ModifySslVpnServer

更新时间:
复制 MD 格式

Calls the ModifySslVpnServer operation to modify the configuration of an SSL-VPN server.

Operation description

  • If you want to enable two-factor authentication for the SSL server, first make sure the VPN gateway instance supports this feature. You may need to upgrade the VPN gateway instance. For more information, see SSL-VPN two-factor authentication supports IDaaS EIAM 2.0.

  • When only the Name of the SSL-VPN server is modified, this operation is synchronous. If configurations other than Name are also modified, this operation is asynchronous.

  • When the ModifySslVpnServer operation is asynchronous, the system first returns a request ID, but the configuration of the SSL-VPN server has not been modified yet, and the modification task is still in progress in the background. You can call the DescribeVpnGateway operation to query the status of the VPN gateway instance associated with the SSL-VPN server to confirm the modification status of the SSL-VPN server configuration:

    • When the VPN gateway instance is in the updating state, the configuration of the SSL-VPN server is being modified.

    • When the VPN gateway instance is in the active state, the configuration of the SSL-VPN server has been modified successfully.

  • The ModifySslVpnServer operation does not support concurrent modification of SSL-VPN server configurations under the same VPN gateway.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

vpc:ModifySslVpnServer

update

*SslVpnServer

acs:vpc:{#regionId}:{#accountId}:sslvpnserver/{#SslVpnServerId}

None None

Request parameters

Parameter

Type

Required

Description

Example

ClientToken

string

No

The client token that is used to ensure the idempotency of the request.

Generate a parameter value from your client to ensure uniqueness across different requests. ClientToken supports only ASCII characters.

Note

If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId of each API request is different.

02fb3da4-130e-11e9-8e44-0016e04115b

RegionId

string

Yes

The region ID of the VPN gateway.

You can call the DescribeRegions operation to query region IDs.

cn-hangzhou

SslVpnServerId

string

Yes

The ID of the SSL-VPN server instance.

vss-bp18q7hzj6largv4v****

Name

string

No

The name of the SSL-VPN server.

The name must be 1 to 100 characters in length and cannot start with http:// or https://.

test

ClientIpPool

string

No

The client CIDR block.

This is the CIDR block used to allocate IP addresses to the virtual network interface of the client, not the existing internal CIDR block of the client.

When the client accesses the local end through an SSL-VPN connection, the VPN gateway allocates an IP address from the specified client CIDR block to the client. The client uses the allocated IP address to access cloud resources.

When you specify the client CIDR block, make sure that the number of IP addresses in the client CIDR block is at least four times the number of SSL connections of the current VPN gateway.

Click to view the reason.

For example, if the client CIDR block you specify is 192.168.0.0/24, when the system allocates IP addresses to the client, it first divides a subnet with a 30-bit subnet mask from the 192.168.0.0/24 CIDR block, such as 192.168.0.4/30, and then allocates one IP address from 192.168.0.4/30 for the client to use. The remaining three IP addresses are occupied by the system to ensure network communication. In this case, one client consumes 4 IP addresses. Therefore, to ensure that all your clients can be allocated IP addresses, make sure that the number of IP addresses in the client CIDR block you specify is at least four times the number of SSL connections of the VPN gateway.

Click to view unsupported CIDR blocks.

  • 100.64.0.0~100.127.255.255

  • 127.0.0.0~127.255.255.255

  • 169.254.0.0~169.254.255.255

  • 224.0.0.0~239.255.255.255

  • 255.0.0.0~255.255.255.255

Click to view recommended client CIDR blocks for each SSL connection count.

  • If the number of SSL connections is 5, the subnet mask of the client CIDR block should be less than or equal to 27 bits. For example: 10.0.0.0/27 or 10.0.0.0/26.

  • If the number of SSL connections is 10, the subnet mask of the client CIDR block should be less than or equal to 26 bits. For example: 10.0.0.0/26 or 10.0.0.0/25.

