN connections is 5, the subnet mask of the client CIDR block must be 27 bits or less. Example: 10.0.0.0/27 or 10.0.0.0/26.

  • If the number of SSL-VPN connections is 10, the subnet mask of the client CIDR block must be 26 bits or less. Example: 10.0.0.0/26 or 10.0.0.0/25.

  • If the number of SSL-VPN connections is 20, the subnet mask of the client CIDR block must be 25 bits or less. Example: 10.0.0.0/25 or 10.0.0.0/24.

  • If the number of SSL-VPN connections is 50, the subnet mask of the client CIDR block must be 24 bits or less. Example: 10.0.0.0/24 or 10.0.0.0/23.

  • If the number of SSL-VPN connections is 100, the subnet mask of the client CIDR block must be 23 bits or less. Example: 10.0.0.0/23 or 10.0.0.0/22.

  • If the number of SSL-VPN connections is 200, the subnet mask of the client CIDR block must be 22 bits or less. Example: 10.0.0.0/22 or 10.0.0.0/21.

  • If the number of SSL-VPN connections is 500, the subnet mask of the client CIDR block must be 21 bits or less. Example: 10.0.0.0/21 or 10.0.0.0/20.

  • If the number of SSL-VPN connections is 1000, the subnet mask of the client CIDR block must be 20 bits or less. Example: 10.0.0.0/20 or 10.0.0.0/19.

Note
  • The subnet mask of the client CIDR block must be 16 to 29 bits.

  • Make sure that the client CIDR block does not overlap with the local CIDR block, the virtual private cloud (VPC) CIDR block, or any routing CIDR block associated with the client terminal.

  • When you specify the client CIDR block, use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or their subnets. If you want to specify a public CIDR block as the client CIDR block, set the public CIDR block as a user CIDR block of the VPC to ensure that the VPC can access the public CIDR block. For more information about user CIDR blocks, see VPC FAQ.

  • After the SSL server is created, the system automatically adds the routing of the client CIDR block to the route table of the VPC instance. Do not manually add the routing of the client CIDR block to the route table of the VPC instance. Otherwise, SSL-VPN connection traffic may be abnormal.

192.168.1.0/24

LocalSubnet

string

Yes

The local CIDR block.

The local CIDR block is the CIDR block that the client needs to access through the SSL-VPN connection.

The local CIDR block can be the CIDR block of a VPC, the CIDR block of a vSwitch, the CIDR block of an on-premises data center that is connected to a VPC through an Express Connect circuit, or the CIDR block of a cloud service such as Object Storage Service (OSS).

The subnet mask of the local CIDR block must be 8 to 32 bits. The following CIDR blocks cannot be specified as the local CIDR block:

  • 127.0.0.0 to 127.255.255.255

  • 169.254.0.0 to 169.254.255.255

  • 224.0.0.0 to 239.255.255.255

  • 255.0.0.0 to 255.255.255.255.

10.0.0.0/8

Proto

string

No

The protocol used by the SSL server. Valid values:

  • TCP (default): TCP protocol.

  • UDP: UDP protocol.

UDP

Cipher

string

No

The encryption algorithm used by the SSL-VPN connection.

  • If the client uses Tunnelblick or OpenVPN 2.4.0 or later, the SSL server and the client dynamically negotiate the encryption algorithm and preferentially use the encryption algorithm with the highest security level that is supported by both parties. The encryption algorithm that you specify for the SSL server does not take effect.

  • If the client uses OpenVPN earlier than 2.4.0, the SSL server and the client use the encryption algorithm that you specify for the SSL server. The SSL server supports the following encryption algorithms:

    • AES-128-CBC (default): AES-128-CBC algorithm.

    • AES-192-CBC: AES-192-CBC algorithm.

    • AES-256-CBC: AES-256-CBC algorithm.

    • none: no encryption algorithm is used.

AES-128-CBC

Port

integer

No

The port used by the SSL server. Valid values: 1 to 65535. Default value: 1194.

The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, or 4500.

1194

Compress

boolean

No

Specifies whether to compress communication data. Valid values:

  • true: compresses communication data.

  • false (default): does not compress communication data.

false

EnableMultiFactorAuth

boolean

No

Specifies whether to enable two-factor authentication. If you enable two-factor authentication, you must also configure IDaaSInstanceId, IDaaSRegionId, and IDaaSApplicationId. Valid values:

  • true: enabled.

  • false (default): disabled.

Note
  • If you use two-factor authentication for the first time, complete authorization before creating the SSL server.

  • When you create an SSL server in the UAE (Dubai) region, bind an IDaaS EIAM 2.0 instance in the Singapore region to reduce cross-region latency.

  • IDaaS EIAM 1.0 instances are no longer available for purchase. If your Alibaba Cloud account has IDaaS EIAM 1.0 instances, you can still bind IDaaS EIAM 1.0 instances after enabling two-factor authentication. If your Alibaba Cloud account does not have IDaaS EIAM 1.0 instances, you can bind only IDaaS EIAM 2.0 instances after enabling two-factor authentication.

false

IDaaSInstanceId

string

No

The ID of the IDaaS EIAM instance.

idaas-cn-hangzhou-p****

IDaaSRegionId

string

No

The region ID of the IDaaS EIAM instance.

cn-hangzhou

IDaaSApplicationId

string

No

The ID of the IDaaS application.

  • If you bind an IDaaS EIAM 2.0 instance, enter the IDaaS application ID.

  • If you bind an IDaaS EIAM 1.0 instance, you do not need to enter the IDaaS application ID.

app_my6g4qmvnwxzj2f****

DryRun

boolean

No

Specifies whether to perform a dry run. Valid values:

  • true: performs a dry run without performing the actual request. The system checks the required parameters, request syntax, and limits. If the request fails the dry run, an error message is returned. If the request passes the dry run, the DryRunOperation error code is returned.

  • false (default): performs a dry run and performs the actual request. If the request passes the dry run, a 2xx HTTP status code is returned and the operation is performed.

Response elements

Element

Type

Description

Example

object

SslVpnServerId

string

The ID of the SSL server.

vss-bp18q7hzj6largv4v****

RequestId

string

The request ID.

E98A9651-7098-40C7-8F85-C818D1EBBA85

Name

string

The name of the SSL server.

test

Examples

Success response

JSON format

{
  "SslVpnServerId": "vss-bp18q7hzj6largv4v****",
  "RequestId": "E98A9651-7098-40C7-8F85-C818D1EBBA85",
  "Name": "test"
}

Error codes

HTTP status code

Error code

Error message

Description

400 Resource.QuotaFull The quota of resource is full
400 InvalidName The name is not valid
400 VpnGateway.Configuring The specified service is configuring.
400 VpnGateway.FinancialLocked The specified service is financial locked.
400 SslVpnServer.AlreadyExist The SSL VPN server of specified vpn gateway already exists. The specified SSL server already exists on the VPN gateway.
400 VpnRouteEntry.Conflict The specified route entry has conflict. Route conflicts exist.
400 IpConflict Client IP pool conflict with local IP range. The client IP pool conflicts with the local IP range.
400 SslVpnServer.AddRouteError Add route error whose destination is client IP pool, please check vpc route entry and relevant quota. The system failed to add the route that points to the client CIDR block. View the VPC route and quota.
400 ClientIpPool.NetmaskInvalid The netmask length of client IP pool must be greater than or equal to 16 and less than or equal to 29. The subnet mask of the client IP pool must range from 16 to 29.
400 ClientIpPool.SubnetInvalid The specified client IP pool cannot be used. The client CIDR block is unavailable.
400 MissingParameter.IDaaSInstanceId The input parameter IDaaSInstanceId is mandatory when enable multi-factor authentication. You must set the IDaaSInstanceId parameter when you enable two-factor authentication.
400 OperationFailed.NoRamPermission Vpn Service has no permission to operate your IDaaS instances. The VPN service does not have the permissions to manage your IDaaS instance.
400 OperationUnsupported.NotSupportMultiFactorAuth Current version of the VPN does not support multi-factor authentication.
400 QuotaExceeded.VpnRouteEntry The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit. The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit.
400 SystemBusy The system is busy. Please try again later.
400 SslVpnServerPort.Illegal The server port is not in the range of [1-65535]. The port of the SSL-VPN server must be from 1 to 65535.
400 EnableHaCheck.SslVpnServerClientCidrContainsVpcRouteDest Ssl vpn client cidr contains vpc route prefix. The vpc route prefix is %s. The prefix %s in the VPC route table falls within the CIDR block of the SSL client.
400 VpnGateway.SslVpnDisabled The VPN gateway has not enabled SSL VPN. The SSL-VPN feature is disabled for the VPN gateway.
400 IllegalParam.LocalSubnet The specified "LocalSubnet" (%s) is invalid. The specified "LocalSubnet" (%s) is invalid.
400 IllegalParam.IDaaSApplicationId The specified IDaaS application Id is not illegal, the application instance needs to be created based on the dedicated SSL VPN template. The specified IDaaS application instance ID is invalid. The application instance must be created based on the dedicated SSL VPN template.
400 SslVpnIDaaS2.NotSupport Current version of the VPN does not support IDaaS2.0. The current version of the VPN instance does not support IDaaS2.0.
400 MissingParam.IDaaSApplicationId The input parameter IDaaSApplicationId is mandatory when enable multi-factor authentication. Enter the IDaaSApplicationId parameters when starting two-factor authentication.
400 MissingParam.IDaaSRegionId The input parameter IDaaSRegionId is mandatory when enable multi-factor authentication. Enter the IDaaSRegionId parameters when starting two-factor authentication.
400 DryRunOperation Request validation has been passed with DryRun flag set. The request passed the dry run.
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user.
403 Forbidden User not authorized to operate on the specified resource. You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404 InvalidRegionId.NotFound The specified region is not found during access authentication. The specified area is not found during authentication.
404 InvalidVpnGatewayInstanceId.NotFound The specified vpn gateway instance id does not exist.
404 InvalidIDaaSInstanceId.NotFound The specified IDaaS instance ID does not exist. The specified IDaaS instance does not exist.
404 InvalidIDaaSApplicationId.NotFound The specified IDaaS application Id does not exist. The ID of the specified IDaaS application instance does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.