调用CreateSslVpnServer接口创建SSL-VPN服务端-VPN网关-阿里云

调用CreateSslVpnServer接口创建SSL-VPN服务端。

接口说明

CreateSslVpnServer is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeVpnGateway operation to query the status of the task.
- If the VPN gateway is in the updating state, the SSL server is being created.
- If the VPN gateway is in the active state, the SSL server is created.
You cannot repeatedly call the CreateSslVpnServer operation within the specified period of time.

Prerequisite

A VPN gateway is created, and the SSL-VPN feature is enabled for the VPN gateway. For more information, see CreateVpnGateway .
If you want to enable two-factor authentication for the SSL server, make sure that the VPN gateway supports two-factor authentication. You may need to upgrade the VPN gateway. For more information, see Two-factor authentication supports IDaaS EIAM 2.0.

调试

您可以在OpenAPI Explorer中直接运行该接口，免去您计算签名的困扰。运行成功后，OpenAPI Explorer可以自动生成SDK代码示例。

调试

授权信息

下表是API对应的授权信息，可以在RAM权限策略语句的Action元素中使用，用来给RAM用户或RAM角色授予调用此API的权限。具体说明如下：

操作：是指具体的权限点。
访问级别：是指每个操作的访问级别，取值为写入（Write）、读取（Read）或列出（List）。
资源类型：是指操作中支持授权的资源类型。具体说明如下：
- 对于必选的资源类型，用前面加 * 表示。
- 对于不支持资源级授权的操作，用全部资源表示。
条件关键字：是指云产品自身定义的条件关键字。
关联操作：是指成功执行操作所需要的其他权限。操作者必须同时具备关联操作的权限，操作才能成功。

操作	访问级别	资源类型	条件关键字	关联操作
vpc:CreateSslVpnServer	create	SslVpnServer `acs:vpc:{#regionId}:{#accountId}:sslvpnserver/` *VpnGateway `acs:vpc:{#regionId}:{#accountId}:vpngateway/{#VpnGatewayId}`	无	无