  • If the number of SSL connections is 20, the subnet mask of the client CIDR block should be less than or equal to 25 bits. For example: 10.0.0.0/25 or 10.0.0.0/24.

  • If the number of SSL connections is 50, the subnet mask of the client CIDR block should be less than or equal to 24 bits. For example: 10.0.0.0/24 or 10.0.0.0/23.

  • If the number of SSL connections is 100, the subnet mask of the client CIDR block should be less than or equal to 23 bits. For example: 10.0.0.0/23 or 10.0.0.0/22.

  • If the number of SSL connections is 200, the subnet mask of the client CIDR block should be less than or equal to 22 bits. For example: 10.0.0.0/22 or 10.0.0.0/21.

  • If the number of SSL connections is 500, the subnet mask of the client CIDR block should be less than or equal to 21 bits. For example: 10.0.0.0/21 or 10.0.0.0/20.

  • If the number of SSL connections is 1000, the subnet mask of the client CIDR block should be less than or equal to 20 bits. For example: 10.0.0.0/20 or 10.0.0.0/19.

Note
  • The subnet mask of the client CIDR block must be between 16 and 29 bits.

  • Make sure that the client CIDR block does not overlap with the local subnet, VPC CIDR block, or any route CIDR blocks associated with the client terminal.

  • When specifying the client CIDR block, we recommend that you use the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 CIDR blocks and their subnets. If you need to specify a public CIDR block as the client CIDR block, you must set the public CIDR block as a user CIDR block of the VPC to ensure that the VPC can access the public CIDR block. For more information about user CIDR blocks, see VPC FAQ.

  • After the SSL server is created, the system automatically adds routes for the client CIDR block to the route table of the VPC instance. Do not manually add routes for the client CIDR block to the route table of the VPC instance. Otherwise, SSL-VPN connection traffic transmission will be abnormal.

10.30.30.0/24

LocalSubnet

string

No

The local subnet.

The CIDR block that the client needs to access through the SSL-VPN connection.

The local subnet can be the CIDR block of a VPC, a vSwitch, an IDC interconnected with the VPC through Express Connect, or a cloud service such as Object Storage Service (OSS).

The subnet mask of the local subnet must be between 8 and 32 bits. The following CIDR blocks cannot be specified as local subnets:

  • 127.0.0.0~127.255.255.255

  • 169.254.0.0~169.254.255.255

  • 224.0.0.0~239.255.255.255

  • 255.0.0.0~255.255.255.255

10.20.20.0/24

Proto

string

No

The protocol used by the SSL-VPN server. Valid values:

  • TCP (default): TCP protocol.

  • UDP: UDP protocol.

UDP

Cipher

string

No

The encryption algorithm used by SSL-VPN. Valid values:

  • AES-128-CBC (default): AES-128-CBC algorithm.

  • AES-192-CBC: AES-192-CBC algorithm.

  • AES-256-CBC: AES-256-CBC algorithm.

  • none: No encryption algorithm is used.

AES-128-CBC

Port

integer

No

The port used by the SSL-VPN server. Valid values: 1 to 65535. Default value: 1194.

The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, and 4500.

1194

Compress

boolean

No

Specifies whether to compress the communication. Valid values:

  • true (default): Compresses the communication.

  • false: Does not compress the communication.

true

EnableMultiFactorAuth

boolean

No

Specifies whether to enable two-factor authentication. If you choose to enable two-factor authentication, you also need to configure IDaaSInstanceId, IDaaSRegionId, and IDaaSApplicationId. Valid values:

  • true: Enabled.

  • false: Not enabled.

Note
  • If you are using the two-factor authentication feature for the first time, complete the authorization before creating the SSL server.

  • When creating an SSL server in the UAE (Dubai) region, we recommend that you bind an IDaaS EIAM 2.0 instance in the Singapore region to reduce cross-region latency.

