Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.


Provides information to AWS about your VPN customer gateway device. The customer gateway is the appliance at your end of the VPN connection. (The device on the AWS side of the VPN connection is the virtual private gateway.) You must provide the Internet-routable IP address of the customer gateway's external interface. The IP address must be static and can be behind a device performing network address translation (NAT).

For devices that use Border Gateway Protocol (BGP), you can also provide the device's BGP Autonomous System Number (ASN). You can use an existing ASN assigned to your network. If you don't have an ASN already, you can use a private ASN (in the 64512 - 65534 range).


Amazon EC2 supports all 2-byte ASN numbers in the range of 1 - 65534, with the exception of 7224, which is reserved in the us-east-1 Region, and 9059, which is reserved in the eu-west-1 Region.

For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.


You cannot create more than one customer gateway with the same VPN type, IP address, and BGP ASN parameter values. If you run an identical request more than one time, the first request creates the customer gateway, and subsequent requests return information about the existing customer gateway. The subsequent requests do not create new customer gateway resources.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


For devices that support BGP, the customer gateway's BGP ASN.

Default: 65000

Type: Integer

Required: Yes


The Amazon Resource Name (ARN) for the customer gateway certificate.

Type: String

Required: No


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


The Internet-routable IP address for the customer gateway's outside interface. The address must be static.

Type: String

Required: No


The type of VPN connection that this customer gateway supports (ipsec.1).

Type: String

Valid Values: ipsec.1

Required: Yes

Response Elements

The following elements are returned by the service.


Information about the customer gateway.

Type: CustomerGateway object


The ID of the request.

Type: String


For information about the errors that are common to all actions, see Common Client Errors.



This example passes information to AWS about the customer gateway with the IP address and BGP ASN 65534.

Sample Request &Type=ipsec.1 &IpAddress= &BgpAsn=65534 &AUTHPARAMS

Sample Response

<CreateCustomerGatewayResponse xmlns=""> <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId> <customerGateway> <customerGatewayId>cgw-b4dc3961</customerGatewayId> <state>pending</state> <type>ipsec.1</type> <ipAddress></ipAddress> <bgpAsn>65534</bgpAsn> <tagSet/> </customerGateway> </CreateCustomerGatewayResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: