Customer gateway options for your Site-to-Site VPN connection - AWS Site-to-Site VPN

Customer gateway options for your Site-to-Site VPN connection

The following table describes the information you'll need to create a customer gateway resource in AWS.

Item Description

(Optional) The IP address of the customer gateway device's external interface.

The IP address must be static.

If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT-traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See Firewall Rules for more info.

An IP address is not required when you are using a private certificate from AWS Certificate Manager Private Certificate Authority.

The type of routing—static or dynamic.

For more information, see Site-to-Site VPN routing options.

(Dynamic routing only) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway.

ASN in the range of 1 – 2,147,483,647 is supported. You can use an existing public ASN assigned to your network, with the exception of the following:

  • 7224 - Reserved in all Regions

  • 9059 - Reserved in the eu-west-1 Region

  • 10124 - Reserved in the ap-northeast-1 Region

  • 17943 - Reserved in the ap-southeast-1 Region

If you don't have a public ASN, you can use a private ASN in the range of 64,512–65,534. The default ASN is 65000. Customer gateways do not support private ASNs in the range 4,200,000,000 to 4,294,967,294.

(Optional) Private certificate from a subordinate CA using AWS Certificate Manager (ACM)

If you want to use certificate based authentication, provide the ARN of an ACM private certificate that will be used on your customer gateway device.

When you create a customer gateway, you can configure the customer gateway to use AWS Certificate Manager Private Certificate Authority private certificates to authenticate the Site-to-Site VPN.

When you choose to use this option, you create an entirely AWS-hosted private certificate authority (CA) for internal use by your organization. Both the root CA certificate and subordinate CA certificates are stored and managed by ACM Private CA.

Before you create the customer gateway, you create a private certificate from a subordinate CA using AWS Certificate Manager Private Certificate Authority, and then specify the certificate when you configure the customer gateway. For information about creating a private certificate, see Creating and managing a private CA in the AWS Certificate Manager Private Certificate Authority User Guide.