VPN
Retrieve Endpoint
Before configuring the endpoint for SDK use, please refer to the developer guide section on VPC Service domain names to familiarize yourself with endpoint-related concepts. Baidu AI Cloud currently supports multiple regions. For details, refer to the VPC section in the Region Selection Guide.
Note: The VPN API supports both HTTP and HTTPS invocation methods. To enhance data security, it is recommended to call via HTTPS.
Retrieve AK/SK
To use the subnets of Baidu AI Cloud, you must have a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. AK/SK are system-generated strings that verify users and ensure secure access to services. You can obtain and manage your AK/SK using the following steps:
Create VPN client
The VpnClient functions as the interface for subnet services, providing developers with methods to interact with ACL services. To create a VpnClient, first set up a BCE client configuration instance (config) using endpoint, AK, and SK. Then use this config instance to configure the VpnClient. The specific configuration steps are as follows:
```python
from baidubce.auth.bce_credentials import BceCredentials
from baidubce.bce_client_configuration import BceClientConfiguration
from baidubce.services.vpn.vpn_client import VpnClient

if __name__ == "__main__":
    config = BceClientConfiguration(
        credentials=BceCredentials(
            access_key_id='',  # User's AK
            secret_access_key=''  # User's SK
        ),
        endpoint='bcc.bj.baidubce.com'  # Requested domain information
    )
    vpn_client = VpnClient(config)
```
Create VPN gateway
Function declaration
```python
def create_vpn(self, vpc_id, vpn_name, billing,
               vpn_type=None, max_connections=None,
               client_token=None, description=None,
               eip=None, config=None, subnetId=None,
               tags=None, resourceGroupId=None, deleteProtect=False):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/tk2y913ko
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "vpnId": "vpn-ku4cxya6nisq"
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_create_vpn.py
Creating a VPN gateway is an asynchronous process. The completion of the create_vpn operation does not immediately indicate the successful creation of the VPN gateway. At this stage, the gateway status will be "building." Wait for up to 3 minutes until the VPN gateway status updates to "unconfigured" before starting its configuration.
List VPN gateways
Function declaration
```python
def list_vpns(self, vpc_id, eip=None, marker=None, max_Keys=None, config=None, vpn_type=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/zk2ydcivt
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "nextMarker": "vpn-xktdeMSf",
    "marker": "vpn-IyWRtII7",
    "maxKeys": 1,
    "isTruncated": true,
    "vpns": [
        {
            "status": "active",
            "eip": "10.12.34.32",
            "vpnId": "vpn-IyWRtII7",
            "vpcId": "83edd0d2-8a68-4ce5-a396-9d2917d58a57",
            "description": "",
            "expiredTime": null,
            "productType": "postpay",
            "vpnConnNum": 0,
            "bandwidthInMbps": 10,
            "vpnConns": [],
            "sslVpnServer": null,
            "type": "IPSec",
            "maxConnection": null,
            "vpnName": "VPN_aoko_2",
            "createTime": "2021-04-25 17:22:34"
        }
    ]
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_list_vpn.py
Query VPN details
Function declaration
```python
def get_vpn(self, vpn_id, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Xk2ydminh
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "status": "active",
    "eip": "",
    "vpnId": "vpn-shkgan7et1vx",
    "vpcId": "83edd0d2-8a68-4ce5-a396-9d2917d58a57",
    "description": "",
    "expiredTime": null,
    "paymentTiming": "Postpaid",
    "vpnConnNum": 0,
    "bandwidthInMbps": 0,
    "vpnConns": [],
    "ssl_vpn_server": null,
    "vpnName": "VPN_aoko_2",
    "createTime": "2021-04-25 17:22:34",
    "deleteProtect": true,
    "tags": [
        {
            "tagKey": "hikwnf",
            "tagValue": "nwklwmflk"
        },
        {
            "tagKey": "whfooef",
            "tagValue": "haiwnwejf"
        }
    ]
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_show_vpn.py
Bind EIP to VPN gateway
Only VPN gateways that are not bound to an EIP and are in the 'unconfigured' status can perform EIP binding operations.
Function declaration
```python
def bind_eip(self, vpn_id, eip=None, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/uk2yh2wy2
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_bind_vpn_eip.py
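The create-then-bind sequence from the "Create VPN gateway" and "Bind EIP to VPN gateway" sections, as an added example that is not part of the SDK or its example files: poll get_vpn until the gateway leaves "building", then call bind_eip only if it is "unconfigured" with no EIP bound. The helper names wait_until_built and bind_eip_when_ready are hypothetical, and reading `status` and `eip` from either a dict or an attribute-style response object is an assumption.

```python
import time


def _field(resp, name):
    """Read a response field from a dict or an attribute-style object (assumption)."""
    if isinstance(resp, dict):
        return resp.get(name)
    return getattr(resp, name, None)


def wait_until_built(client, vpn_id, timeout=180, interval=10,
                     sleep=time.sleep, clock=time.monotonic):
    """Poll get_vpn until the gateway leaves "building"; return the last response.

    timeout defaults to the 3 minutes the page gives for gateway creation.
    sleep and clock are injectable so the loop can be exercised without waiting.
    """
    deadline = clock() + timeout
    while True:
        resp = client.get_vpn(vpn_id)
        if _field(resp, "status") != "building":
            return resp
        if clock() >= deadline:
            raise TimeoutError(f"{vpn_id} still building after {timeout}s")
        sleep(interval)


def bind_eip_when_ready(client, vpn_id, eip, **wait_kwargs):
    """Bind an EIP only when the documented preconditions hold."""
    resp = wait_until_built(client, vpn_id, **wait_kwargs)
    status = _field(resp, "status")
    if status != "unconfigured":
        raise RuntimeError(f"{vpn_id} is {status!r}, expected 'unconfigured'")
    bound = _field(resp, "eip")
    if bound:  # the get_vpn response shows "" when no EIP is bound
        raise RuntimeError(f"{vpn_id} already has EIP {bound}")
    return client.bind_eip(vpn_id, eip=eip)
```

Failing early on the client side keeps a half-built or already-bound gateway from producing an API exception in the middle of a provisioning script.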
Unbind EIP from VPN gateway
Only VPN gateways bound to an EIP can perform this operation.
Function declaration
```python
def unbind_eip(self, vpn_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/lk2yh59e5
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_unbind_vpn_eip.py
Modify VPN gateway
Currently, only the name and description of a VPN gateway can be modified; other parameters cannot be changed.
Function declaration
```python
def update_vpn(self, vpn_id, vpn_name=None, description=None, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/dk2ybo3p4
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_update_vpn.py
Release VPN gateway
For IPSEC-VPN gateways, the IPSEC tunnels under the VPN gateway must be deleted first. For SSL-VPN gateways, the SSL-VPN service under the VPN gateway must be deleted first. If an EIP has been bound to the VPN gateway, the binding between the VPN and EIP will be removed first, and the EIP will become available. Only VPN instances with postpay bill type and without shift charge tasks can be released.
Function declaration
```python
def delete_vpn(self, vpn_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/bk2ybhrpv
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_delete_vpn.py
VPN gateway renewal
Function declaration
```python
def renew_vpn(self, vpn_id, billing, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/rk2yh7kqp
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_renew_vpn.py
Create IPSEC tunnel
Creating an IPSEC tunnel requires a considerable number of parameters. According to protocol specifications, the ISAKMP two-phase key negotiation parameters are divided into IKE encryption/authentication algorithms and IPSEC encryption/authentication algorithms.
The SDK only supports policy-based (traffic selector-based) IPSec tunnels.
IKE configuration definition
For the meaning of IKE configuration parameters, refer to IkeConfig
IKE configuration parameter definitions
| Parameter name | Type | Required | Description |
|---|---|---|---|
| ike_version | string | Yes | IKE version: v1 or v2 |
| ike_mode | string | Yes | IKE mode: main (main mode) or aggressive (aggressive mode) |
| ike_enc_alg | string | Yes | Phase 1 encryption algorithm: aes/aes192/aes256/3des |
| ike_auth_alg | string | No | Phase 1 authentication algorithm: sha1/md5 |
| ike_pfs | string | Yes | DH group (Diffie-Hellman algorithm strength): group2/group5/group14/group24 |
| ike_lifeTime | string | No | IKE tunnel lifetime, which must be a multiple of 3,600, with a maximum of 86,400 |
IPSEC configuration definition
For the meaning of ipsec configuration parameters, refer to IpsecConfig
IPSEC Configuration Parameter Definitions
| Parameter name | Type | Required | Description |
|---|---|---|---|
| ipsec_enc_alg | string | Yes | Phase 2 encryption algorithm: aes/aes192/aes256/3des |
| ipsec_auth_alg | string | Yes | Phase 2 authentication algorithm: sha1/md5 |
| ipsec_pfs | string | No | Perfect forward secrecy (PFS): group2/group5/group14/group24 |
| ipsec_lifetime | string | No | Phase 2 lifetime, which must be a multiple of 3,600 and not less than ike_lifeTime |
Function declaration
```python
def create_vpn_conn(self, vpn_id,
                    secret_key,
                    local_subnets,
                    remote_ip,
                    remote_subnets,
                    vpn_conn_name,
                    ike_config,
                    ipsec_config,
                    description=None,
                    client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/sk2yngg0t
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "vpnConnId": "vpnconn-ku4cxya6nisq"
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_create_connection.py
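A pre-flight check for the ike_config and ipsec_config values listed in the two tables above, as an added example rather than SDK code: it enforces the documented choices and lifetime rules, and also warns on options the API accepts but that are deprecated (3des, md5, group2, group5, aggressive mode). The function name check_tunnel_config, the plain-dict input and the accepted lifetime formats ("28800" or "28800s") are assumptions.

```python
import re

# Allowed values, copied from the IKE and IPSEC parameter tables on this page.
IKE_ALLOWED = {
    "ike_version": {"v1", "v2"},
    "ike_mode": {"main", "aggressive"},
    "ike_enc_alg": {"aes", "aes192", "aes256", "3des"},
    "ike_auth_alg": {"sha1", "md5"},
    "ike_pfs": {"group2", "group5", "group14", "group24"},
}
IPSEC_ALLOWED = {
    "ipsec_enc_alg": {"aes", "aes192", "aes256", "3des"},
    "ipsec_auth_alg": {"sha1", "md5"},
    "ipsec_pfs": {"group2", "group5", "group14", "group24"},
}
IKE_REQUIRED = ("ike_version", "ike_mode", "ike_enc_alg", "ike_pfs")
IPSEC_REQUIRED = ("ipsec_enc_alg", "ipsec_auth_alg")
# Accepted by the API but deprecated; this list is the example's own judgement.
WEAK = {"3des", "md5", "group2", "group5", "aggressive"}


def _seconds(value):
    """Parse '28800' or '28800s' (assumed formats); None if unparseable."""
    m = re.fullmatch(r"(\d+)s?", str(value).strip())
    return int(m.group(1)) if m else None


def check_tunnel_config(ike, ipsec):
    """Return (errors, warnings) for the two config dicts."""
    errors, warnings = [], []
    for cfg, allowed, required in ((ike, IKE_ALLOWED, IKE_REQUIRED),
                                   (ipsec, IPSEC_ALLOWED, IPSEC_REQUIRED)):
        for key in required:
            if key not in cfg:
                errors.append(f"{key}: required")
        for key, choices in allowed.items():
            val = cfg.get(key)
            if val is None:
                continue
            if val not in choices:
                errors.append(f"{key}: {val!r} not in {sorted(choices)}")
            elif val in WEAK:
                warnings.append(f"{key}: {val} is deprecated")
    ike_life = None
    if "ike_lifeTime" in ike:
        ike_life = _seconds(ike["ike_lifeTime"])
        # A zero lifetime is rejected too (assumption; the page gives no minimum).
        if not ike_life or ike_life % 3600 or ike_life > 86400:
            errors.append("ike_lifeTime: must be a multiple of 3600, at most 86400")
    if "ipsec_lifetime" in ipsec:
        ipsec_life = _seconds(ipsec["ipsec_lifetime"])
        if not ipsec_life or ipsec_life % 3600:
            errors.append("ipsec_lifetime: must be a multiple of 3600")
        elif ike_life and ipsec_life < ike_life:
            errors.append("ipsec_lifetime: must not be less than ike_lifeTime")
    return errors, warnings
```

Treat warnings as blocking for new tunnels unless the remote peer cannot negotiate anything stronger; the same check applies before update_vpn_conn, which takes the same two configs.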
List IPSECs
Function declaration
```python
def get_vpn_conn(self, vpn_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Bk2ynne1n
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "vpnConns": [
        {
            "vpn_id": "vpn-a0314a79a558",
            "vpn_conn_id": "vpnconn-771763a0da2f",
            "secretKey": "ddd22@www",
            "local_ip": null,
            "localSubnets": ["192.168.100.0/24"],
            "remoteIp": "10.107.245.188",
            "remoteSubnets": ["192.168.100.0/24"],
            "description": "111",
            "status": "active",
            "created_time": "2024-12-26T18:58:53+08:00",
            "health_status": "reachable",
            "vpnConnName": "vpncon",
            "ikeConfig":
            {
                "ikeVersion": "v1",
                "ikeMode": "main",
                "ikeEncAlg": "aes",
                "ikeAuthAlg": "sha1",
                "ikePfs": "group2",
                "ikeLifeTime": "28800s"
            },
            "ipsecConfig":
            {
                "ipsecEncAlg": "aes",
                "ipsecAuthAlg": "sha1",
                "ipsecPfs": "group2",
                "ipsecLifetime": "28800s"
            }
        }
    ]
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_list_connection.py
Modify IPSEC tunnel
Modifying IPSEC tunnel parameters involves defining both IKE and IPSEC phase parameters along with traffic selectors, similar to the creation process. The SDK does not allow modification of individual parameters—users must provide all parameters. Details are as follows.
Function declaration
```python
def update_vpn_conn(self, vpn_conn_id,
                    vpn_id,
                    secret_key,
                    local_subnets,
                    remote_ip,
                    remote_subnets,
                    vpn_conn_name,
                    ike_config,
                    ipsec_config,
                    description=None,
                    client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/rk2ynjopp
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_update_connection.py
Delete IPSEC tunnel
Function declaration
```python
def delete_vpn_conn(self, vpn_conn_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/dk2ynpyn7
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_delete_connection.py
Create SSL-VPN service
Before using this API, ensure an SSL-VPN gateway has already been successfully created under the VPC. Note that only one SSL-VPN service can be created per SSL-VPN gateway.
Function declaration
```python
def create_vpn_sslservice(self, vpn_id=None,
                          sslservice_name=None,
                          local_routes=None,
                          address_pool=None,
                          interface_type=None,
                          client_dns=None,
                          client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Jl385fe3r
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "sslVpnServerId": "sslvpn-5b2hq4nm40tt"
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_create_sslservice.py
List SSLVPN service
Since only one SSL-VPN service is available under a VPN gateway, listing SSL-VPN services by vpn_id returns at most one SSL-VPN service.
Function declaration
```python
def get_vpn_sslservice(self, vpn_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/vl3bat97z
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "vpnId": "vpn-shyt1vzgqc3z",
    "sslVpnServerId": "sslvpn-5b2hq4nm40tt",
    "sslVpnServerName": "hzb_1_1",
    "interfaceType": "tap",
    "status": "active",
    "localSubnets": ["192.168.0.0/24"],
    "remoteSubnet": "172.168.0.0/16",
    "maxConnection": 10,
    "clientDns": ""
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_list_sslservice.py
Modify SSL-VPN service
Modifying the SSL-VPN service will disconnect any clients currently connected to the VPN gateway. Windows and Mac clients will detect the Baidu AI Cloud SSL-VPN disconnection within approximately three minutes and automatically reconnect. However, Linux clients will not reconnect automatically; relevant engineers must manually reboot or reconnect the Linux client. As a result, this operation should be done with caution.
The interface_type of SSLVPN cannot be changed because it also needs to be declared in the client's configuration file. If this parameter is altered, all client configuration files must be updated accordingly. To adjust other settings such as client routing or the client address pool, disconnect and reconnect the client. As a result, modifying the interface_type is not allowed.
Function declaration
```python
def update_vpn_sslservice(self, vpn_id=None,
                          sslservice_id=None,
                          sslservice_name=None,
                          local_routes=None,
                          address_pool=None,
                          client_dns=None,
                          client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Gl39u2j5r
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_update_sslservice.py
Delete SSL VPN service
Function declaration
```python
def delete_vpn_sslservice(self, vpn_id, sslservice_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/ll39xiyyp
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_delete_sslservice.py
Create SSL VPN users in batches
Function declaration
```python
def create_vpn_sslusers(self, vpn_id, sslusers, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Kl3a3l8ga
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "sslVpnUserIds": ["sslvpn-5b2hq4nm40tt"]
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_create_ssluser.py
List SSL-VPN users
Function declaration
```python
def get_vpn_ssl_user(self, vpn_id, client_token=None, config=None, marker=None, max_keys=None, user_name=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Sl3b9pzmg
Response value
Operation succeeded:
```
{
    "metadata": {...},  # Public description information
    "marker": "vpn-ssl-user-xynkefqf3n5x",
    "maxKeys": 1,
    "isTruncated": false,
    "sslVpnUsers": [
        {
            "userId": "vpn-ssl-user-xynkefqf3n5x",
            "userName": "user",
            "description": "desc"
        }
    ]
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_list_ssluser.py
Modify SSL-VPN user
Function declaration
```python
def update_vpn_ssl_user(self, vpn_id, ssluser_id, password=None, description=None, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/el3b86jjt
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_update_ssluser.py
Delete SSL-VPN user
After deleting an SSL-VPN user, if the user is actively connected to SSLVPN, the connection will not be terminated immediately. The user will receive authentication failure information upon their next connection attempt.
Function declaration
```python
def delete_vpn_ssl_user(self, vpn_id, ssluser_id, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Wl3b99ax6
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_delete_ssluser.py
Update VPN release protection switch
Function declaration
```python
def update_vpn_delete_protect(self, vpn_id, delete_protect=False, client_token=None, config=None):
```
Parameter meaning
Refer to the OpenAPI documentation: https://cloud.baidu.com/doc/VPC/s/Dlzjsmzon
Response value
Operation succeeded:
```
{
    "metadata": {...}  # Public description information
}
```
Operation failed:
Throw an exception. For the exception list, refer to https://cloud.baidu.com/doc/VPC/s/sjwvyuhe7
Code example
For specific code examples, refer to example_update_vpn_delete_protect.py