请求参数

名称	类型	必填	描述	示例值
ClientToken	string	否	The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. 说明 If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.	02fb3da4-130e-11e9-8e44-0016e04115b
RegionId	string	是	The region ID of the VPN gateway. You can call the DescribeRegions operation to query the most recent region list.	cn-shanghai
VpnGatewayId	string	是	The ID of the VPN gateway.	vpn-bp1hgim8by0kc9nga****
Name	string	否	The SSL server name. The name must be 1 to 100 characters in length and cannot start with `http://` or `https://`.	sslvpnname
ClientIpPool	string	是	The client CIDR block. The CIDR block from which an IP address is allocated to the virtual network interface controller (NIC) of the client, rather than the private CIDR block. If the client accesses the SSL server over an SSL-VPN connection, the VPN gateway assigns an IP address from the specified client CIDR block for the client to access cloud resources. Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway. Click to view the reason. For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first divides a subnet CIDR block with a subnet mask of 30 from 192.168.0.0/24, such as 192.168.0.4/30. This subnet provides up to four IP addresses. Then, the system allocates an IP address from 192.168.0.4/30 to the client and uses the other three IP addresses to ensure network communication. In this case, one client consumes four IP addresses. Therefore, to ensure that an IP address is assigned to your client, the number of IP addresses in the client CIDR block must be at least four times the maximum number of SSL-VPN connections supported by the VPN gateway with which the SSL server is associated. Click to view the CIDR blocks that are not supported. 100.64.0.0~100.127.255.255 127.0.0.0~127.255.255.255 169.254.0.0~169.254.255.255 224.0.0.0~239.255.255.255 255.0.0.0~255.255.255.255 Click to view the recommended client CIDR blocks for different numbers of SSL-VPN connections. If the number of SSL-VPN connections is 5, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 27 bits in length. Examples: 10.0.0.0/27 and 10.0.0.0/26. If the number of SSL-VPN connections is 10, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 26 bits in length. Examples: 10.0.0.0/26 and 10.0.0.0/25. If the number of SSL-VPN connections is 20, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 25 bits in length. Examples: 10.0.0.0/25 and 10.0.0.0/24. If the number of SSL-VPN connections is 50, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 24 bits in length. Examples: 10.0.0.0/24 and 10.0.0.0/23. If the number of SSL-VPN connections is 100, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 23 bits in length. Examples: 10.0.0.0/23 and 10.0.0.0/22. If the number of SSL-VPN connections is 200, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 22 bits in length. Examples: 10.0.0.0/22 and 10.0.0.0/21. If the number of SSL-VPN connections is 500, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 21 bits in length. Examples: 10.0.0.0/21 and 10.0.0.0/20. If the number of SSL-VPN connections is 1,000, we recommend that you specify a client CIDR block with a subnet mask that is less than or equal to 20 bits in length. Examples: 10.0.0.0/20 and 10.0.0.0/19. 说明 The subnet mask of the client CIDR block must be 16 to 29 bits in length. Make sure that the client CIDR block does not overlap with the local CIDR block, the VPC CIDR block, or route CIDR blocks associated with the client. We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must specify the public CIDR block as the user CIDR block of the virtual private cloud (VPC). This way, the VPC can access the public CIDR block. For more information, see VPC FAQs. After you create an SSL server, the system automatically adds routes that point to the client CIDR block to the VPC route table. Do not manually add routes that point to the client CIDR block. Otherwise, SSL-VPN connections cannot work as expected.	192.168.1.0/24
LocalSubnet	string	是	The local CIDR block. The CIDR block that your client needs to access by using the SSL-VPN connection. This value can be the CIDR block of a VPC, a vSwitch, a data center that is connected to a VPC by using an Express Connect circuit, or an Alibaba Cloud service such as Object Storage Service (OSS). The subnet mask of the specified local CIDR block must be 8 to 32 bits in length. You cannot specify the following CIDR blocks as the local CIDR blocks: 127.0.0.0~127.255.255.255 169.254.0.0~169.254.255.255 224.0.0.0~239.255.255.255 255.0.0.0~255.255.255.255	10.0.0.0/8
Proto	string	否	The protocol that is used by the SSL server. Valid values: TCP (default) UDP	UDP
Cipher	string	否	The encryption algorithm that is used by the SSL-VPN connection. If the client uses Tunnelblick or OpenVPN 2.4.0 or later, the SSL server dynamically negotiates with the client about the encryption algorithm and uses the most secure encryption algorithm that is supported by the SSL server and the client. The encryption algorithm that you specify for the SSL server does not take effect. If the client uses OpenVPN of a version that is earlier than 2.4.0, the SSL server and the client use the encryption algorithm that you specify for the SSL server. You can specify one of the following encryption algorithms for the SSL server: AES-128-CBC (default) AES-192-CBC AES-256-CBC none	AES-128-CBC
Port	integer	否	The port that is used by the SSL server. Valid values of port numbers: 1 to 65535. Default value: 1194. The following ports are not supported: 22, 2222, 22222, 9000, 9001, 9002, 7505, 80, 443, 53, 68, 123, 4510, 4560, 500, and 4500.	1194
Compress	boolean	否	Specifies whether to enable data compression. Valid values: true false (default)	false
EnableMultiFactorAuth	boolean	否	Specifies whether to enable two-factor authentication. To enable two-factor authentication, you need to specify `IDaaSInstanceId`, `IDaaSRegionId`, and `IDaaSApplicationId`. Valid values: true: enables this feature. false (default): disables this feature. 说明 If you use two-factor authentication for the first time, you must first complete authorization . When you create an SSL server in the UAE (Dubai) region, we recommend that you associate the SSL server with an IDaaS EIAM 2.0 instance in Singapore to reduce latency. IDaaS EIAM 1.0 instances are no longer for purchase. If your Alibaba Cloud account has IDaaS EIAM 1.0 instances, the IDaaS EIAM 1.0 instances can be associated after two-factor authentication is enabled. If your Alibaba Cloud account does not have IDaaS EIAM 1.0 instances, only IDaaS EIAM 2.0 instances can be associated after two-factor authentication is enabled.	false
IDaaSInstanceId	string	否	The ID of the IDaaS EIAM instance.	idaas-cn-hangzhou-p****
IDaaSRegionId	string	否	The region ID of the IDaaS EIAM instance.	cn-hangzhou
IDaaSApplicationId	string	否	The ID of the IDaaS application. If an IDaaS EIAM 2.0 instance is associated, you need to specify an IDaaS application ID. If an IDaaS EIAM 1.0 instance is associated, you do not need to specify an IDaaS application ID.	app_my6g4qmvnwxzj2f****

返回参数

名称	类型	描述	示例值
	object
SslVpnServerId	string	The ID of the SSL server.	vss-bp18q7hzj6largv4v****
RequestId	string	The request ID.	E98A9651-7098-40C7-8F85-C818D1EBBA85
Name	string	The SSL server name.	test

示例

正常返回示例

JSON格式

{
  "SslVpnServerId": "vss-bp18q7hzj6largv4v****",
  "RequestId": "E98A9651-7098-40C7-8F85-C818D1EBBA85",
  "Name": "test"
}