  • IDaaS EIAM 1.0 instances are no longer available for purchase. If your Alibaba Cloud account has existing IDaaS EIAM 1.0 instances, you can still bind them after enabling two-factor authentication. If your Alibaba Cloud account does not have IDaaS EIAM 1.0 instances, only IDaaS EIAM 2.0 instances can be bound after enabling two-factor authentication.

false

IDaaSInstanceId

string

No

The ID of the IDaaS EIAM instance.

idaas-cn-hangzhou-****

IDaaSRegionId

string

No

The region ID of the IDaaS EIAM instance.

cn-hangzhou

IDaaSApplicationId

string

No

The ID of the IDaaS application.

  • If you bind an IDaaS EIAM 2.0 instance, you must enter the IDaaS application ID.

  • If you bind an IDaaS EIAM 1.0 instance, you do not need to enter the IDaaS application ID.

app_my6g4qmvnwxzj2f****

DryRun

boolean

No

Specifies whether to perform only a dry run, without actually modifying the configuration. Valid values:

  • true: Sends a check request without modifying the SSL server configuration. The check items include whether all required parameters are specified, request format, and service limits. If the check fails, the corresponding error is returned. If the check passes, the error code DryRunOperation is returned.

  • false (default): Sends a normal request. After the check passes, an HTTP 2xx status code is returned, and the operation is performed.

false

Response elements

Element

Type

Description

Example

object

The response parameters.

InternetIp

string

The public IP address.

47.98.XX.XX

IDaaSInstanceId

string

The ID of the IDaaS EIAM instance.

idaas-cn-hangzhou-****

CreateTime

integer

The creation time of the SSL-VPN server.

1492753580000

VpnGatewayId

string

The ID of the VPN gateway instance.

vpn-bp1q8bgx4xnkm2ogj****

Compress

boolean

Indicates whether communication is compressed.

false

Port

integer

The port of the SSL-VPN server.

1194

LocalSubnet

string

The local subnet.

10.20.20.0/24

RegionId

string

The region ID of the SSL-VPN server.

cn-hangzhou

Cipher

string

The encryption algorithm used.

AES-128-CBC

RequestId

string

The request ID.

DF11D6F6-E35A-41C3-9B20-6FC8A901FE65

Connections

integer

The current number of connections.

0

SslVpnServerId

string

The ID of the SSL-VPN server.

vss-bp18q7hzj6largv4v****

MaxConnections

integer

The maximum number of connections.

5

Name

string

The name of the SSL-VPN server.

test

EnableMultiFactorAuth

boolean

Indicates whether two-factor authentication is enabled.

  • true: Enabled.

  • false (default): Not enabled.

false

ClientIpPool

string

The client CIDR block.

10.30.30.0/24

Proto

string

The protocol used by the SSL-VPN server.

UDP

ResourceGroupId

string

The ID of the resource group to which the SSL-VPN server belongs.

The resource group of the SSL-VPN server is the same as that of the associated VPN gateway instance. You can call the ListResourceGroups operation to query resource group information.

rg-acfmzs372yg****

IDaaSApplicationId

string

The ID of the IDaaS application.

app_my6g4qmvnwxzj2f****

IDaaSInstanceVersion

string

The version of the IDaaS EIAM instance.

  • This parameter is returned only when the SSL server is bound to an IDaaS EIAM 2.0 instance. The only valid value is EIAM 2.0.

  • If the SSL server is bound to an IDaaS EIAM 1.0 instance, this parameter is not returned.

EIAM 2.0

Examples

Success response

JSON format

{
  "InternetIp": "47.98.XX.XX",
  "IDaaSInstanceId": "idaas-cn-hangzhou-****",
  "CreateTime": 1492753580000,
  "VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
  "Compress": false,
  "Port": 1194,
  "LocalSubnet": "10.20.20.0/24",
  "RegionId": "cn-hangzhou",
  "Cipher": "AES-128-CBC",
  "RequestId": "DF11D6F6-E35A-41C3-9B20-6FC8A901FE65",
  "Connections": 0,
  "SslVpnServerId": "vss-bp18q7hzj6largv4v****",
  "MaxConnections": 5,
  "Name": "test",
  "EnableMultiFactorAuth": false,
  "ClientIpPool": "10.30.30.0/24",
  "Proto": "UDP",
  "ResourceGroupId": "rg-acfmzs372yg****",
  "IDaaSApplicationId": "app_my6g4qmvnwxzj2f****",
  "IDaaSInstanceVersion": "EIAM 2.0"
}

