# Create VPN Gateway

A VPN Gateway provides a secure way to access your data center, protecting your network and sensitive information.

To create a VPN Gateway, follow these steps:

1\. In the **DCD**, go to **Menu** > **Network Services** > **VPN Gateway**.

2\. Click **Create VPN Gateway** from the **VPN Gateways** page.

3\. Define the following to configure your VPN Gateway:

* [<mark style="color:blue;">Properties</mark>](#define-properties)
* [<mark style="color:blue;">Tier</mark>](#define-tier)
* [<mark style="color:blue;">Protocol</mark>](#define-protocol)
* [<mark style="color:blue;">LAN Connections</mark>](#define-lan-connections)

4\. Click **Save** to create the VPN gateway.

{% hint style="success" %}
**Result:** Your VPN gateway's **STATE** is set to **PROVISIONING** during creation. When provisioning is finished, it becomes **AVAILABLE**. You can [<mark style="color:blue;">create IPSec Tunnels or WireGuard Peers</mark>](https://docs.ionos.com/sections-test/guides/network-services/vpn-gateway/dcd-how-tos/create-peer-tunnel) while the VPN Gateway is still in **PROVISIONING** or after its **STATE** changes to **AVAILABLE**.
{% endhint %}

![VPN Gateway is being provisioned](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-2124be2b9422c95976609340845493272aaf3d53%2Fcreate-vpn-gateway-success.png?alt=media)

## Define Properties

To define VPN Gateway properties, specify the following:

1\. **Name:** Enter a name for the VPN Gateway.

2\. **Description:** *(Optional)* Add further information about the VPN Gateway.

3\. **Location:** Select a location of your preference from the drop-down list.

4\. **IP Address:** Select the **IP Address** from the drop-down list.

{% hint style="info" %}
**Note:** Ensure that:

* You have reserved IP addresses for the respective location using [<mark style="color:blue;">IP Management</mark>](https://docs.ionos.com/sections-test/guides/network-services/vdc-networking/ip-address/ipv4/how-tos/reserve-ipv4).
* The IP Address and the chosen data center are in the same location.
  {% endhint %}

![Define VPN Gateway Properties](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-708fb8900b61d300ed617d7e8074a80f8f936181%2Fdefine-vpn-gateway-properties.png?alt=media)

## Define Tier

The number of LANs and tunnels or peers differs for each tier. You can couple a tier with high availability to configure an active-passive mode for an uninterrupted connection during a failover.

When you enable **High Availability** for the chosen tier, the virtual machines operate in an active-passive mode to minimize the downtime during a failover.

1\. Based on your needs, you can choose a tier from the following:

| **Tier**                                                                                      | **Resources**                                                   | **Description**                                                                                    |
| --------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| <p>— <strong>Standard VPN</strong><br>— <strong>Standard VPN + High Availability</strong></p> | A maximum of five LANs and 10 IPSec Tunnels or WireGuard Peers. | You can upgrade the tier to **Enhanced VPN** or **Premium VPN** with or without high availability. |
| <p>— <strong>Enhanced VPN</strong><br>— <strong>Enhanced VPN + High Availability</strong></p> | A maximum of 10 LANs and 20 IPSec Tunnels or WireGuard Peers.   | You can upgrade the tier to **Premium VPN** with or without high availability.                     |
| <p>— <strong>Premium VPN</strong><br>— <strong>Premium VPN + High Availability</strong></p>   | A maximum of 15 LANs and 30 IPSec Tunnels or WireGuard Peers.   | It is highly recommended for mission-critical or production workloads.                             |

{% hint style="info" %}
**Note:**

* You can upgrade the tiers as described, but downgrading is not allowed.
* The chosen tier, together with the High Availability selection, determines the cost of the VPN Gateway. For more information, see the [<mark style="color:blue;">FAQ</mark>](https://docs.ionos.com/sections-test/guides/network-services/faqs#how-much-does-a-vpn-gateway-cost).
  {% endhint %}

2\. **High Availability:** Select the checkbox to ensure high availability and redundancy for the VPN connections so that the downtime is minimal in case of failures. Redundant VPN tunnels automatically take over during failures.

![Select a tier](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-764394e09eec210bcad0ec6b21158b51a84d589d%2Fdefine-vpn-gateway-tier.png?alt=media)

## Define Protocol

You can create VPN Gateways using either the **IPSec** or **WireGuard®** protocols.

{% hint style="info" %}
**Prerequisites:**

* An IPSec VPN Gateway requires Tunnels before it can be used.
* WireGuard requires Peers.
  {% endhint %}

Each protocol offers different features and requires distinct configuration steps:

{% tabs %}
{% tab title="IPSec" %}
For **IPSec**, the **Version** is set to **IKEv2** by default.

![Selecting IPSec VPN Gateway Protocol](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-12f13b7bb2e88e994f0b42814eb835344d5ae5fd%2Fdefine-vpn-gateway-protocol.png?alt=media)
{% endtab %}

{% tab title="WireGuard®" %}
Enter the following details:

* **Private Key:** Enter the Private Key. For more information about generating a private key, see the [<mark style="color:blue;">FAQ</mark>](https://docs.ionos.com/sections-test/guides/network-services/faqs#wireguard-private-keys).
* **Interface IPv4 IP:** Mandatory if IPv6 is not provided.
* **Interface IPv6 IP:** Mandatory if IPv4 is not provided.
* **Listen Port (optional):** Specifies the UDP port on which a WireGuard interface will listen for incoming encrypted VPN packets.

![Selecting WireGuard® VPN Gateway Protocol](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-619ac14968f93afc6b773e85f93676c89ddd9119%2Fdefine-vpn-gateway-protocol-wireguard.png?alt=media)
{% endtab %}
{% endtabs %}
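A pre-flight check for the WireGuard fields listed above, as an added example that is not part of the IONOS documentation: it generates a private key in the 32-byte base64 form that `wg genkey` prints and checks a set of values before you enter them in the DCD. The function names, the sample addresses, the 1 to 65535 port range and the acceptance of an address with a prefix length are assumptions made for this example.

```python
import base64
import binascii
import ipaddress
import secrets


def generate_private_key() -> str:
    """Return a new private key in the base64 form that `wg genkey` prints."""
    key = bytearray(secrets.token_bytes(32))   # CSPRNG, never random.random()
    key[0] &= 248                               # Curve25519 clamping
    key[31] = (key[31] & 127) | 64
    return base64.b64encode(bytes(key)).decode("ascii")


def check_wireguard_fields(private_key, ipv4=None, ipv6=None, listen_port=None):
    """Return a list of problems; an empty list means the values are consistent.

    Messages never include the key, so they are safe to log.
    """
    problems = []
    try:
        raw = base64.b64decode(private_key, validate=True)
    except (binascii.Error, ValueError):
        raw = b""
    if len(raw) != 32:
        problems.append("private key is not base64 for exactly 32 bytes")
    if not ipv4 and not ipv6:
        problems.append("provide an interface IPv4 or IPv6 address")
    for version, value in ((4, ipv4), (6, ipv6)):
        if not value:
            continue
        try:
            # Assumption: the address may carry a prefix length ("10.7.222.1/24").
            ok = ipaddress.ip_interface(value).version == version
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"interface IPv{version} address is not valid: {value}")
    # Assumption: any UDP port from 1 to 65535 is acceptable.
    if listen_port is not None and not 1 <= listen_port <= 65535:
        problems.append("listen port must be between 1 and 65535")
    return problems
```

Keep the generated key out of shell history, tickets and logs; only the matching public key is meant to be shared with peers.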

## Define LAN Connections

You can specify the LANs you want to connect to the data center in the VDC. You can add new LAN connections, and edit or delete existing ones.

{% hint style="info" %}
**Note:**

* Ensure that the selected Private IP address is not already in use within the VDC.
* We recommend using an IP address from .2 to .9 within the CIDR range allocated to the LAN.
* VPN Gateways do not support connecting to LANs directly managed by Managed Kubernetes. However, you can attach additional LANs to node pools and connect these LANs to a VPN Gateway.
  {% endhint %}

1\. **Datacenter:** Select a data center from the drop-down list to associate it with the VPN Gateway. The available data centers in the drop-down list vary according to the chosen **Location**.

2\. **Connections:** Select **Add LAN Connection** to choose a LAN for the data center. You can select an IPv4 CIDR (and an IPv6 CIDR, which is optional) for your LAN connection.
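The note's two address rules (not already in use, and within .2 to .9 of the LAN range) can be checked before you add the connection. This is an added example, not IONOS code: the function names and sample addresses are constructed, and ".2 to .9" is interpreted as host offsets 2 through 9 from the LAN's network address, which for a /24 is the last octet.

```python
import ipaddress

RECOMMENDED_OFFSETS = range(2, 10)   # ".2 to .9", counted from the network address


def check_gateway_ip(lan_cidr, gateway_ip, in_use=()):
    """Return a list of problems with gateway_ip for this LAN; empty means OK.

    in_use is the list of addresses you already know are taken in the VDC.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    ip = ipaddress.ip_address(gateway_ip)
    if ip.version != lan.version or ip not in lan:
        return [f"{ip} is outside the LAN range {lan}"]
    problems = []
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        problems.append(f"{ip} is already in use in the VDC")
    offset = int(ip) - int(lan.network_address)
    if offset not in RECOMMENDED_OFFSETS:
        problems.append(f"{ip} is outside the recommended .2 to .9 range")
    return problems


def suggest_gateway_ip(lan_cidr, in_use=()):
    """Return the first free recommended address as a string, or None."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    taken = {ipaddress.ip_address(a) for a in in_use}
    for offset in RECOMMENDED_OFFSETS:
        # Small ranges (a /29, for instance) end before .9; stop ahead of
        # the last address, which is the broadcast address on IPv4.
        if offset >= lan.num_addresses - 1:
            break
        candidate = lan.network_address + offset
        if candidate not in taken:
            return str(candidate)
    return None
```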

![Define LAN Connection](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-dcc2dd4861413bbdd0a71cd3196a4e67d4ba77c8%2Fvpn-gateway-lan-connections.png?alt=media)

The DCD offers a visual representation of the LANs that are connected to the VPN Gateway.

![View the LANs connected to the VPN Gateway](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-b29d07a50c99aba2bf459fb48c14ec1a7e94ba5e%2Fvpn-gateway-lan-connections-visual.png?alt=media)

## Schedule VPN Gateway maintenance

The maintenance window begins at your chosen start time (UTC) and lasts four hours.

{% hint style="info" %}
**Note:**

* We recommend choosing the day and time appropriately because the maintenance occurs in a **4-hour-long window**.
* During the scheduled maintenance, you can only [<mark style="color:blue;">update</mark>](https://docs.ionos.com/sections-test/guides/network-services/vpn-gateway/dcd-how-tos/update-vpn-gateway) the VPN gateway's name and description. You must wait until the maintenance process is finished before modifying the other details.
  {% endhint %}

1\. **DAY:** Select a day from the drop-down list to set a day for maintenance.

2\. **TIME:** Enter a time using the pre-defined format (hh:mm:ss) to schedule the maintenance task. You can also click the ![](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-78dc1fcfac8420a5b5d3dfe8bf77fb4efc818bd7%2Fmariadb-dcd-clock-icon.png?alt=media) icon to set a time.

![Schedule maintenance](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-f828a723e0efe620d66e08fe6dfbbd66beb1f1c4%2Fvpn-gateway-maintenance.png?alt=media)
