AWS vpn documentation change
Summary
Added configuration guidance about using RFC 1918 addresses and avoiding point-to-point IPs for eBGP peering in AWS Private IP VPN setups
Security assessment
The change adds security best practices documentation about proper IP addressing to prevent misconfiguration. While it enhances security posture, there's no direct evidence it addresses a specific known vulnerability.
Diff
diff --git a/vpn/latest/s2svpn/private-ip-dx-steps.md b/vpn/latest/s2svpn/private-ip-dx-steps.md index 2abfd38cb..577b0cdb6 100644 --- a/vpn/latest/s2svpn/private-ip-dx-steps.md +++ b/vpn/latest/s2svpn/private-ip-dx-steps.md @@ -42,0 +43,6 @@ A customer gateway is a resource that you create in AWS. It represents the custo +###### Important + +When configuring AWS Private IP AWS Site-to-Site VPN, you must specify your own tunnel endpoint IP addresses using RFC 1918 addresses. Do not use the point-to-point IP addresses for the eBGP peering between your customer gateway router and the AWS Direct Connect endpoint. AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of point-to-point connections. + +For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918). +