错误码

HTTP status code	错误码	错误信息	描述
400	Resource.QuotaFull	The quota of resource is full	资源配额已达上限。
400	InvalidName	The name is not valid	该名称格式不合法。
400	VpnGateway.Configuring	The specified service is configuring.	服务正在配置中，请您稍后再试。
400	VpnGateway.FinancialLocked	The specified service is financial locked.	该服务已欠费，请您先充值再操作。
400	SslVpnServer.AlreadyExist	The SSL VPN server of specified vpn gateway already exists.	指定VPN网关的SSL VPN服务器已存在。
400	VpnRouteEntry.Conflict	The specified route entry has conflict.	路由条目存在冲突。
400	IpConflict	Client IP pool conflict with local IP range.	客户端IP池与本地IP范围冲突。
400	IpConflict	Client IP pool conflict with other SSL VPN server in the same VPC.	客户端IP池与同一VPC中的其他SSL VPN服务器冲突。
400	SslVpnServer.AddRouteError	Add route error whose destination is client IP pool, please check vpc route entry and relevant quota.	添加指向客户端网段的路由失败，请查看VPC路由条目及相关配额。
400	ClientIpPool.NetmaskInvalid	The netmask length of client IP pool must be greater than or equal to 16 and less than or equal to 29.	客户端 IP 池的网络掩码长度必须大于等于 16 且小于等于 29。
400	ClientIpPool.SubnetInvalid	The specified client IP pool cannot be used.	当前客户端网段不可用。
400	MissingParameter.IDaaSInstanceId	The input parameter IDaaSInstanceId is mandatory when enable multi-factor authentication.	启动双因子认证时请输入IDaaSInstanceId参数。
400	OperationFailed.NoRamPermission	Vpn Service has no permission to operate your IDaaS instances.	Vpn服务没有权限操作您的IDaaS实例
400	OperationUnsupported.NotSupportMultiFactorAuth	Current version of the VPN does not support multi-factor authentication.	-
400	QuotaExceeded.VpnRouteEntry	The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit.	VPC路由表中指向VPN网关的路由条目已经达到配额限制。
400	SystemBusy	The system is busy. Please try again later.	当前系统繁忙，请稍后重试。
400	SslVpnServerPort.Illegal	The server port is not in the range of [1-65535].	SSL VPN 服务端端口号需要在[1-65535]之间。
400	EnableHaCheck.SslVpnServerClientCidrContainsVpcRouteDest	Ssl vpn client cidr contains vpc route prefix. The vpc route prefix is %s.	vpc路由表中存在路由的前缀%s被包含在ssl vpn 客户端 cidr 中。
400	VpnGateway.SslVpnDisabled	The VPN gateway has not enabled SSL VPN.	VPN网关没有开启SSL VPN功能。
400	IllegalParam.LocalSubnet	The specified "LocalSubnet" (%s) is invalid.	本端网段(%s)不合法。
400	IllegalParam.IDaaSApplicationId	The specified IDaaS application Id is not illegal, the application instance needs to be created based on the dedicated SSL VPN template.	指定的IDaaS应用实例ID不合法，应用实例需要基于专属SSL VPN的模板创建。
400	SslVpnIDaaS2.NotSupport	Current version of the VPN does not support IDaaS2.0.	当前VPN实例版本不支持使用IDaaS2.0。
400	MissingParam.IDaaSApplicationId	The input parameter IDaaSApplicationId is mandatory when enable multi-factor authentication.	启动双因子认证时请输入IDaaSApplicationId参数。
400	MissingParam.IDaaSRegionId	The input parameter IDaaSRegionId is mandatory when enable multi-factor authentication.	启动双因子认证时请输入IDaaSRegionId参数。
400	DryRunOperation	Request validation has been passed with DryRun flag set.	DryRun校验通过。
403	Forbbiden.SubUser	User not authorized to operate on the specified resource as your account is created by another user.	您没有权限操作该资源，请您申请操作权限后再试。
403	Forbidden	User not authorized to operate on the specified resource.	您没有权限操作指定资源，请申请权限后再操作。
404	InvalidRegionId.NotFound	The specified region is not found during access authentication.	接入认证时未找到指定区域。
404	InvalidVpnGatewayInstanceId.NotFound	The specified vpn gateway instance id does not exist.	指定的 VPN 网关不存在，请您检查 VPN 网关是否正确。
404	InvalidIDaaSInstanceId.NotFound	The specified IDaaS instance ID does not exist.	指定的IDaaS实例ID不存在
404	InvalidIDaaSApplicationId.NotFound	The specified IDaaS application Id does not exist.	指定的IDaaS应用实例ID不存在。

访问错误中心查看更多错误码。

变更历史

变更时间	变更内容概要	操作
2025-05-23	OpenAPI 错误码发生变更、OpenAPI 入参发生变更	查看变更详情
2024-05-10	OpenAPI 错误码发生变更、OpenAPI 入参发生变更	查看变更详情
2023-10-19	OpenAPI 描述信息更新、OpenAPI 去除了 deprecated 标记、OpenAPI 错误码发生变更	查看变更详情
2023-05-30	OpenAPI 错误码发生变更	查看变更详情