Calls the ModifySslVpnServer operation to modify the configuration of an SSL-VPN server.
Operation description
-
If you want to enable two-factor authentication for the SSL server, first make sure the VPN gateway instance supports this feature. You may need to upgrade the VPN gateway instance. For more information, see SSL-VPN two-factor authentication supports IDaaS EIAM 2.0.
-
When only the Name of the SSL-VPN server is modified, this operation is synchronous. If configurations other than Name are also modified, this operation is asynchronous.
-
When the ModifySslVpnServer operation is asynchronous, the system first returns a request ID, but the configuration of the SSL-VPN server has not been modified yet, and the modification task is still in progress in the background. You can call the DescribeVpnGateway operation to query the status of the VPN gateway instance associated with the SSL-VPN server to confirm the modification status of the SSL-VPN server configuration:
When the VPN gateway instance is in the updating state, the configuration of the SSL-VPN server is being modified.
When the VPN gateway instance is in the active state, the configuration of the SSL-VPN server has been modified successfully.
-
The ModifySslVpnServer operation does not support concurrent modification of SSL-VPN server configurations under the same VPN gateway.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
vpc:ModifySslVpnServer |
update |
*SslVpnServer
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| ClientToken |
string |
No |
The client token that is used to ensure the idempotency of the request. Generate a parameter value from your client to ensure uniqueness across different requests. ClientToken supports only ASCII characters. Note
If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId of each API request is different. |
02fb3da4-130e-11e9-8e44-0016e04115b |
| RegionId |
string |
Yes |
The region ID of the VPN gateway. You can call the DescribeRegions operation to query region IDs. |
cn-hangzhou |
| SslVpnServerId |
string |
Yes |
The ID of the SSL-VPN server instance. |
vss-bp18q7hzj6largv4v**** |
| Name |
string |
No |
The name of the SSL-VPN server. The name must be 1 to 100 characters in length and cannot start with |
test |
| ClientIpPool |
string |
No |
The client CIDR block. This is the CIDR block used to allocate IP addresses to the virtual network interface of the client, not the existing internal CIDR block of the client. When the client accesses the local end through an SSL-VPN connection, the VPN gateway allocates an IP address from the specified client CIDR block to the client. The client uses the allocated IP address to access cloud resources. When you specify the client CIDR block, make sure that the number of IP addresses in the client CIDR block is at least four times the number of SSL connections of the current VPN gateway. Note
|
10.30.30.0/24 |
| LocalSubnet |
string |
No |
The local subnet. The CIDR block that the client needs to access through the SSL-VPN connection. The local subnet can be the CIDR block of a VPC, a vSwitch, an IDC interconnected with the VPC through Express Connect, or a cloud service such as Object Storage Service (OSS). The subnet mask of the local subnet must be between 8 and 32 bits. The following CIDR blocks cannot be specified as local subnets:
|
10.20.20.0/24 |
| Proto |
string |
No |
The protocol used by the SSL-VPN server. Valid values:
|
UDP |
| Cipher |
string |
No |
The encryption algorithm used by SSL-VPN. Valid values:
|
AES-128-CBC |
| Port |
integer |
No |
The port used by the SSL-VPN server. Valid values: 1 to 65535. Default value: 1194. The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, and 4500. |
1194 |
| Compress |
boolean |
No |
Specifies whether to compress the communication. Valid values:
|
true |
| EnableMultiFactorAuth |
boolean |
No |
Specifies whether to enable two-factor authentication. If you choose to enable two-factor authentication, you also need to configure IDaaSInstanceId, IDaaSRegionId, and IDaaSApplicationId. Valid values:
Note
|
false |
| IDaaSInstanceId |
string |
No |
The ID of the IDaaS EIAM instance. |
idaas-cn-hangzhou-**** |
| IDaaSRegionId |
string |
No |
The region ID of the IDaaS EIAM instance. |
cn-hangzhou |
| IDaaSApplicationId |
string |
No |
The ID of the IDaaS application.
|
app_my6g4qmvnwxzj2f**** |
| DryRun |
boolean |
No |
Specifies whether to perform only a dry run, without actually modifying the configuration. Valid values:
|
false |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The response parameters. |
||
| InternetIp |
string |
The public IP address. |
47.98.XX.XX |
| IDaaSInstanceId |
string |
The ID of the IDaaS EIAM instance. |
idaas-cn-hangzhou-**** |
| CreateTime |
integer |
The creation time of the SSL-VPN server. |
1492753580000 |
| VpnGatewayId |
string |
The ID of the VPN gateway instance. |
vpn-bp1q8bgx4xnkm2ogj**** |
| Compress |
boolean |
Indicates whether communication is compressed. |
false |
| Port |
integer |
The port of the SSL-VPN server. |
1194 |
| LocalSubnet |
string |
The local subnet. |
10.20.20.0/24 |
| RegionId |
string |
The region ID of the SSL-VPN server. |
cn-hangzhou |
| Cipher |
string |
The encryption algorithm used. |
AES-128-CBC |
| RequestId |
string |
The request ID. |
DF11D6F6-E35A-41C3-9B20-6FC8A901FE65 |
| Connections |
integer |
The current number of connections. |
0 |
| SslVpnServerId |
string |
The ID of the SSL-VPN server. |
vss-bp18q7hzj6largv4v**** |
| MaxConnections |
integer |
The maximum number of connections. |
5 |
| Name |
string |
The name of the SSL-VPN server. |
test |
| EnableMultiFactorAuth |
boolean |
Indicates whether two-factor authentication is enabled.
