Use Limits

Last updated: 2022-09-21 19:47:41

    VPN Connection

    Note the following when using a VPN connection:

    • After configuring VPN parameters, you need to add routing policies for your VPN gateway in the route table associated with the subnet, so that network requests from CVM instances in the subnet to access the peer IP range can reach the customer gateway through the VPN tunnel.
    • If the gateway is on v1.0, after configuring the route table, you need to ping an IP address in the peer IP range from a CVM instance in the VPC to activate the VPN tunnel.
    • The stability of the VPN connection depends on the ISP's public network.
    • The VPN connection only supports the PSK authentication method rather than CA authentication.
    • SPD or route IP ranges of the VPN connection cannot be specified as the following IP ranges:
      • Multicast addresses that are all 0, all 255, or start with 224.
      • Loopback addresses: 127.x.x.x/8.
      • IPv6 IP ranges.

    VPN Gateway

    • VPN Connections is a region-level service, but you can also connect to your VPN gateway in any region over the internet.
    • You cannot specify a public IP or the ISP of the public IP for the VPN gateway. IPv6 and anycast IP addresses are also not supported.
    • To create a VPN gateway with a higher bandwidth cap, submit a ticket for application.

    Customer Gateway

    • You must specify the IP address of the customer gateway. The public IP of the customer gateway cannot be the following IP addresses:
      • Multicast addresses that are all 0, all 255, or start with 224.
      • Loopback addresses: 127.x.x.x/8.
      • IP addresses with host bits being all 0 or all 1, for example:
        • Class A IP addresses that start with 1–126, such as 1–126.0.0.0 and 1–126.255.255.255.
        • Class B IP addresses that start with 128–191, such as 128–191.x.0.0 and 128–191.x.255.255.
        • Class C IP addresses that start with 192–223, such as 192–223.x.x.0 and 192–223.x.x.255.
      • Internal service addresses: 169.254.x.x/16.
      • IPv6 addresses.
    • If you use an IPsec VPN connection to interconnect resources in two VPCs, the VPCs are each other's customer gateway, and their IP ranges cannot overlap.
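A pre-flight check for the customer gateway rules listed above, written as an added example (not Tencent Cloud code). The function names and sample addresses are constructed for illustration, and the multicast test is an assumption that widens "start with 224" to the whole 224.0.0.0/4 block.

```python
import ipaddress

def customer_gateway_ip_problems(value):
    """List the reasons `value` breaks the customer gateway IP rules above."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return ["not an IP address"]
    if ip.version == 6:
        return ["IPv6 addresses are not supported"]
    problems = []
    if int(ip) in (0, 0xFFFFFFFF):
        problems.append("all 0 or all 255")
    # Assumption: the page names addresses starting with 224; this check
    # rejects the whole multicast block 224.0.0.0/4.
    if ip.is_multicast:
        problems.append("multicast")
    if ip.is_loopback:
        problems.append("loopback 127.x.x.x/8")
    if ip.is_link_local:
        problems.append("internal service address 169.254.x.x/16")
    # Classful host part: A = last 3 octets, B = last 2, C = last 1.
    octets = ip.packed
    first = octets[0]
    if 1 <= first <= 126:
        host = octets[1:]
    elif 128 <= first <= 191:
        host = octets[2:]
    elif 192 <= first <= 223:
        host = octets[3:]
    else:
        host = b""
    if host and host in (bytes(len(host)), b"\xff" * len(host)):
        problems.append("host bits all 0 or all 1")
    return problems

def vpc_ranges_overlap(cidr_a, cidr_b):
    """True if two VPC IP ranges overlap (not allowed for VPC-to-VPC IPsec)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

if __name__ == "__main__":
    # Constructed sample inputs, not addresses taken from the page.
    for ip in ("203.0.113.10", "172.16.255.255", "169.254.1.1", "2001:db8::1"):
        print(ip, customer_gateway_ip_problems(ip) or "ok")
    print(vpc_ranges_overlap("10.0.0.0/16", "10.0.128.0/17"))
```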

    SSL VPN Server

    • The server supports only UDP but not TCP.
    • To modify information such as port, authentication method, and encryption algorithm, you need to download the client configuration again.
    • The client and local IP ranges cannot overlap.
    • Identity verification relies on an EIAM application and cannot be directly interconnected with other identity providers (IdPs) for verification. You can use EIAM to interconnect with the verification source of your enterprise. You can also select a verification method supported by EIAM, such as SMS, WeCom, and AD. Currently, identity verification is in beta test. To try it out, submit a ticket for application.
    • You can use CAM if identity verification is enabled.

    SSL VPN Client

    • You need to prepare the client on your own. An SSL VPN connection supports the open-source OpenVPN client or other compatible commercial clients.
    • Supported OpenVPN versions: 2.4.8–3.x.
    • Identity verification is supported only by OpenVPN 3.x or other compatible clients.

    Resource Limits

    Limits on IPsec VPN

    | Resource | Limit |
    |---|---|
    | VPC IPsec VPN gateways per region per account | 10 |
    | CCN IPsec VPN gateways per region per account | 10 |
    | Customer gateways in one region | 20 |
    | VPN tunnels supported by one customer gateway | 20 |
    | VPN tunnels that can be created on one VPN gateway | 20 |
    | SPDs in a VPN tunnel | 10 |
    | Peer IP ranges supported by an SPD | 50 |
    | Routes supported by each VPN gateway route table | 1,000 |
    | Routes that can be added at one time on the console | 10 |

    Note (VPN tunnels supported by one customer gateway)
    • The number of VPN tunnels supported by a customer gateway is the quota for the account.
    • Only one VPN tunnel can be established between a given customer gateway and VPN gateway.

    Limits on SSL VPN

    | Resource | Limit |
    |---|---|
    | VPC SSL VPN gateways per region per account | 10 |
    | SSL VPN servers that can be created for an SSL VPN gateway | 1 |
    | Local IP ranges that can be added on an SSL VPN server | 100 |
    | Client IP ranges that can be added on an SSL VPN server | 1 |
    | Validity period of the SSL VPN client certificate | In 3 |
    | SSL VPN connections | A [5,100] Mbps SSL VPN gateway can sustain up to 100 SSL VPN connections; a 200/500 Mbps SSL VPN gateway can sustain up to 500; a 1,000 Mbps SSL VPN gateway can sustain up to 1,000. |
    | Ports not supported by the SSL VPN server | The protocol port cannot be 123, 53, 22, 36000, 54000, 50051, 68, 500, or 4500. |

    Note (client IP ranges)
    • To ensure that all your clients can be assigned an IP address, we recommend you specify a client IP range containing more IP addresses than the number of SSL VPN connections.

    Note (SSL VPN connections)
    • The maximum number of SSL VPN connections is the number of connections to the client. Once it is configured, it cannot be modified. Therefore, plan an appropriate value before configuration.
    • To increase the bandwidth cap to 200, 500, or 1,000 Mbps, submit a ticket for application.

    Note

    To increase the quota, submit a ticket for application.
