CreateCustomerGateway - Amazon Elastic Compute Cloud


Provides information to AWS about your VPN customer gateway device. The customer gateway is the appliance at your end of the VPN connection. (The device on the AWS side of the VPN connection is the virtual private gateway.) You must provide the internet-routable IP address of the customer gateway's external interface. The IP address must be static and can be behind a device performing network address translation (NAT).

For devices that use Border Gateway Protocol (BGP), you can also provide the device's BGP Autonomous System Number (ASN). You can use an existing ASN assigned to your network. If you don't have an ASN already, you can use a private ASN (in the 64512 - 65534 range).


Amazon EC2 supports all 4-byte ASN numbers in the range of 1 - 2147483647, with the exception of the following:

  • 7224 - reserved in the us-east-1 Region

  • 9059 - reserved in the eu-west-1 Region

  • 17943 - reserved in the ap-southeast-1 Region

  • 10124 - reserved in the ap-northeast-1 Region

For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.


To create more than one customer gateway with the same VPN type, IP address, and BGP ASN, specify a unique device name for each customer gateway. Identical requests return information about the existing customer gateway and do not create new customer gateways.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


For devices that support BGP, the customer gateway's BGP ASN.

Default: 65000

Type: Integer

Required: Yes


The Amazon Resource Name (ARN) for the customer gateway certificate.

Type: String

Required: No


A name for the customer gateway device.

Length Constraints: Up to 255 characters.

Type: String

Required: No


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


The Internet-routable IP address for the customer gateway's outside interface. The address must be static.

Type: String

Required: No


The tags to apply to the customer gateway.

Type: Array of TagSpecification objects

Required: No


The type of VPN connection that this customer gateway supports (ipsec.1).

Type: String

Valid Values: ipsec.1

Required: Yes

Response Elements

The following elements are returned by the service.


Information about the customer gateway.

Type: CustomerGateway object


The ID of the request.

Type: String


For information about the errors that are common to all actions, see Common client error codes.



This example creates a customer gateway with the name my-device, the IP address, and BGP ASN 65534.

Sample Request &Type=ipsec.1 &PublicIp= &BgpAsn=65534 &DeviceName=my-device &AUTHPARAMS

Sample Response

<CreateCustomerGatewayResponse xmlns=""> <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId> <customerGateway> <customerGatewayId>cgw-11223344556677abc</customerGatewayId> <state>pending</state> <type>ipsec.1</type> <ipAddress></ipAddress> <bgpAsn>65534</bgpAsn> <deviceName>my-device</deviceName> <tagSet/> </customerGateway> </CreateCustomerGatewayResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: