AWS Site-to-Site VPN
User Guide

Customer Gateway Options for Your Site-to-Site VPN Connection

The following table describes the information you'll need to create a customer gateway resource.

Item: (Optional) Internet-routable IP address (static) of the customer gateway device's external interface.

Description: The public IP address value must be static. If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.

This is not required when you are using a private certificate from AWS Certificate Manager Private Certificate Authority.

Item: The type of routing—static or dynamic.

Description: For more information, see Site-to-Site VPN Routing Options.

Item: (Dynamic routing only) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway.

Description: You can use an existing ASN assigned to your network. If you don't have one, you can use a private ASN (in the 64512–65534 range).

If you use the VPC wizard in the console to set up your VPC, we automatically use 65000 as the ASN.

Item: (Optional) Private certificate from a subordinate CA using AWS Certificate Manager (ACM)

Description: If you want to use certificate-based authentication, provide the ARN of an ACM private certificate that will be used on your customer gateway device.

When you create a customer gateway, you can configure the customer gateway to use AWS Certificate Manager Private Certificate Authority private certificates to authenticate the Site-to-Site VPN.

When you choose to use this option, you create an entirely AWS-hosted private certificate authority (CA) for internal use by your organization. Both the root CA certificate and subordinate CA certificates are stored and managed by ACM Private CA.

Before you create the customer gateway, you create a private certificate from a subordinate CA using AWS Certificate Manager Private Certificate Authority, and then specify the certificate when you configure the customer gateway. For information about creating a private certificate, see Creating and Managing a Private CA in the AWS Certificate Manager Private Certificate Authority User Guide.
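The following is an added example, not code from the AWS guide: it applies the rules in the table above (static internet-routable IP, private ASN range, certificate ARN making the IP optional) and assembles the parameters for an EC2 CreateCustomerGateway call without contacting AWS. The field names Type, IpAddress, BgpAsn and CertificateArn are assumed to match the EC2 API.

```python
import ipaddress
from typing import Optional

# Constructed example (not AWS code). Address blocks that are never
# internet-routable; documentation ranges such as 203.0.113.0/24 are
# deliberately accepted so sample values can be exercised offline.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

PRIVATE_ASN_RANGE = range(64512, 65535)  # 64512-65534 inclusive
VPC_WIZARD_DEFAULT_ASN = 65000           # what the console VPC wizard uses


def is_internet_routable(ip: str) -> bool:
    """True for an IPv4 address that can be reached from the internet."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return not any(addr in net for net in NON_ROUTABLE_V4)


def is_private_asn(asn: int) -> bool:
    """True when the ASN falls in the private range the guide recommends."""
    return asn in PRIVATE_ASN_RANGE


def build_customer_gateway_request(public_ip: Optional[str] = None,
                                   bgp_asn: Optional[int] = None,
                                   certificate_arn: Optional[str] = None) -> dict:
    """Return CreateCustomerGateway parameters (assumed names) or raise ValueError."""
    if public_ip is None and certificate_arn is None:
        raise ValueError("a static public IP is required unless an ACM "
                         "private certificate ARN is supplied")
    request = {"Type": "ipsec.1"}
    if public_ip is not None:
        # Behind NAT-T this must be the NAT device's address, with UDP 4500 open.
        if not is_internet_routable(public_ip):
            raise ValueError(f"{public_ip} is not an internet-routable IPv4 address")
        request["IpAddress"] = public_ip
    if certificate_arn is not None:
        parts = certificate_arn.split(":")  # arn:partition:acm:region:account:...
        if len(parts) < 6 or parts[0] != "arn" or parts[2] != "acm":
            raise ValueError("certificate_arn must be an ACM certificate ARN")
        request["CertificateArn"] = certificate_arn
    # Use the customer's own ASN, a private one, or the wizard default (65000).
    asn = VPC_WIZARD_DEFAULT_ASN if bgp_asn is None else bgp_asn
    if asn <= 0:
        raise ValueError("BGP ASN must be a positive integer")
    request["BgpAsn"] = asn
    return request
```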