diff --git a/.changelog/3373.txt b/.changelog/3373.txt
new file mode 100644
index 0000000000..65e19882b3
--- /dev/null
+++ b/.changelog/3373.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_vpn_connection: update `security_group_policy` code logic
+```
\ No newline at end of file
diff --git a/tencentcloud/services/vpc/service_tencentcloud_vpc.go b/tencentcloud/services/vpc/service_tencentcloud_vpc.go
index 0b9d91bdb7..2315dc9788 100644
--- a/tencentcloud/services/vpc/service_tencentcloud_vpc.go
+++ b/tencentcloud/services/vpc/service_tencentcloud_vpc.go
@@ -4256,31 +4256,44 @@ func (me *VpcService) DescribeVpngwById(ctx context.Context, vpngwId string) (ha
 	var (
 		logId    = tccommon.GetLogId(ctx)
 		request  = vpc.NewDescribeVpnGatewaysRequest()
-		response *vpc.DescribeVpnGatewaysResponse
+		response = vpc.NewDescribeVpnGatewaysResponse()
 	)
+
+	var specArgs connectivity.IacExtInfo
+	specArgs.InstanceId = vpngwId
+
 	request.VpnGatewayIds = []*string{&vpngwId}
 	err = resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
-		var specArgs connectivity.IacExtInfo
-		specArgs.InstanceId = vpngwId
-		response, err = me.client.UseVpcClient(specArgs).DescribeVpnGateways(request)
+		result, err := me.client.UseVpcClient(specArgs).DescribeVpnGateways(request)
 		if err != nil {
 			ee, ok := err.(*sdkErrors.TencentCloudSDKError)
 			if !ok {
 				return tccommon.RetryError(err)
 			}
+
 			if ee.Code == VPCNotFound {
 				return nil
 			} else {
 				return tccommon.RetryError(err)
 			}
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
 		}
+
+		if result == nil || result.Response == nil {
+			return resource.NonRetryableError(fmt.Errorf("Describ vpn gateways failed, Response is nil."))
+		}
+
+		response = result
 		return nil
 	})
+
 	if err != nil {
 		log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%v]", logId, request.GetAction(), request.ToJsonString(), err)
 		return
 	}
-	if response == nil || response.Response == nil || len(response.Response.VpnGatewaySet) < 1 {
+
+	if len(response.Response.VpnGatewaySet) < 1 {
 		has = false
 		return
 	}
diff --git a/tencentcloud/services/vpn/resource_tc_vpn_connection.go b/tencentcloud/services/vpn/resource_tc_vpn_connection.go
index 4917cf3512..f42e89278f 100644
--- a/tencentcloud/services/vpn/resource_tc_vpn_connection.go
+++ b/tencentcloud/services/vpn/resource_tc_vpn_connection.go
@@ -378,6 +378,7 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 	if err != nil {
 		return err
 	}
+
 	if !has {
 		return fmt.Errorf("[CRITAL] vpn_gateway_id %s doesn't exist", d.Get("vpn_gateway_id").(string))
 	}
@@ -396,6 +397,7 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 		}
 		request.VpcId = helper.String("")
 	}
+
 	request.VpnGatewayId = helper.String(d.Get("vpn_gateway_id").(string))
 	request.CustomerGatewayId = helper.String(d.Get("customer_gateway_id").(string))
 	request.PreShareKey = helper.String(d.Get("pre_share_key").(string))
@@ -403,9 +405,11 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 		dpdEnable := v.(int)
 		request.DpdEnable = helper.IntInt64(dpdEnable)
 	}
+
 	if v, ok := d.GetOk("dpd_action"); ok {
 		request.DpdAction = helper.String(v.(string))
 	}
+
 	if v, ok := d.GetOk("dpd_timeout"); ok {
 		request.DpdTimeout = helper.String(strconv.Itoa(v.(int)))
 	}
@@ -418,22 +422,26 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 		request.NegotiationType = helper.String(v.(string))
 	}
 
-	//set up  SecurityPolicyDatabases
+	//set up SecurityPolicyDatabases
 	if v, ok := d.GetOk("security_group_policy"); ok {
-		sgps := v.(*schema.Set).List()
-		request.SecurityPolicyDatabases = make([]*vpc.SecurityPolicyDatabase, 0, len(sgps))
-		for _, v := range sgps {
-			m := v.(map[string]interface{})
-			var sgp vpc.SecurityPolicyDatabase
-			local := m["local_cidr_block"].(string)
-			sgp.LocalCidrBlock = &local
-			// list
-			remoteCidrBlocks := m["remote_cidr_block"].(*schema.Set).List()
-			for _, vv := range remoteCidrBlocks {
-				remoteCidrBlock := vv.(string)
-				sgp.RemoteCidrBlock = append(sgp.RemoteCidrBlock, &remoteCidrBlock)
+		for _, item := range v.(*schema.Set).List() {
+			if dMap, ok := item.(map[string]interface{}); ok && dMap != nil {
+				var sgp vpc.SecurityPolicyDatabase
+				if v, ok := dMap["local_cidr_block"].(string); ok && v != "" {
+					sgp.LocalCidrBlock = &v
+				}
+
+				if v, ok := dMap["remote_cidr_block"].(*schema.Set); ok {
+					remoteCidrBlocks := v.List()
+					for _, rcb := range remoteCidrBlocks {
+						if v, ok := rcb.(string); ok && v != "" {
+							sgp.RemoteCidrBlock = append(sgp.RemoteCidrBlock, &v)
+						}
+					}
+				}
+
+				request.SecurityPolicyDatabases = append(request.SecurityPolicyDatabases, &sgp)
 			}
-			request.SecurityPolicyDatabases = append(request.SecurityPolicyDatabases, &sgp)
 		}
 	}
 
@@ -457,6 +465,7 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 			return fmt.Errorf("ike_local_fqdn_name need to be set when ike_local_identity is `FQDN`")
 		}
 	}
+
 	if *ikeOptionsSpecification.LocalIdentity == svcvpc.VPN_IKE_IDENTITY_ADDRESS {
 		if v, ok := d.GetOk("ike_remote_address"); ok {
 			ikeOptionsSpecification.RemoteAddress = helper.String(v.(string))
@@ -493,9 +502,11 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 	if v, ok := d.GetOk("enable_health_check"); ok {
 		request.EnableHealthCheck = helper.Bool(v.(bool))
 	}
+
 	if v, ok := d.GetOk("health_check_local_ip"); ok {
 		request.HealthCheckLocalIp = helper.String(v.(string))
 	}
+
 	if v, ok := d.GetOk("health_check_remote_ip"); ok {
 		request.HealthCheckRemoteIp = helper.String(v.(string))
 	}
@@ -564,20 +575,27 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 	err = resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
 		result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseVpcClient().CreateVpnConnection(request)
 		if e != nil {
-			log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n",
-				logId, request.GetAction(), request.ToJsonString(), e.Error())
+			log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", logId, request.GetAction(), request.ToJsonString(), e.Error())
 			return tccommon.RetryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
 		}
+
+		if result == nil || result.Response == nil {
+			return resource.NonRetryableError(fmt.Errorf("Create VPN connection failed, Response is nil."))
+		}
+
 		response = result
 		return nil
 	})
+
 	if err != nil {
 		log.Printf("[CRITAL]%s create VPN connection failed, reason:%s\n", logId, err.Error())
 		return err
 	}
 
 	if response.Response.VpnConnection == nil {
-		return fmt.Errorf("VPN connection id is nil")
+		return fmt.Errorf("VpnConnection is nil.")
 	}
 
 	vpnConnectionId := ""
@@ -589,28 +607,31 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 		if v, ok := d.GetOk("vpn_gateway_id"); ok {
 			params["vpn-gateway-id"] = v.(string)
 		}
+
 		if v, ok := d.GetOk("vpc_id"); ok && *gateway.Type != "CCN" {
 			params["vpc-id"] = v.(string)
 		}
+
 		if v, ok := d.GetOk("customer_gateway_id"); ok {
 			params["customer-gateway-id"] = v.(string)
 		}
+
 		for k, v := range params {
 			filter := &vpc.Filter{
 				Name:   helper.String(k),
 				Values: []*string{helper.String(v)},
 			}
+
 			idRequest.Filters = append(idRequest.Filters, filter)
 		}
+
 		offset := uint64(0)
 		idRequest.Offset = &offset
 
 		err = resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
 			result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseVpcClient().DescribeVpnConnections(idRequest)
-
 			if e != nil {
-				log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n",
-					logId, idRequest.GetAction(), idRequest.ToJsonString(), e.Error())
+				log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", logId, idRequest.GetAction(), idRequest.ToJsonString(), e.Error())
 				return tccommon.RetryError(e, tccommon.InternalError)
 			} else {
 				if len(result.Response.VpnConnectionSet) == 0 || *result.Response.VpnConnectionSet[0].VpnConnectionId == "" {
@@ -629,7 +650,7 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 	}
 
 	if vpnConnectionId == "" {
-		return fmt.Errorf("VPN connection id is nil")
+		return fmt.Errorf("VPN connection id is nil.")
 	}
 
 	d.SetId(vpnConnectionId)
diff --git a/tencentcloud/services/vpn/resource_tc_vpn_connection.md b/tencentcloud/services/vpn/resource_tc_vpn_connection.md
index db2697eea3..f66d3b89ea 100644
--- a/tencentcloud/services/vpn/resource_tc_vpn_connection.md
+++ b/tencentcloud/services/vpn/resource_tc_vpn_connection.md
@@ -57,5 +57,5 @@ Import
 VPN connection can be imported using the id, e.g.
 
 ```
-$ terraform import tencentcloud_vpn_connection.foo vpnx-nadifg3s
-```
\ No newline at end of file
+$ terraform import tencentcloud_vpn_connection.example vpnx-nadifg3s
+```
diff --git a/website/docs/r/vpn_connection.html.markdown b/website/docs/r/vpn_connection.html.markdown
index 0daff14917..fafaa6511a 100644
--- a/website/docs/r/vpn_connection.html.markdown
+++ b/website/docs/r/vpn_connection.html.markdown
@@ -138,6 +138,6 @@ In addition to all arguments above, the following attributes are exported:
 VPN connection can be imported using the id, e.g.
 
 ```
-$ terraform import tencentcloud_vpn_connection.foo vpnx-nadifg3s
+$ terraform import tencentcloud_vpn_connection.example vpnx-nadifg3s
 ```