Use Limits

Last updated: 2026-05-27 17:52:19

VPN Connections

Note the following when using a VPN connection:
After configuring VPN parameters, you need to add routing policies for your VPN gateway in the route table associated with the subnet, so that network requests from CVMs in the subnet to access the peer IP range can reach the customer gateway through the VPN tunnel.
The stability of the VPN connection depends on the ISP's public network.
The VPN connection supports only the PSK authentication method; CA authentication is not supported.
SPD or route IP ranges of the VPN connection cannot be specified as the following IP ranges:
Multicast addresses that are all 0, all 255, or start with 224.
Loopback addresses: 127.x.x.x/8.
IPv6 IP ranges.
When a CCN VPN is used, if the 0.0.0.0 IP range route is propagated, the customer gateway must enable active negotiation and the cloud side must enable passive negotiation. Otherwise, the tunnel may fail. If the VPN gateway edition is 4.0, ensure that you enable the route overlapping feature on the CCN side when the VPN gateway is associated with CCN.

VPN Gateway

VPN Connections is a region-level service, but you can also connect to your VPN gateway in any region over the internet.
You cannot specify a public IP or the ISP of the public IP for the VPN gateway. IPv6 and anycast IP addresses are also not supported.
The inbound and outbound bandwidth allocated by Tencent Cloud is equal to the bandwidth specification purchased by the user.
Currently, only VPN 4.0 gateways with specifications of 200 Mbps or higher support the dynamic BGP feature. If you need to use the BGP function, submit a ticket for consultation.
Routing priority: Static routing > dynamic BGP routing.
Private VPN: If you need to use a private VPN, submit a ticket for consultation.
Note: The 4.0 edition VPC VPN gateway does not currently support forming ECMP with lower-edition VPN gateways. For details about VPC route table ECMP, see ECMP.

Customer Gateway

You must specify the IP address of the customer gateway. The public IP of the customer gateway cannot be the following IP addresses:
Multicast addresses that are all 0, all 255, or start with 224.
Loopback addresses: 127.x.x.x/8.
IP addresses with host bits being all 0 or all 1, for example:
Class-A IP addresses that start with 1-126, such as 1-126.0.0.0 and 1-126.255.255.255.
Class-B IP addresses that start with 128-191, such as 128-191.x.0.0 and 128-191.x.255.255.
Class-C IP addresses that start with 192-223, such as 192-223.x.x.0 and 192-223.x.x.255.
Internal service addresses: 169.254.x.x/16.
IPv6 addresses.
If you use an IPsec VPN connection to interconnect resources in two VPCs, the VPCs are each other's customer gateway, and their IP ranges cannot overlap.
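
A preflight check for the customer gateway address rules and the non-overlap requirement above, as an added example (not Tencent Cloud code). The function names and sample addresses are constructed, and the "start with 224" rule is implemented literally as this page states it.

```python
import ipaddress

# Host-bit width per classful range, keyed by first octet (from the list above).
CLASSFUL_HOST_BITS = [(range(1, 127), 24), (range(128, 192), 16), (range(192, 224), 8)]

def customer_gateway_ip_problems(addr):
    """Return the reasons `addr` is rejected as a customer gateway IP (empty if none)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ["IPv6 addresses are not supported"]
    problems = []
    value = int(ip)
    first = value >> 24
    if value == 0 or value == 0xFFFFFFFF or first == 224:
        problems.append("all 0, all 255, or starts with 224")
    if first == 127:
        problems.append("loopback 127.x.x.x/8")
    if ip in ipaddress.ip_network("169.254.0.0/16"):
        problems.append("internal service address 169.254.x.x/16")
    for octets, bits in CLASSFUL_HOST_BITS:
        host = value & ((1 << bits) - 1)
        if first in octets and host in (0, (1 << bits) - 1):
            problems.append(f"host bits all 0 or all 1 (first octet {first})")
    return problems

def overlapping_ranges(side_a, side_b):
    """Return (a, b) pairs of CIDR ranges that overlap between the two sides."""
    nets_a = [ipaddress.ip_network(c) for c in side_a]
    nets_b = [ipaddress.ip_network(c) for c in side_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b
            if a.version == b.version and a.overlaps(b)]

if __name__ == "__main__":
    # Constructed sample values (documentation and private ranges), not real gateways.
    for candidate in ["203.0.113.10", "198.51.100.255", "127.0.0.1", "169.254.10.1"]:
        print(candidate, customer_gateway_ip_problems(candidate) or "ok")
    print(overlapping_ranges(["10.0.0.0/16"], ["10.0.128.0/20", "192.168.0.0/24"]))
```

The same `overlapping_ranges` check applies to the SSL VPN rule that client and local IP ranges cannot overlap.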

SSL VPN Server

The server supports only UDP but not TCP.
To modify information such as port, authentication method, and encryption algorithm, you need to download the client configuration again.
The client and local IP ranges cannot overlap.
SSO authentication
Identity verification relies on an EIAM application and cannot be directly interconnected with other identity providers (IdPs) for verification. You can use EIAM to interconnect with the verification source of your enterprise. You can also select a verification method supported by EIAM, such as SMS, WeCom, and AD. Currently, identity verification is in beta testing. To try it out, submit a ticket to apply.
VPN 4.0: Identity verification relies on CAM identity role configuration and supports mainstream third-party IdPs based on SAML 2.0.
You can use CAM if identity verification is enabled.

SSL VPN Client

You need to prepare the client on your own. An SSL VPN connection supports the open-source OpenVPN client or other compatible commercial clients.
Each client can use only one SSL client configuration certificate. You cannot use the same certificate for multiple clients.
Supported OpenVPN versions: 2.4.8–3.x.
Identity verification is supported only by OpenVPN 3.x or other compatible clients.
When configuring the SSL server on Windows, you must configure the encryption and authentication algorithms if your OpenVPN client is version 3.4.0 or later.
In a single operation, up to 100 SSL clients can be created in bulk.

Resource Limits

Limits on IPsec VPN

| Resource | Default Limit | Upgradable or Not |
| --- | --- | --- |
| VPC IPsec VPN gateways per region per account | 10 | Supported. Submit a ticket to apply. |
| CCN IPsec VPN gateways per region per account | 10 | Supported. Submit a ticket to apply. |
| Customer gateways in one region | 20 | Supported. Submit a ticket to apply. |
| VPN tunnels supported by one customer gateway | 10. Note: The number of VPN tunnels supported by a customer gateway is the quota for the account. Only one VPN tunnel can be established between a pair of customer gateway and VPN gateway. | Supported. Submit a ticket to apply. |
| VPN tunnels that can be created on one VPN gateway | 20 | Not supported |
| Maximum bandwidth supported by a VPN gateway instance | 3000 Mbps | Not supported |
| Total maximum packets per second (pps) supported for both directions by a VPN gateway instance | 3G gateway: 320,000 pps; 1G gateway: 200,000 pps | The pps limit varies depending on the gateway specification. If you need to increase the limit, upgrade the gateway specification. |
| SPDs in a VPN tunnel | 10 | Not supported |
| Total number of SPDs under the same VPN gateway | 100 | Not supported |
| Peer IP ranges supported by a SPD | 10 | Not supported |
| Routes supported by each VPN gateway route table | 1000 | Not supported |
| Number of routes that can be added at one time on the console | 10 | Not supported |
| Dynamic BGP-learned routing entries supported by each VPN gateway | 500 | Not supported |
| Routing entries sent via the dynamic BGP for each VPN tunnel | 2000 | Not supported |
| BGP ASN | Default: 64551, value range: 1 - 4294967295 | The value range is not adjustable |

Limits on SSL VPN

| Resource | Default Limit | Upgradable or Not |
| --- | --- | --- |
| VPC SSL VPN Gateways per Region per Account | 10 | Supported. Submit a ticket to apply. |
| CCN SSL VPN Gateways per Region per Account | 10 | Supported. Submit a ticket to apply. |
| Maximum bandwidth supported by a VPN gateway instance | 1000 Mbps | Not supported |
| Total maximum packets per second (pps) supported for both directions by a VPN gateway instance | 1G gateway: 200,000 pps | The pps limit varies depending on the gateway specification. If you need to increase the limit, upgrade the gateway specification. |
| SSL VPN servers that can be created for an SSL VPN gateway | 1 | Not supported |
| Local IP ranges that can be added on an SSL VPN server | 500 (VPN gateway 4.0 edition); 5 (VPN gateway under 4.0 edition) | Not supported |
| Client IP ranges that can be added on an SSL VPN server | 1. Note: To ensure that all your clients can be assigned IP addresses, we recommend that the number of IP addresses in the client subnet you specify exceeds the number of SSL VPN clients. | Not supported |
| Validity period of the SSL VPN client certificate | 3 years | Not adjustable |
| SSL client connection limit | An SSL VPN gateway with a bandwidth of 5–100 Mbps supports a maximum of 100 SSL client connections. An SSL VPN gateway with a bandwidth of 200/500 Mbps supports a maximum of 500 SSL client connections. An SSL VPN gateway with a bandwidth of 1000 Mbps supports a maximum of 1000 SSL client connections. Note: The number of clients an SSL VPN gateway can connect to also depends on the number of SSL client connections you configured during creation. For example, if you set the connection limit to 5 during creation, the gateway can connect to a maximum of 5 clients. You can modify the number of SSL client connections within the bandwidth quota. In the example above, if you need 10 SSL connections, you can make the adjustment in the gateway details, but the maximum cannot exceed 100. | The limit is based on the current SSL VPN gateway specification. If you need to increase the number of SSL client connections, upgrade the gateway bandwidth specification. |
