On Managed VPN, why did you say that Customer Gateway has to be created on the AWS? I believe VPG is what we create on AWS side and Customer Gateway is built on-premises. Am I wrong?
4 Answers
What Is a Customer Gateway?
An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
In other words with Customer Gateway you describe your onsite equipment IP address and give the name like HQFirewall1.
https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html
You are creating a configuration "container" or a "resource" in AWS – check the documentation below for diagrams and such. It’s a bit confusing, but it’s not that you create the customer side gateway in AWS. You need to create that resource in AWS first, so you can get the configuration parameters to use when setting up your end gateway device/appliance.
"To create a Site-to-Site VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. The following table describes the information you’ll need to create a customer gateway resource."
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
Hope this helps!
Hello Suneel,
The term "Customer Gateway" can be a bit confusing. In you environment it is a device, but in terms of setup it is a configuration in the AWS console or CLI.
You create it on the AWS system to allow AWS to identify that you plan to make a connection, where you plan to connect from and how. In response AWS gives you specific configuration data that you will use when you define the virtual address on your on-prem physical device. In reality this is very much like the process you would use with a network provider where you exchange configuration information so that the devices on both sides of the connection can be configured to work together.
I think the CLI doc captures it quite well.
Plus the links provided above are also good reading to help you have a solid understanding for future work situations and to prepare for the exams.
Rusty
Moderator & Coach
I have never liked this part of AWS networking. It’s confusing to the point of being wrong. AWS’s term "Customer Gateway" is a resource at AWS (not in the customer’s network), yet in all drawings the Customer Gateway is shown on the customer’s network. That does not make sense. They are using the same term for two different things. Who made that decision?
AWS needs a separate term for the resource (hardware or software) that terminates the VPN connection at the customer’s network. Maybe something like "Customer VPN", "Customer VPN Endpoint", "Customer VPN device". Pretty much anything but "Customer Gateway". The diagrams also show the Customer Gateway to be at the customer’s side of the network connection. That’s gotta confuse people learning about AWS! If I follow the instruction I setup the customer gateway at AWS. I then look at the drawing from AWS and it shows the Customer Gateway on my corporate network — huh??
I know we can’t solve the problem, but it would help if ACG would call this out in courses to make sure it’s understood this is a confusing topic.