A customer gateway represents your on-premises gateway device in an IPsec-VPN connection. When you create one, you register the device IP address and autonomous system number (ASN) with Alibaba Cloud. A customer gateway works with an IPsec-VPN connection and a VPN gateway or transit router to form a complete VPN tunnel.
Prerequisites
Have the following information ready:
| Item | Details |
|---|---|
| Static IP address | Public IP for a public connection; private IP for a private connection |
| ASN (optional) | Required only for BGP dynamic routing |
Constraints
IP address constraints
The following IP ranges are not supported:
| Range | Type |
|---|---|
| 100.64.0.0–100.127.255.255 | Shared address space |
| 127.0.0.0–127.255.255.255 | Loopback |
| 169.254.0.0–169.254.255.255 | Link-local |
| 224.0.0.0–239.255.255.255 | Multicast |
| 255.0.0.0–255.255.255.255 | Reserved |
ASN constraints
| Constraint | Details |
|---|---|
| Valid range | 1–4,294,967,295 |
| Reserved | 45104 (Alibaba Cloud ASN) — reserved |
| Two-segment format | Enter as first 16 bits, a period, and last 16 bits in decimal. For example, 123.456 equals 123 × 65,536 + 456 = 8,061,384 |
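A pre-flight check for the IP address and ASN constraints above, written as an added example (not Alibaba Cloud code). The function names `parse_asn` and `check_gateway_ip` are hypothetical, and the check assumes IPv4 addresses only.

```python
import ipaddress

# Unsupported ranges from the table above: (first address, last address, type).
UNSUPPORTED_RANGES = [
    ("100.64.0.0", "100.127.255.255", "shared address space"),
    ("127.0.0.0", "127.255.255.255", "loopback"),
    ("169.254.0.0", "169.254.255.255", "link-local"),
    ("224.0.0.0", "239.255.255.255", "multicast"),
    ("255.0.0.0", "255.255.255.255", "reserved"),
]
RESERVED_ASN = 45104       # Alibaba Cloud ASN
ASN_MAX = 4_294_967_295


def parse_asn(text):
    """Return the ASN as an int; accepts plain ("65001") or two-segment ("123.456") input."""
    parts = text.strip().split(".")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"malformed ASN: {text!r}")
    if len(parts) == 2:
        high, low = int(parts[0]), int(parts[1])
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"each segment must fit in 16 bits: {text!r}")
        asn = high * 65536 + low   # first 16 bits, then last 16 bits
    else:
        asn = int(parts[0])
    if not 1 <= asn <= ASN_MAX:
        raise ValueError(f"ASN out of range 1-{ASN_MAX}: {asn}")
    if asn == RESERVED_ASN:
        # Also catches the two-segment spelling "0.45104".
        raise ValueError(f"ASN {RESERVED_ASN} is reserved")
    return asn


def check_gateway_ip(text):
    """Return the normalized IPv4 address, or raise ValueError if it is unsupported."""
    addr = ipaddress.IPv4Address(text.strip())   # malformed input raises ValueError
    for first, last, kind in UNSUPPORTED_RANGES:
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            raise ValueError(f"{addr} is in an unsupported range ({kind})")
    return str(addr)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_gateway_ip("203.0.113.1"), parse_asn("65001"), parse_asn("123.456"))
```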
Region constraint
The customer gateway must be in the same region as the associated VPN gateway or transit router.
Create a customer gateway
Console
- Go to the Customer Gateway page in the VPN Gateway console. Select the target region.
- Click Create Customer Gateway and configure the following parameters.

| Parameter | Description | Example |
|---|---|---|
| IP Address | Static IP address of your on-premises gateway device. See Constraints for unsupported ranges. | 203.0.113.1 |
| ASN | ASN of your on-premises device. Required only for BGP. Cannot be 45104. | 65001 |

- Click OK.
API
Call the CreateCustomerGateway operation with the following parameters:
| Parameter | Required | Description |
|---|---|---|
| RegionId | Yes | ID of the region where you want to create the customer gateway. Call DescribeRegions to get region IDs. |
| IpAddress | Yes | Static IP address of your on-premises gateway device. |
| Asn | No | ASN of your on-premises gateway device. |
Delete a customer gateway
Before deleting a customer gateway, delete all associated IPsec-VPN connections:
Console
- Go to the Customer Gateway page in the VPN Gateway console. Select the target region.
- Find the target customer gateway. In the Actions column, click Delete and confirm the deletion.
API
Call the DeleteCustomerGateway operation with the following parameters:
| Parameter | Required | Description |
|---|---|---|
| RegionId | Yes | ID of the region where the customer gateway is located. Call DescribeRegions to get region IDs. |
| CustomerGatewayId | Yes | ID of the customer gateway to delete. Call DescribeCustomerGateways to get customer gateway IDs. |
Modify IP address or ASN
You cannot modify the IP address or ASN of an existing customer gateway.
Changing the IP address or ASN requires recreating the customer gateway, which disrupts all associated IPsec-VPN connections.
To change the IP address or ASN:
- Delete all associated IPsec-VPN connections.
- Delete the customer gateway.
- Create a new customer gateway with the updated IP address or ASN.
- Recreate the IPsec-VPN connections using the new customer gateway.
Billing
Customer gateways are free. You are charged for IPsec-VPN connections based on the attached resource type. See IPsec-VPN billing.
What to do next
After creating a customer gateway, create an IPsec-VPN connection: