Customer gateway options for your AWS Site-to-Site VPN connection

The following table describes the information you'll need to create a customer gateway resource in AWS.

Item / Description

(Optional) Name tag.

Creates a tag with a key of 'Name' and a value that you specify.

(Dynamic routing only) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway.

ASNs in the range 1–4,294,967,295 are supported. You can use an existing public ASN assigned to your network, with the exception of the following, which AWS reserves for its own side of the session:

  • 7224 — Reserved in all Regions

  • 9059 — Reserved in the eu-west-1 Region

  • 10124 — Reserved in the ap-northeast-1 Region

  • 17943 — Reserved in the ap-southeast-1 Region

If you don't have a public ASN, you can use a private ASN in the range of 64,512–65,534 or 4,200,000,000–4,294,967,294. The default ASN is 64512. For more information about routing, see AWS Site-to-Site VPN routing options.

The IP address of the customer gateway device's external interface.

The IP address must be static and can be either IPv4 or IPv6.

For IPv4 addresses: If your customer gateway device is behind a network address translation (NAT) device, use the public IP address of the NAT device, because that is the source address the AWS Site-to-Site VPN endpoints see. Also ensure that UDP port 500 (IKE) and, if NAT traversal is used, UDP port 4500 are allowed to pass between your network and the AWS Site-to-Site VPN endpoints; without NAT traversal, ESP (IP protocol 50) must be allowed as well. See Firewall rules for more info.

For IPv6 addresses: The address must be a valid, internet-routable IPv6 address. IPv6 addresses are only supported for VPN connections on a transit gateway or Cloud WAN.

An IP address is not required when you are using a private certificate from AWS Private Certificate Authority and a public VPN: the certificate, rather than the source address, identifies the customer gateway during IKE authentication.

(Optional) Private certificate from a subordinate CA using AWS Certificate Manager (ACM).

If you want to use certificate-based authentication, provide the ARN of an ACM private certificate that will be used on your customer gateway device.

When you create a customer gateway, you can configure it to use AWS Private Certificate Authority private certificates to authenticate the Site-to-Site VPN instead of a pre-shared key.

When you choose this option, you create an entirely AWS-hosted private certificate authority (CA) for internal use by your organization. Both the root CA certificate and subordinate CA certificates are stored and managed by AWS Private CA. The certificate and its private key are exported from ACM and installed on the customer gateway device, so the exported key material must be protected in transit and on the device as carefully as a pre-shared key would be.

Before you create the customer gateway, you create a private certificate from a subordinate CA using AWS Private Certificate Authority, and then specify the certificate when you configure the customer gateway. For information about creating a private certificate, see Creating and managing a private CA in the AWS Private Certificate Authority User Guide.

(Optional) Device.

A name for the customer gateway device associated with this customer gateway.

IPv6 customer gateway options

When creating a customer gateway with an IPv6 address, consider the following:

  • IPv6 customer gateways are only supported for VPN connections on a transit gateway or Cloud WAN.

  • The IPv6 address must be a valid, internet-routable IPv6 address.

  • Your customer gateway device must support IPv6 addressing and be able to establish IPsec tunnels with IPv6 endpoints.

  • To create an IPv6 customer gateway using the AWS CLI, use an IPv6 address for the --ip-address parameter:

    aws ec2 create-customer-gateway --ip-address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 --bgp-asn 65051 --type ipsec.1 --region us-west-1