All Products
Search
Document Center

VPN Gateway:Customer Gateway

Last Updated:May 13, 2026

A customer gateway represents your on-premises gateway device in an IPsec-VPN connection. When you create one, you register the device IP address and autonomous system number (ASN) with Alibaba Cloud. A customer gateway works with an IPsec-VPN connection and a VPN gateway or transit router to form a complete VPN tunnel.

Prerequisites

Have the following information ready:

Item Details
Static IP address Public IP for a public connection; private IP for a private connection
ASN (optional) Required only for BGP dynamic routing

Constraints

IP address constraints

The following IP ranges are not supported:

Range Type
100.64.0.0–100.127.255.255 Shared address space
127.0.0.0–127.255.255.255 Loopback
169.254.0.0–169.254.255.255 Link-local
224.0.0.0–239.255.255.255 Multicast
255.0.0.0–255.255.255.255 Reserved

ASN constraints

Constraint Details
Valid range 1–4,294,967,295
Reserved 45104 (Alibaba Cloud ASN) — reserved
Two-segment format Enter as first 16 bits, a period, and last 16 bits in decimal. For example, 123.456 equals 123 × 65,536 + 456 = 8,061,384

Region constraint

The customer gateway must be in the same region as the associated VPN gateway or transit router.

Create a customer gateway

Console

  1. Go to the Customer Gateway page in the VPN Gateway console. Select the target region.

  2. Click Create Customer Gateway and configure the following parameters.

    Parameter Description Example
    IP Address Static IP address of your on-premises gateway device. See Constraints for unsupported ranges. 203.0.113.1
    ASN ASN of your on-premises device. Required only for BGP. Cannot be 45104. 65001
  3. Click OK.

API

Call the CreateCustomerGateway operation with the following parameters:

Parameter Required Description
RegionId Yes ID of the region where you want to create the customer gateway. Call DescribeRegions to get region IDs.
IpAddress Yes Static IP address of your on-premises gateway device.
Asn No ASN of your on-premises gateway device.

Delete a customer gateway

Before deleting a customer gateway, delete all associated IPsec-VPN connections:

Console

  1. Go to the Customer Gateway page in the VPN Gateway console. Select the target region.

  2. Find the target customer gateway. In the Actions column, click Delete and confirm the deletion.

API

Call the DeleteCustomerGateway operation with the following parameters:

Parameter Required Description
RegionId Yes ID of the region where the customer gateway is located. Call DescribeRegions to get region IDs.
CustomerGatewayId Yes ID of the customer gateway to delete. Call DescribeCustomerGateways to get customer gateway IDs.

Modify IP address or ASN

You cannot modify the IP address or ASN of an existing customer gateway.

Important

Changing the IP address or ASN requires recreating the customer gateway, which disrupts all associated IPsec-VPN connections.

To change the IP address or ASN:

  1. Delete all associated IPsec-VPN connections.

  2. Delete the customer gateway.

  3. Create a new customer gateway with the updated IP address or ASN.

  4. Recreate the IPsec-VPN connections using the new customer gateway.

Billing

Customer gateways are free. You are charged for IPsec-VPN connections based on the attached resource type. See IPsec-VPN billing.

What to do next

After creating a customer gateway, create an IPsec-VPN connection: