VPN Gateway: Limits

Last Updated: Dec 12, 2024

This topic describes the limits on the usage and performance of IPsec-VPN connections. This topic also describes how to request a quota increase.

Limits on VPN gateways

Item

Default value

Adjustable

Maximum number of VPN gateways that you can create with each Alibaba Cloud account

30

Note

This quota applies to each Alibaba Cloud account as a whole, regardless of how the VPN gateways are distributed across regions or virtual private clouds (VPCs).

For example, the following limits apply to each Alibaba Cloud account:

  • You can create at most 30 VPN gateways for one VPC in one region.

  • You can create at most 30 VPN gateways for multiple VPCs in multiple regions.

You can use one of the following methods to increase the quota:

  • Go to the Quota Management page and request a quota increase. For more information, see the Increase quotas section of the "Manage VPN Gateway quotas" topic.

  • Go to the Quota Center console and request a quota increase. For more information, see the Increase quotas section of the "Manage VPN Gateway quotas" topic.

Maximum bandwidth supported by a VPN gateway

1000 Mbps

Note

The maximum bandwidth supported by VPN gateways in some regions is 500 Mbit/s. For more information about the regions, see the Limits section of the "Create and manage a VPN gateway" topic.

N/A.

You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic.

Total number of inbound and outbound packets that can be transmitted by a VPN gateway per second

120,000 (256 bytes per packet)

Note

If a VPN gateway has multiple IPsec-VPN connections, the sum of inbound and outbound packets transmitted through these connections per second must not exceed 120,000. Each packet is 256 bytes in size.

N/A.

Maximum number of connections supported by a VPN gateway

200,000

Note

A network 5-tuple uniquely identifies a connection. A 5-tuple consists of a source IP address, a destination IP address, a source port number, a destination port number, and the protocol in use. The connections can be established by using the TCP, UDP, and Internet Control Message Protocol (ICMP) protocols.

N/A.

Maximum number of routes supported by the BGP route table of a VPN gateway

50

Submit a ticket or contact your account manager.

You can increase the quota up to 200.

Maximum number of policy-based routes supported by each VPN gateway

20

You can use one of the following methods to increase the quota:

  • Go to the Quota Management page and request a quota increase. For more information, see the Increase quotas section of the "Manage VPN Gateway quotas" topic.

  • Go to the Quota Center console and request a quota increase. For more information, see the Increase quotas section of the "Manage VPN Gateway quotas" topic.

Maximum number of destination-based routes supported by each VPN gateway

30

Limits on customer gateways

Item

Default value

Adjustable

Maximum number of customer gateways that you can create in each region

150

N/A.

Limits on IPsec-VPN connections

Item

Default value

Adjustable

Maximum number of IPsec-VPN connections that you can create on each VPN gateway

10

You can use one of the following methods to increase the quota:

  • Go to the Quota Management page and request a quota increase. For more information, see the Increase quotas section of the "Manage VPN Gateway quotas" topic.

  • Go to the Quota Center console and request a quota increase. For more information, see the Increase quotas section of the "Manage VPN Gateway quotas" topic.

Maximum number of local CIDR blocks that can be added to each IPsec-VPN connection

5

N/A.

Maximum number of peer CIDR blocks that can be added to each IPsec-VPN connection

5

Maximum number of transit routers that can be associated with an IPsec-VPN connection

1

Maximum number of IPsec-VPN connections for equal-cost multi-path (ECMP) routing supported by a transit router

16

The bandwidth supported by an IPsec-VPN connection after the IPsec-VPN connection is associated with a transit router

  • In single-tunnel mode, an IPsec-VPN connection supports up to 1,000 Mbit/s.

  • In dual-tunnel mode, an IPsec-VPN connection supports up to 2,000 Mbit/s. Each tunnel supports up to 1,000 Mbit/s.

N/A.

You can increase the bandwidth of an IPsec-VPN connection by using other methods. For more information, see the How do I increase the maximum bandwidth of IPsec-VPN connections? section of the "FAQ about VPN gateways" topic.

Total number of inbound and outbound packets that can be transmitted per second through an IPsec-VPN connection after the IPsec-VPN connection is associated with a transit router

  • In single-tunnel mode, the total number of inbound and outbound packets that can be transmitted through an IPsec-VPN connection per second is 120,000. Each packet is 256 bytes in size.

  • In dual-tunnel mode, the total number of inbound and outbound packets that can be transmitted through a tunnel per second is 120,000. Each packet is 256 bytes in size.

N/A.

Maximum number of connections supported by an IPsec-VPN connection after the IPsec-VPN connection is associated with a transit router

200,000

Note

A network 5-tuple uniquely identifies a connection. A 5-tuple consists of a source IP address, a destination IP address, a source port number, a destination port number, and the protocol in use. The connections can be established by using the TCP, UDP, and Internet Control Message Protocol (ICMP) protocols.

N/A.

Ports that are not supported by IPsec-VPN connections

2222

Note

Port 2222 is used only within a VPN gateway. Requests destined for port 2222 of an IPsec-VPN connection are dropped.

N/A.
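
The 5-tuple connection count and the port 2222 behavior described in the notes above can be checked against observed traffic before it is moved onto an IPsec-VPN connection. The following Python example is added here and is not part of the original documentation. The flow-record format, the sample records, the names `parse_flows` and `check_window`, and the use of port 0 for ICMP are assumptions made for the illustration.

```python
from collections import namedtuple

# Limits quoted from the tables on this page.
MAX_CONNECTIONS = 200_000  # distinct 5-tuples
MAX_PPS = 120_000          # inbound + outbound, stated for 256-byte packets
RESERVED_PORT = 2222       # used inside the VPN gateway; requests are dropped

Flow = namedtuple("Flow", "src dst sport dport proto packets")

# Constructed sample: flow records seen in a one-second window, one per line as
# "src dst sport dport proto packets" (hypothetical format, not real traffic).
# Assumption: ICMP has no ports, so its records carry 0 in both port fields.
SAMPLE = """\
10.0.1.10 192.168.5.20 51514 443 tcp 40
10.0.1.10 192.168.5.20 51514 443 tcp 25
10.0.1.11 192.168.5.21 40000 53 udp 2
10.0.1.12 192.168.5.22 50022 2222 tcp 6
10.0.1.13 192.168.5.23 0 0 icmp 4
"""

def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, proto, packets = line.split()
        flows.append(Flow(src, dst, int(sport), int(dport), proto.lower(), int(packets)))
    return flows

def check_window(flows, seconds=1):
    """Compare one observation window with the connection, packet and port limits."""
    five_tuples = {tuple(f[:5]) for f in flows}  # repeated records collapse to one connection
    pps = sum(f.packets for f in flows) / seconds
    # Assumption: raw packets per second are compared with the quoted figure directly.
    to_reserved = sorted(t for t in five_tuples if t[3] == RESERVED_PORT)
    return {
        "connections": len(five_tuples),
        "connections_ok": len(five_tuples) <= MAX_CONNECTIONS,
        "pps": pps,
        "pps_ok": pps <= MAX_PPS,
        "port_2222_flows": to_reserved,
    }

if __name__ == "__main__":
    print(check_window(parse_flows(SAMPLE)))
```

Any entry in `port_2222_flows` identifies a service that has to be moved to another port before it can be reached through the IPsec-VPN connection.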