VPN Gateway: Customer Gateway

Last Updated: Mar 25, 2026

A customer gateway is a resource that defines your on-premises gateway device for an IPsec-VPN connection. By creating a customer gateway, you register the IP address and autonomous system number (ASN) of your on-premises device with Alibaba Cloud. Your device can use only the registered IP address and ASN to establish an IPsec-VPN connection with Alibaba Cloud. A customer gateway works with an IPsec-VPN connection, a VPN Gateway, or a transit router (TR) to form a complete VPN tunnel.

Create a customer gateway

Console

  1. Navigate to the Customer Gateway page on the VPN Gateway console. In the top navigation bar, select the region where you want to create the customer gateway. The customer gateway must be in the same region as the associated VPN Gateway instance or transit router instance.

  2. Click Create Customer Gateway, set the following parameters, and click OK.

    • IP Address: To create a public IPsec-VPN connection, enter the static public IP address of the gateway device in your on-premises data center. To create a private IPsec-VPN connection, enter the static private IP address of the gateway device in your on-premises data center.

      The following IP address ranges are not supported: 100.64.0.0 to 100.127.255.255; 127.0.0.0 to 127.255.255.255; 169.254.0.0 to 169.254.255.255; 224.0.0.0 to 239.255.255.255; 255.0.0.0 to 255.255.255.255.
    • ASN: If you plan to enable Border Gateway Protocol (BGP), enter the autonomous system number (ASN) of the gateway device in your on-premises data center.

      • Valid values: 1 to 4,294,967,295. The ASN cannot be 45104, which is the ASN of Alibaba Cloud.

      • You can enter the ASN in a two-segment format: the first 16 bits followed by the last 16 bits, separated by a period. Enter each segment in decimal format. For example, if you enter 123.456, the ASN is calculated as 123 × 65536 + 456 = 8061384.

API

Call the CreateCustomerGateway operation:

  • Set the RegionId parameter to the ID of the region where you want to create the customer gateway. You can call the DescribeRegions operation to obtain region IDs. The region of the customer gateway must be the same as the region of the VPN Gateway instance or the transit router instance.

  • Set the IpAddress parameter to the static IP address of the gateway device in your on-premises data center.

  • (Optional) Set the Asn parameter to the ASN of the gateway device in your on-premises data center.
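The following added example (not Alibaba Cloud code) checks the IpAddress and Asn values against the limits listed on this page before a CreateCustomerGateway call is made. The function names are hypothetical, the address is assumed to be IPv4, and the returned dict is a plain parameter map, not an SDK request object.

```python
import ipaddress

# Hypothetical pre-flight check; limits are copied from this page.
# Unsupported ranges as listed (inclusive start, end).
UNSUPPORTED_RANGES = [
    ("100.64.0.0", "100.127.255.255"),
    ("127.0.0.0", "127.255.255.255"),
    ("169.254.0.0", "169.254.255.255"),
    ("224.0.0.0", "239.255.255.255"),
    ("255.0.0.0", "255.255.255.255"),
]
ALIBABA_CLOUD_ASN = 45104
ASN_MAX = 4294967295


def check_ip_address(value):
    """Return the normalized address (assumed IPv4), or raise ValueError."""
    ip = ipaddress.IPv4Address(value.strip())
    for start, end in UNSUPPORTED_RANGES:
        if ipaddress.IPv4Address(start) <= ip <= ipaddress.IPv4Address(end):
            raise ValueError(f"{ip} is in unsupported range {start} to {end}")
    return str(ip)


def parse_asn(value):
    """Accept '8061384' or two-segment '123.456'; return the ASN as an int."""
    parts = str(value).strip().split(".")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"malformed ASN: {value!r}")
    if len(parts) == 2:
        high, low = int(parts[0]), int(parts[1])
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError("each segment must fit in 16 bits (0 to 65535)")
        asn = high * 65536 + low
    else:
        asn = int(parts[0])
    if not 1 <= asn <= ASN_MAX:
        raise ValueError(f"ASN {asn} is outside 1 to {ASN_MAX}")
    if asn == ALIBABA_CLOUD_ASN:
        raise ValueError("ASN 45104 belongs to Alibaba Cloud")
    return asn


def build_request(region_id, ip_address, asn=None):
    """Return validated CreateCustomerGateway parameters as a dict."""
    params = {"RegionId": region_id, "IpAddress": check_ip_address(ip_address)}
    if asn is not None:
        params["Asn"] = parse_asn(asn)
    return params
```

Because the IP address and ASN of a customer gateway cannot be modified after creation, rejecting a bad value before the call avoids a delete-and-recreate cycle.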

After you create a customer gateway, you can create an IPsec-VPN connection. For more information, refer to the following topics:

Modify an IP address or ASN

You cannot directly modify the IP address or ASN of a customer gateway. To change the IP address or ASN, delete the customer gateway and create a new one.

Delete a customer gateway

Before you delete a customer gateway, ensure that it is not associated with any IPsec-VPN connections. For more information, refer to the following topics:

Console

  1. Navigate to the Customer Gateway page on the VPN Gateway console. In the top navigation bar, select the region where the customer gateway is located.

  2. Find the customer gateway that you want to delete. In the Actions column, click Delete and confirm the deletion.

API

Call the DeleteCustomerGateway operation:

  • Set the RegionId parameter to the ID of the region of the customer gateway. You can call the DescribeRegions operation to obtain region IDs.

  • Set the CustomerGatewayId parameter to the ID of the customer gateway that you want to delete. You can call the DescribeCustomerGateways operation to obtain the IDs of existing customer gateways.

Billing

Customer gateways are free of charge. After you use a customer gateway to create an IPsec-VPN connection, you are charged for the IPsec-VPN connection based on the attached resource type. For more information, refer to IPsec-VPN billing.