Customer gateway options for your AWS Site-to-Site VPN connection

The following table describes the information you'll need to create a customer gateway resource in AWS.

Item	Description
(Optional) Name tag.	Creates a tag with a key of 'Name' and a value that you specify.
(Dynamic routing only) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway.	ASN in the range of 1–4,294,967,295 is supported. You can use an existing public ASN assigned to your network, with the exception of the following: 7224 — Reserved in all Regions 9059 — Reserved in the `eu-west-1` Region 10124 — Reserved in the `ap-northeast-1` Region 17943 — Reserved in the `ap-southeast-1` Region If you don't have a public ASN, you can use a private ASN in the range of 64,512–65,534 or 4,200,000,000–4,294,967,294. The default ASN is 64512. For more information about routing, see AWS Site-to-Site VPN routing options.
(Optional) The IP address of the customer gateway device's external interface.	The IP address must be static. If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See Firewall rules for more info. An IP address is not required when you are using a private certificate from AWS Private Certificate Authority and a public VPN.
(Optional) Private certificate from a subordinate CA using AWS Certificate Manager (ACM).	If you want to use certificate based authentication, provide the ARN of an ACM private certificate that will be used on your customer gateway device. When you create a customer gateway, you can configure the customer gateway to use AWS Private Certificate Authority private certificates to authenticate the Site-to-Site VPN. When you choose to use this option, you create an entirely AWS-hosted private certificate authority (CA) for internal use by your organization. Both the root CA certificate and subordinate CA certificates are stored and managed by AWS Private CA. Before you create the customer gateway, you create a private certificate from a subordinate CA using AWS Private Certificate Authority, and then specify the certificate when you configure the customer gateway. For information about creating a private certificate, see Creating and managing a private CA in the AWS Private Certificate Authority User Guide.
(Optional) Device.	A name for the customer gateway device associated with this customer gateway.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Turn tunnel endpoint lifecycle control off

Accelerated VPN connections