Create a gateway

STACKIT VPN Service provides a managed site-to-site VPN solution that uses the IPsec IKEv2 protocol to establish secure, encrypted tunnels between your STACKIT Network Area (SNA) and external networks. To ensure high availability, each VPN gateway uses an active-active setup running on two virtual instances. This guide demonstrates how to provision a STACKIT VPN gateway.

Before you begin, ensure you have the following:

  • A STACKIT Project ID.
  • The region where you want to host your gateway (for example, eu01 for Germany or eu02 for Austria).

When you initiate the gateway provisioning, you must define the routingType. This determines the architectural basis for how traffic is steered through the tunnel.

The following table describes the supported routing types:

You must specify a planId when you create a gateway. To identify the correct plan for your requirements, retrieve the list of available service plans for your region.

  1. Send a GET request to the following endpoint, replacing {region} with your target region:

    GET https://vpn.api.eu01.stackit.cloud/v1beta1/regions/{region}/plans

  2. Locate the planId (for example, p500) in the response.

To create your gateway, send a POST request to the gateways endpoint. You must configure two availability zones to support the high-availability (active-active) configuration.

  1. Prepare a JSON request body containing your gateway configuration.

  2. Send the request to the following endpoint:

    POST /v1beta1/projects/{projectId}/regions/{region}/gateways

This example demonstrates the creation of a gateway using the BGP_ROUTE_BASED routing type.

    {
      "displayName": "production-gateway",
      "planId": "p500",
      "routingType": "BGP_ROUTE_BASED",
      "availabilityZones": {
        "tunnel1": "eu01-1",
        "tunnel2": "eu01-2"
      },
      "bgp": {
        "localAsn": 64512,
        "overrideAdvertisedRoutes": [
          "10.0.0.0/16"
        ]
      }
    }

After you send the creation request, the gateway provisioning starts. You can track the progress by checking the status field of the resource.

The following sections describe the possible lifecycle states:

  • PENDING

    The gateway is currently being provisioned. This process involves the allocation of virtual infrastructure and public IP addresses.

  • READY

    The gateway is operational. You can now proceed to establish connections.

  • ERROR

    An operational failure occurred during provisioning. Check your project quotas or configuration parameters and try again.

  • DELETING

    The resource is being removed and its associated infrastructure is being deallocated.

Once the gateway status is READY, your virtual infrastructure is active, and you can proceed to configure your VPN connections.
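The following Python sketch is an added example, not STACKIT code: it checks a request body like the one above before it is sent, then polls the status field through the lifecycle states listed in this guide. The `fetch_status` callable is hypothetical (this page does not show a status endpoint), and the distinct-zone and default-route checks are assumptions of this example, not documented API rules.

```python
import ipaddress
import time

REQUIRED = ("displayName", "planId", "routingType", "availabilityZones")

def validate_gateway_body(body):
    """Return a list of problems found in a gateway creation body (empty = OK)."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in body]
    zones = body.get("availabilityZones", {})
    t1, t2 = zones.get("tunnel1"), zones.get("tunnel2")
    if not t1 or not t2:
        problems.append("both tunnel1 and tunnel2 zones are required")
    elif t1 == t2:
        # Assumption: active-active only adds resilience if the zones differ.
        problems.append("tunnel1 and tunnel2 use the same zone")
    if body.get("routingType") == "BGP_ROUTE_BASED":
        bgp = body.get("bgp") or {}
        asn = bgp.get("localAsn")
        if not isinstance(asn, int) or not 1 <= asn <= 4294967295:
            problems.append("bgp.localAsn must be an integer in the 32-bit ASN range")
        for route in bgp.get("overrideAdvertisedRoutes", []):
            try:
                net = ipaddress.ip_network(route, strict=True)
            except ValueError:
                problems.append(f"not a valid network prefix: {route}")
                continue
            if net.prefixlen == 0:
                # Assumed local policy: never advertise a default route.
                problems.append(f"default route advertised: {route}")
    return problems

def wait_until_ready(fetch_status, timeout=600, interval=10, sleep=time.sleep):
    """Poll the status field until READY; fail fast on ERROR or DELETING."""
    waited = 0
    while True:
        status = fetch_status()  # hypothetical caller-supplied lookup
        if status == "READY":
            return waited
        if status in ("ERROR", "DELETING"):
            raise RuntimeError(f"gateway entered state {status}")
        if status != "PENDING":
            raise RuntimeError(f"unexpected status {status!r}")
        if waited >= timeout:
            raise TimeoutError("gateway still PENDING after timeout")
        sleep(interval)
        waited += interval
```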

If you encounter issues during the setup, please contact the STACKIT Support team.