AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-03-26 · Documentation medium

File: vpn/latest/s2svpn/private-ip-dx-steps.md

Summary

Added configuration guidance about using RFC 1918 addresses and avoiding point-to-point IPs for eBGP peering in AWS Private IP VPN setups

Security assessment

The change adds security best practices documentation about proper IP addressing to prevent misconfiguration. While it enhances security posture, there's no direct evidence it addresses a specific known vulnerability.

Diff

diff --git a/vpn/latest/s2svpn/private-ip-dx-steps.md b/vpn/latest/s2svpn/private-ip-dx-steps.md
index 2abfd38cb..577b0cdb6 100644
--- a/vpn/latest/s2svpn/private-ip-dx-steps.md
+++ b/vpn/latest/s2svpn/private-ip-dx-steps.md
@@ -42,0 +43,6 @@ A customer gateway is a resource that you create in AWS. It represents the custo
+###### Important
+
+When configuring AWS Private IP AWS Site-to-Site VPN, you must specify your own tunnel endpoint IP addresses using RFC 1918 addresses. Do not use the point-to-point IP addresses for the eBGP peering between your customer gateway router and the AWS Direct Connect endpoint. AWS recommends using a loopback or LAN interface on your customer gateway router as the source or destination address instead of point-to-point connections.
+
+For more information about RFC 1918, see [Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918).
+