AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-07-04 · Documentation low

File: vpn/latest/s2svpn/cgw-options.md

Summary

Updated customer gateway IP address requirements to include IPv6 support and added dedicated IPv6 customer gateway configuration section

Security assessment

The changes expand documentation for IPv6 compatibility, including technical requirements for internet-routable addresses and device capabilities. While IPsec is mentioned, this reflects standard VPN configuration rather than new security features or vulnerability fixes.

Diff

diff --git a/vpn/latest/s2svpn/cgw-options.md b/vpn/latest/s2svpn/cgw-options.md
index d9c112532..0c71e7068 100644
--- a//vpn/latest/s2svpn/cgw-options.md
+++ b//vpn/latest/s2svpn/cgw-options.md
@@ -4,0 +5,2 @@
+IPv6 customer gateway options
+
@@ -20 +22 @@ If you don't have a public ASN, you can use a private ASN in the range of 64,512
-The IP address of the customer gateway device's external interface. |  The IP address must be static. If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See [Firewall rules](./FirewallRules.html) for more info. An IP address is not required when you are using a private certificate from AWS Private Certificate Authority and a public VPN.  
+The IP address of the customer gateway device's external interface. |  The IP address must be static and can be either IPv4 or IPv6. For IPv4 addresses: If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See [Firewall rules](./FirewallRules.html) for more info. For IPv6 addresses: The address must be a valid, internet-routable IPv6 address. IPv6 addresses are only supported for VPN connections on a transit gateway or Cloud WAN. An IP address is not required when you are using a private certificate from AWS Private Certificate Authority and a public VPN.  
@@ -23,0 +26,17 @@ The IP address of the customer gateway device's external interface. |  The IP ad
+## IPv6 customer gateway options
+
+When creating a customer gateway with an IPv6 address, consider the following:
+
+  * IPv6 customer gateways are only supported for VPN connections on a transit gateway or Cloud WAN.
+
+  * The IPv6 address must be a valid, internet-routable IPv6 address.
+
+  * Your customer gateway device must support IPv6 addressing and be able to establish IPsec tunnels with IPv6 endpoints.
+
+  * To create an IPv6 customer gateway using the AWS CLI, use an IPv6 address for the `--ip-address` parameter:
+    
+        aws ec2 create-customer-gateway --ip-address 2001:0db8:85a3:0000:0000:8a2e:0370:7334 --bgp-asn 65051 --type ipsec.1 --region us-west-1
+
+
+
+