Before you use an SSL-VPN connection to connect a client to a virtual private cloud (VPC), you must create a VPN gateway and enable the SSL-VPN feature for the VPN gateway. After the VPN gateway is created, Alibaba Cloud deploys the resources that the VPN gateway requires.
Limits
The peak bandwidth for data transfer between a data center and a VPN gateway depends on the IPsec-VPN tunnel mode and the bandwidth of the VPN gateway. In the direction from the VPN gateway to the data center, the peak is always the bandwidth of the VPN gateway. In the direction from the data center to the VPN gateway, the peak is the bandwidth of the VPN gateway or a per-mode floor, whichever is higher:
Dual-tunnel mode, VPN gateway bandwidth greater than 10 Mbit/s: gateway to data center, the bandwidth of the VPN gateway; data center to gateway, the bandwidth of the VPN gateway.
Dual-tunnel mode, VPN gateway bandwidth of 10 Mbit/s or less: gateway to data center, the bandwidth of the VPN gateway; data center to gateway, 10 Mbit/s.
Single-tunnel mode, VPN gateway bandwidth greater than 100 Mbit/s: gateway to data center, the bandwidth of the VPN gateway; data center to gateway, the bandwidth of the VPN gateway.
Single-tunnel mode, VPN gateway bandwidth of 100 Mbit/s or less: gateway to data center, the bandwidth of the VPN gateway; data center to gateway, 100 Mbit/s.
The maximum bandwidth supported by a VPN gateway varies by region. In some regions it can reach 1,000 Mbit/s.
Maximum bandwidth 1,000 Mbit/s: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Thailand (Bangkok), South Korea (Seoul), Philippines (Manila), US (Silicon Valley), US (Virginia), Germany (Frankfurt), and UK (London).
Maximum bandwidth 500 Mbit/s: China (Nanjing - Local Region), UAE (Dubai), and SAU (Riyadh - Partner Region).
Important: The SAU (Riyadh - Partner Region) region is operated by a partner.
Create a VPN gateway
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which you want to create a VPN gateway.
Make sure that the VPN gateway resides in the same region as the VPC that you want to associate with the VPN gateway.
On the VPN Gateways page, click Create VPN Gateway.
On the buy page, configure the parameters that are described in the following table, click Buy Now, and then complete the payment.
Instance Name: The name of the VPN gateway.
Resource Group: The resource group to which the VPN gateway belongs. If you leave this parameter empty, the VPN gateway belongs to the default resource group. You can manage the resource group of the VPN gateway, and the resource groups of other cloud resources, in the Resource Management console. For more information, see What is Resource Management?
Region: The region in which you want to create the VPN gateway. Make sure that the VPN gateway resides in the same region as the VPC that the client needs to access.
Gateway Type: The type of the VPN gateway. Default value: Standard.
Network Type: The network type of the VPN gateway. Set the value to Public, which indicates that the VPN gateway can be used to establish SSL-VPN connections over the Internet.
Tunnels: The tunnel mode of the VPN gateway. The system displays only the tunnel modes that are supported in the selected region. Valid values: Single-tunnel and Dual-tunnel.
VPC: The VPC with which you want to associate the VPN gateway. This must be the VPC with which the client needs to communicate.
vSwitch: The vSwitch in the selected VPC with which you want to associate the VPN gateway. If you select Single-tunnel, you need to specify only one vSwitch. If you select Dual-tunnel, you need to specify two vSwitches. In dual-tunnel mode, after the IPsec-VPN feature is enabled, the system creates an elastic network interface (ENI) in each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection. Each ENI occupies one IP address in its vSwitch.
Note: By default, the system selects a vSwitch. You can keep the default vSwitch or select a different one. After a VPN gateway is created, you cannot change the vSwitch associated with it. You can view the associated vSwitch, the zone to which the vSwitch belongs, and the ENI in the vSwitch on the details page of the VPN gateway.
vSwitch 2: The other vSwitch in the associated VPC with which you want to associate the VPN gateway if you select Dual-tunnel. The two vSwitches must be in different zones of the associated VPC. For a region that supports only one zone, we recommend that you specify two different vSwitches in that zone.
Maximum Bandwidth: The maximum bandwidth of the VPN gateway. Unit: Mbit/s.
Traffic: The metering method of the VPN gateway. Default value: Pay-by-data-transfer.
IPsec-VPN: Specifies whether to enable the IPsec-VPN feature for the VPN gateway. You do not need to enable this feature to establish an SSL-VPN connection.
SSL-VPN: Specifies whether to enable the SSL-VPN feature for the VPN gateway. You must enable this feature to establish an SSL-VPN connection.
Note: If the VPN gateway is in dual-tunnel mode, enabling the IPsec-VPN feature creates an ENI in each of the two vSwitches as an interface to communicate with the VPC over an IPsec-VPN connection, and each ENI occupies one IP address in its vSwitch. The ENI created for the SSL-VPN feature and the ENI created for the IPsec-VPN feature are independent of each other. If both the IPsec-VPN and SSL-VPN features are enabled on a dual-tunnel VPN gateway, the system creates four ENIs in total, two in each of the two vSwitches.
SSL Connections: The maximum number of clients that can be connected to the VPN gateway at the same time.
Duration: The billing cycle of the VPN gateway. Default value: By Hour.
Service-linked Role: The service-linked role of VPN Gateway. Click Create Service-linked Role; the system automatically creates the service-linked role AliyunServiceRoleForVpn, which VPN Gateway assumes to access other cloud resources. For more information, see AliyunServiceRoleForVpn. If Created is displayed, the service-linked role already exists and you do not need to create it again.
After the VPN gateway is created, the system assigns a public IP address to the VPN gateway to establish an SSL-VPN connection between the client and VPN gateway.
What to do next
After the VPN gateway is created, you must also create an SSL server before you establish an SSL-VPN connection. For more information, see Create and manage an SSL server.
Modify the name and description of a VPN gateway
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which the VPN gateway resides.
On the VPN Gateways page, find the VPN gateway that you want to manage and click its ID.
In the Basic Information section on the details page of the VPN gateway, modify the name and description of the VPN gateway.
Click Edit next to the Name parameter. In the dialog box that appears, modify the name of the VPN gateway and click OK.
Click Edit next to the Description field. In the dialog box that appears, modify the description and click OK.
Delete a VPN gateway
Before you delete a VPN gateway, make sure that no IPsec-VPN connection, SSL server, or IPsec server exists on the VPN gateway; delete those resources first. For more information, see the related topics.
Log on to the VPN Gateway console.
In the top navigation bar, select the region in which the VPN gateway resides.
On the VPN Gateways page, find the VPN gateway that you want to delete and click Delete in the Actions column.
In the Delete VPN Gateway message, click OK.
Create and manage VPN gateways by calling API operations
You can call API operations to create and manage VPN gateways by using tools such as Alibaba Cloud SDKs, Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS). We recommend that you use Alibaba Cloud SDKs. For more information about the related API operations, see the following topics:
CreateVpnGateway: creates a VPN gateway.
ModifyVpnGatewayAttribute: modifies the name and description of a VPN gateway.
DeleteVpnGateway: deletes a VPN gateway.
DescribeVpnGateway: queries the information about a VPN gateway.
DescribeVpnGateways: queries the information about VPN gateways in a region.
MoveVpnResourceGroup: modifies the resource group to which a VPN gateway belongs.
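The following Python script is an added example, not Alibaba Cloud's own code, that serves both the Limits section and the creation procedure above. It encodes the page's rules (the per-mode peak-bandwidth floors, the per-region maximum bandwidth, the ENI and IP-address consumption per enabled feature, and the dual-tunnel two-zone requirement) as checks, turns the console parameters into query parameters for CreateVpnGateway, and shows how to submit them with the aliyunsdkcore CommonRequest that the SDK recommendation refers to. The region IDs, the DisasterRecoveryVSwitchId parameter name, the value spellings (public, POSTPAY), the vpc.aliyuncs.com endpoint and the 2016-04-28 version are assumptions to verify against the CreateVpnGateway reference; the GatewaySpec record and all sample values are constructed for the example.

```python
"""Plan a VPN gateway for SSL-VPN access and build its CreateVpnGateway request.

Added example, not Alibaba Cloud's own code. It encodes the limits on this
page (per-mode peak-bandwidth floors, per-region maximum bandwidth, ENI and
IP-address consumption per enabled feature) and turns the console parameters
into query parameters for the CreateVpnGateway API operation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Maximum bandwidth per region in Mbit/s. Values come from this page's table;
# the region IDs are assumed (standard Alibaba Cloud region IDs), as a sample.
REGION_MAX_MBPS = {
    "cn-hangzhou": 1000,     # China (Hangzhou)
    "cn-hongkong": 1000,     # China (Hong Kong)
    "ap-southeast-1": 1000,  # Singapore
    "us-west-1": 1000,       # US (Silicon Valley)
    "eu-central-1": 1000,    # Germany (Frankfurt)
    "cn-nanjing": 500,       # China (Nanjing - Local Region)
    "me-east-1": 500,        # UAE (Dubai)
}

# Data-center-to-gateway peak never drops below this floor (limits table).
DC_TO_GATEWAY_FLOOR_MBPS = {"dual": 10, "single": 100}


def peak_bandwidth(tunnel_mode: str, gateway_mbps: int) -> Tuple[int, int]:
    """Return (gateway-to-data-center, data-center-to-gateway) peak in Mbit/s."""
    floor = DC_TO_GATEWAY_FLOOR_MBPS[tunnel_mode]
    return gateway_mbps, max(gateway_mbps, floor)


def eni_count(tunnel_mode: str, enable_ipsec: bool, enable_ssl: bool) -> int:
    """ENIs (one vSwitch IP address each) the gateway will occupy.

    Every enabled feature gets its own ENI in each associated vSwitch: the
    page gives four for dual-tunnel with both features; the single-tunnel
    figure applies the same rule to one vSwitch (an inference, not stated).
    """
    vswitches = 2 if tunnel_mode == "dual" else 1
    return vswitches * (int(enable_ipsec) + int(enable_ssl))


@dataclass
class GatewaySpec:
    """Console parameters from this page, as a plain record (constructed)."""
    name: str
    region_id: str
    vpc_id: str
    vswitch_id: str
    vswitch_zone: str
    bandwidth_mbps: int
    ssl_connections: int
    tunnel_mode: str = "dual"           # "single" or "dual"
    enable_ipsec: bool = False          # not needed for SSL-VPN
    enable_ssl: bool = True             # required for SSL-VPN
    vswitch2_id: Optional[str] = None   # dual-tunnel only
    vswitch2_zone: Optional[str] = None
    single_zone_region: bool = False    # region offers only one zone


def plan_gateway(spec: GatewaySpec) -> Dict[str, str]:
    """Validate the spec against this page's rules and build API parameters.

    Raises ValueError for a configuration the console would reject. Parameter
    names follow the CreateVpnGateway API; "DisasterRecoveryVSwitchId" for
    the second vSwitch and the value spellings are assumptions to check
    against the API reference before use.
    """
    if spec.region_id not in REGION_MAX_MBPS:
        raise ValueError(f"unknown or unsupported region {spec.region_id}")
    if not 0 < spec.bandwidth_mbps <= REGION_MAX_MBPS[spec.region_id]:
        raise ValueError("bandwidth exceeds the maximum for this region")
    if not spec.enable_ssl:
        raise ValueError("SSL-VPN must be enabled for SSL-VPN connections")
    if spec.ssl_connections < 1:
        raise ValueError("SslConnections must be at least 1")
    if spec.tunnel_mode not in DC_TO_GATEWAY_FLOOR_MBPS:
        raise ValueError("tunnel mode must be 'single' or 'dual'")
    params = {
        "RegionId": spec.region_id,
        "Name": spec.name,
        "VpcId": spec.vpc_id,
        "VSwitchId": spec.vswitch_id,
        "Bandwidth": str(spec.bandwidth_mbps),
        "NetworkType": "public",          # SSL-VPN terminates on the Internet
        "EnableSsl": "true",
        "EnableIpsec": "true" if spec.enable_ipsec else "false",
        "SslConnections": str(spec.ssl_connections),
        "InstanceChargeType": "POSTPAY",  # pay-as-you-go, billed by hour
        "AutoPay": "true",
    }
    if spec.tunnel_mode == "dual":
        if not spec.vswitch2_id or spec.vswitch2_id == spec.vswitch_id:
            raise ValueError("dual-tunnel mode needs two different vSwitches")
        if spec.vswitch2_zone == spec.vswitch_zone and not spec.single_zone_region:
            raise ValueError("dual-tunnel vSwitches must be in different zones")
        params["DisasterRecoveryVSwitchId"] = spec.vswitch2_id
    return params


def send_create_request(params: Dict[str, str], ak_id: str, ak_secret: str):
    """Submit the request with aliyunsdkcore (pip install aliyun-python-sdk-core).

    Network call, not exercised offline; endpoint and version are assumed.
    """
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.request import CommonRequest

    client = AcsClient(ak_id, ak_secret, params["RegionId"])
    request = CommonRequest()
    request.set_domain("vpc.aliyuncs.com")
    request.set_version("2016-04-28")
    request.set_action_name("CreateVpnGateway")
    request.set_method("POST")
    request.set_accept_format("json")
    for key, value in params.items():
        request.add_query_param(key, value)
    return client.do_action_with_exception(request)
```

Run plan_gateway on a GatewaySpec before buying: it rejects a bandwidth above the regional maximum, a dual-tunnel request whose two vSwitches share a zone (unless the region has only one zone), and a request with SSL-VPN disabled, which are exactly the cases the console would bounce. peak_bandwidth and eni_count let you size the vSwitches first, since the vSwitch cannot be changed after the gateway is created; pass the resulting parameters to send_create_request only with credentials of a RAM identity that is allowed to create VPN gateways.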