CreateVpnGateway - Virtual Private Cloud - Alibaba Cloud Documentation Center

Creates a VPN gateway.

Operation description

Before you create a VPN gateway, we recommend that you know more about the limits of VPN gateways. For more information, see the Limits section in the "Create and manage a VPN gateway" topic.
VPN gateways in some regions support only IPsec-VPN connections in dual-tunnel mode. If you call CreateVpnGateway in these regions, you must specify VSwitchId and DisasterRecoveryVSwitchId in addition to the required parameters. For more information about the regions and zones that support the IPsec-VPN connections in dual-tunnel mode, see IPsec-VPN connections support the dual-tunnel mode.
CreateVpnGateway is an asynchronous operation. After you send a request to call this operation, the system returns a request ID and the endpoint service is being created in the backend. You can call DescribeVpnGateway to query the status of a VPN gateway.
- If the VPN gateway is in the provisioning state, the VPN gateway is being created.
- If the VPN gateway is in the active state, the VPN gateway is created.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
vpc:CreateVpnGateway	create	VpnGateway acs:vpc:{#regionId}:{#accountId}:vpngateway/*	none	none

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The region ID of the VPN gateway. You can call the DescribeRegions operation to query the most recent region list.	cn-hangzhou
Name	string	No	The name of the VPN gateway. The default value is the ID of the VPN gateway. The name must be 2 to 100 characters in length and cannot start with `http://` or `https://`. It must start with a letter and can contain letters, digits, underscores (_), hyphens (-), and periods (.). Other special characters are not supported.	MYVPN
VpcId	string	Yes	The ID of the virtual private cloud (VPC) where you want to create the VPN gateway.	vpc-bp1ub1yt9cvakoelj****
InstanceChargeType	string	No	The billing method of the VPN gateway. Set the value to POSTPAY, which specifies the pay-as-you-go billing method.	Example value for the Alibaba Cloud China site: PREPAY. Example value for the Alibaba Cloud International site: POSTPAY.
Period	integer	No	The subscription duration. Unit: month. Valid values: 1 to 9, 12, 24, and 36.	1
AutoPay	boolean	No	Specifies whether to enable automatic payment. Valid values: true false (default) Note To create a VPN gateway, we recommend that you enable automatic payment. If you disable automatic payment, you must manually pay the bill to create the VPN gateway.	false
Bandwidth	integer	Yes	The maximum bandwidth of the VPN gateway. Unit: Mbit/s. If you want to create a public VPN gateway, valid values are 10, 100, 200, 500, and 1000. If you want to create a private VPN gateway, valid values are 200 and 1000. Note The maximum bandwidth supported by VPN gateways in some regions is 500 Mbit/s. For more information, see VPN gateway limits.	5
EnableIpsec	boolean	No	Specifies whether to enable IPsec-VPN for the VPN gateway. Valid values: true (default) false	true
EnableSsl	boolean	No	Specifies whether to enable SSL-VPN. Valid values: true false (default)	false
SslConnections	integer	No	The maximum number of clients that can be connected at the same time. Valid values: 5 (default), 10, 20, 50, 100, 200, 500, and 1000.	5
VSwitchId	string	No	The vSwitch with which you want to associate the VPN gateway. If you call this operation in a region that supports the IPsec-VPN connections in dual-tunnel mode, this parameter is required. You must specify a vSwitch and specify DisasterRecoveryVSwitchId. If you call this operation in a region that supports the IPsec-VPN connections in single-tunnel mode and do not specify a vSwitch, the system automatically specifies a vSwitch.	vsw-bp1j5miw2bae9s2vt****
VpnType	string	No	The type of the VPN gateway. Valid values: Set the value to Normal (default), which specifies a standard NAT gateway.	Normal
ClientToken	string	No	The client token that is used to ensure the idempotence of the request. You can use the client to generate a value, and you must make sure that each request has a unique token value. The client token can contain only ASCII characters. Note If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The value of RequestId for each API request is different.	02fb3da4****
NetworkType	string	No	The network type of the VPN gateway. Valid values: public (default) private	public
DisasterRecoveryVSwitchId	string	No	The second vSwitch with which you want to associate the VPN gateway. If you call this operation in a region that supports the IPsec-VPN connections in dual-tunnel mode, this parameter is required. You need to specify two vSwitches in different zones in the virtual private cloud (VPC) that is associated with the VPN gateway to implement disaster recovery across zones. For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability. You can specify the same vSwitch. For more information about the regions and zones that support the IPsec-VPN connections in dual-tunnel mode, see IPsec-VPN connections support the dual-tunnel mode.	vsw-p0wiz7obm0tbimu4r****
ResourceGroupId	string	No	The ID of the resource group to which the VPN gateway belongs. You can call the ListResourceGroups operation to query resource group IDs. If you do not specify a resource group ID, the VPN gateway belongs to the default resource group. After the VPN gateway is created, the following resources also belong to the resource group and you cannot change the resource group: SSL servers, SSL client certificates, IPsec servers, and IPsec-VPN connections. If you move the VPN gateway to a new resource group, the preceding resources are also moved to the new resource group.	rg-acfmzs372yg****

Response parameters

Parameter	Type	Description	Example
	object	The returned data.
VpnGatewayId	string	The ID of the VPN gateway.	vpn-uf68lxhgr7ftbqr3p****
RequestId	string	The request ID.	EB2C156A-41F8-49CC-A756-D55AFC8BFD69
Name	string	The name of the VPN gateway.	MYVPN
OrderId	long	The order ID. If automatic payment is disabled, you must manually complete the payment for the VPN gateway in the Alibaba Cloud Management console.	208240895400460

Examples

Sample success responses

JSONformat

{
  "VpnGatewayId": "vpn-uf68lxhgr7ftbqr3p****",
  "RequestId": "EB2C156A-41F8-49CC-A756-D55AFC8BFD69",
  "Name": "MYVPN",
  "OrderId": 208240895400460
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidVpcId.NotFound	The specified VPC id does not exist in our records.	-
400	InvalidName	The specified value of Name not supported.	-
400	InvalidSpec.NotFound	The specified Spec does not exist in our records.	-
400	InvalidPeriod	The specified period is not valid	-
400	ChargeType.NotSupport	The specified charge type is not support.	-
400	InventoryNotEnough	The inventory is not enough.	-
400	UnnecessarySslConnection	The SSL connection is unnecessary for ssl vpn disabled.	-
400	InvalidVpnEnable	Either IPsec or SSL VPN must be set enable.	-
400	Resource.QuotaFull	The quota of resource is full	The resource quota is exhausted.
400	InvalidVSwitchId.NotFound	The specified vswitchId is not found.	-
400	OperationFailed.InventoryNotEnough	No enough available resource. Try another vswitch with different available zone.	-
400	Forbidden.OperateShareResource	Operating shared resources is forbidden.	-
400	OperationFailed.IpNotEnough	Operation failed because private ip address of the virtual switch is not enough.	-
400	Forbidden.NoSLRPermission	User not authorized to create service linked role.	-
400	OperationFailed.VSwitchConflict	The vswitch can't create vpn. Try another vswitch.	-
400	OperationFailed.AzNotSupport	Current available zone can't create vpn. Try another vswitch with different available zone.	-
400	OperationFailed.NetworkTypeNotMatch	Create NationalStandard vpn with private networkType is unsupported.	-
400	OperationFailed.SslNotSupport	Enable ssl vpn with private networkType is unsupported.	You cannot enable the SSL feature for a private VPN gateway.
400	Forbidden.TagKey.Duplicated	The specified tag key already exists.	The tag resources are duplicate.
400	SizeLimitExceeded.TagNum	The maximum number of tags is exceeded.	The number of tags has reached the upper limit.
400	InvalidParameter.TagValue	The specified parameter TagValue is invalid.	The error message returned because the specified tag value is invalid.
400	InvalidParameter.TagKey	The specified parameter TagKey is invalid.	The error message returned because the specified tag key is invalid.
400	Duplicated.TagKey	The specified parameter TagKey is duplicated.	The error message returned because the specified tag key already exists.
400	InternalError	The request processing has failed due to some unknown error, exception or failure.	An internal error occurred.
400	InvalidVSwitchId.SecondVswitchNotSupport	The available zone of vswitch2 not supported.	The zone of the secondary vSwitch does not support the feature.
400	Resource.QuotaFull	The resources you are operating have reached the upper limit of the quota. Please increase the quota or use other solutions to avoid it according to the VPN operation document.	The resources you are operating have reached the upper limit of the quota. Please refer to the VPN operation document to increase the quota or use other schemes to avoid it.
400	InvalidVSwitchId.FirstVswitchNotSupport	The available zone of vswitch1 not supported.	The zone where the primary vSwitch is located is not supported.
400	InvalidVSwitchId.VswitchIdShouldDifferent	The VSwitch ids should be different.	The primary zone cannot be the same as the secondary zone.
400	InvalidVSwitchId.FirstVswitchIpNotEnough	The ip of vswitch1 not enough.	Insufficient number of available IPs in primary vSwitch.
400	InvalidVSwitchId.SecondVswitchIpNotEnough	The ip of vswitch2 not enough.	Insufficient IP addresses are available in the standby vSwitch.
400	InvalidVSwitchId.ZoneIdShouldDifferent	Two vSwitches should belong to different Availability Zones.	When you create a dual-tunnel VPN gateway, the two vSwitches that you specify must belong to different zones.
404	InvalidRegionId.NotFound	The specified region is not found during access authentication.	The specified area is not found during authentication.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-06-18	The Error code has changed	View Change Details
2024-01-04	The Error code has changed	View Change Details
2023-10-19	API Description Update. The API operation is not deprecated.. The Error code has changed. The request parameters of the API has changed	View Change Details
2023-06-30	The Error code has changed. The request parameters of the API has changed	View Change Details
2023-05-04	The Error code has changed	View Change Details