Error codes

HTTP status code

Error code

Error message

Description

400 InvalidName The name is not valid
400 VpnGateway.Configuring The specified service is configuring.
400 VpnGateway.FinancialLocked The specified service is financial locked.
400 IpConflict Client IP pool conflict with local IP range. The client IP pool conflicts with the local IP range.
400 SslVpnServer.AddRouteError Add route error whose destination is client IP pool, please check vpc route entry and relevant quota. The system failed to add the route that points to the client CIDR block. View the VPC route and quota.
400 ClientIpPool.NetmaskInvalid The netmask length of client IP pool must be greater than or equal to 16 and less than or equal to 29. The subnet mask of the client IP pool must range from 16 to 29.
400 ClientIpPool.SubnetInvalid The specified client IP pool cannot be used. The client CIDR block is unavailable.
400 MissingParameter.IDaaSInstanceId The input parameter IDaaSInstanceId is mandatory when enable multi-factor authentication. You must set the IDaaSInstanceId parameter when you enable two-factor authentication.
400 OperationFailed.GetIDaaSInfo Failed to get secret key from your IDaaS instance.
400 OperationFailed.NoRamPermission Vpn Service has no permission to operate your IDaaS instances. The VPN service does not have the permissions to manage your IDaaS instance.
400 OperationUnsupported.NotSupportMultiFactorAuth Current version of the VPN does not support multi-factor authentication.
400 SystemBusy The system is busy. Please try again later.
400 SslVpnServerPort.Illegal The server port is not in the range of [1-65535]. The port of the SSL-VPN server must be from 1 to 65535.
400 EnableHaCheck.SslVpnServerClientCidrContainsVpcRouteDest Ssl vpn client cidr contains vpc route prefix. The vpc route prefix is %s. The prefix %s in the VPC route table falls within the CIDR block of the SSL client.
400 InvalidInstanceId.NotFound InstanceId is not found. The Express Connect circuit ID is invalid.
400 VpnRouteEntry.Conflict The specified route entry has conflict. Route conflicts exist.
400 IllegalParam.IDaaSApplicationId The specified IDaaS application Id is not illegal, the application instance needs to be created based on the dedicated SSL VPN template. The specified IDaaS application instance ID is invalid. The application instance must be created based on the dedicated SSL VPN template.
400 MissingParam.IDaaSApplicationId The input parameter IDaaSApplicationId is mandatory when enable multi-factor authentication. Enter the IDaaSApplicationId parameters when starting two-factor authentication.
400 SslVpnIDaaS2.NotSupport Current version of the VPN does not support IDaaS2.0. The current version of the VPN instance does not support IDaaS2.0.
400 MissingParam.IDaaSRegionId The input parameter IDaaSRegionId is mandatory when enable multi-factor authentication. Enter the IDaaSRegionId parameters when starting two-factor authentication.
400 DryRunOperation Request validation has been passed with DryRun flag set. The request passed the dry run.
400 IllegalParam.LocalSubnet The specified "LocalSubnet" (%s) is invalid. The specified "LocalSubnet" (%s) is invalid.
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user.
403 Forbidden User not authorized to operate on the specified resource. You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404 InvalidRegionId.NotFound The specified region is not found during access authentication. The specified area is not found during authentication.
404 InvalidIDaaSInstanceId.NotFound The specified IDaaS instance ID does not exist. The specified IDaaS instance does not exist.
404 InvalidIDaaSApplicationId.NotFound The specified IDaaS application Id does not exist. The ID of the specified IDaaS application instance does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.