|
false |
| ClientIpPool |
string |
The client CIDR block. |
10.30.30.0/24 |
| Proto |
string |
The protocol used by the SSL-VPN server. |
UDP |
| ResourceGroupId |
string |
The ID of the resource group to which the SSL-VPN server belongs. The resource group of the SSL-VPN server is the same as that of the associated VPN gateway instance. You can call the ListResourceGroups operation to query resource group information. |
rg-acfmzs372yg**** |
| IDaaSApplicationId |
string |
The ID of the IDaaS application. |
app_my6g4qmvnwxzj2f**** |
| IDaaSInstanceVersion |
string |
The version of the IDaaS EIAM instance.
|
EIAM 2.0 |
Examples
Success response
JSON format
{
"InternetIp": "47.98.XX.XX",
"IDaaSInstanceId": "idaas-cn-hangzhou-****",
"CreateTime": 1492753580000,
"VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
"Compress": false,
"Port": 1194,
"LocalSubnet": "10.20.20.0/24",
"RegionId": "cn-hangzhou",
"Cipher": "AES-128-CBC",
"RequestId": "DF11D6F6-E35A-41C3-9B20-6FC8A901FE65",
"Connections": 0,
"SslVpnServerId": "vss-bp18q7hzj6largv4v****",
"MaxConnections": 5,
"Name": "test",
"EnableMultiFactorAuth": false,
"ClientIpPool": "10.30.30.0/24",
"Proto": "UDP",
"ResourceGroupId": "rg-acfmzs372yg****",
"IDaaSApplicationId": "app_my6g4qmvnwxzj2f****",
"IDaaSInstanceVersion": "EIAM 2.0"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | InvalidName | The name is not valid | |
| 400 | VpnGateway.Configuring | The specified service is configuring. | |
| 400 | VpnGateway.FinancialLocked | The specified service is financial locked. | |
| 400 | IpConflict | Client IP pool conflict with local IP range. | The client IP pool conflicts with the local IP range. |
| 400 | SslVpnServer.AddRouteError | Add route error whose destination is client IP pool, please check vpc route entry and relevant quota. | The system failed to add the route that points to the client CIDR block. View the VPC route and quota. |
| 400 | ClientIpPool.NetmaskInvalid | The netmask length of client IP pool must be greater than or equal to 16 and less than or equal to 29. | The subnet mask of the client IP pool must range from 16 to 29. |
| 400 | ClientIpPool.SubnetInvalid | The specified client IP pool cannot be used. | The client CIDR block is unavailable. |
| 400 | MissingParameter.IDaaSInstanceId | The input parameter IDaaSInstanceId is mandatory when enable multi-factor authentication. | You must set the IDaaSInstanceId parameter when you enable two-factor authentication. |
| 400 | OperationFailed.GetIDaaSInfo | Failed to get secret key from your IDaaS instance. | |
| 400 | OperationFailed.NoRamPermission | Vpn Service has no permission to operate your IDaaS instances. | The VPN service does not have the permissions to manage your IDaaS instance. |
| 400 | OperationUnsupported.NotSupportMultiFactorAuth | Current version of the VPN does not support multi-factor authentication. | |
| 400 | SystemBusy | The system is busy. Please try again later. | |
| 400 | SslVpnServerPort.Illegal | The server port is not in the range of [1-65535]. | The port of the SSL-VPN server must be from 1 to 65535. |
| 400 | EnableHaCheck.SslVpnServerClientCidrContainsVpcRouteDest | Ssl vpn client cidr contains vpc route prefix. The vpc route prefix is %s. | The prefix %s in the VPC route table falls within the CIDR block of the SSL client. |
| 400 | InvalidInstanceId.NotFound | InstanceId is not found. | The Express Connect circuit ID is invalid. |
| 400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | Route conflicts exist. |
| 400 | IllegalParam.IDaaSApplicationId | The specified IDaaS application Id is not illegal, the application instance needs to be created based on the dedicated SSL VPN template. | The specified IDaaS application instance ID is invalid. The application instance must be created based on the dedicated SSL VPN template. |
| 400 | MissingParam.IDaaSApplicationId | The input parameter IDaaSApplicationId is mandatory when enable multi-factor authentication. | Enter the IDaaSApplicationId parameters when starting two-factor authentication. |
| 400 | SslVpnIDaaS2.NotSupport | Current version of the VPN does not support IDaaS2.0. | The current version of the VPN instance does not support IDaaS2.0. |
| 400 | MissingParam.IDaaSRegionId | The input parameter IDaaSRegionId is mandatory when enable multi-factor authentication. | Enter the IDaaSRegionId parameters when starting two-factor authentication. |
| 400 | DryRunOperation | Request validation has been passed with DryRun flag set. | The request passed the dry run. |
| 400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | The specified "LocalSubnet" (%s) is invalid. |
| 403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | |
| 403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
| 404 | InvalidRegionId.NotFound | The specified region is not found during access authentication. | The specified area is not found during authentication. |
| 404 | InvalidIDaaSInstanceId.NotFound | The specified IDaaS instance ID does not exist. | The specified IDaaS instance does not exist. |
| 404 | InvalidIDaaSApplicationId.NotFound | The specified IDaaS application Id does not exist. | The ID of the specified IDaaS application instance does not exist. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.