AWS Site-to-Site VPN now Supports Certificate Authentication

Posted on: Aug 16, 2019

AWS Site-to-Site Virtual Private Network (AWS Site-to-Site VPN) now supports digital certificates for Internet Key Exchange (IKE) authentication: a Site-to-Site VPN connection can authenticate with a private certificate issued by AWS Certificate Manager instead of a pre-shared key. Certificate authentication removes the static shared secret that otherwise has to be distributed to, and protected on, the customer gateway device, and (as described below) it decouples the VPN connection from the device's IP address.

To use certificates with your VPN connections, first create a subordinate Certificate Authority (CA) in AWS Certificate Manager Private Certificate Authority. Then issue a private certificate from that subordinate CA for your customer gateway device, and reference that certificate when you create the customer gateway. Only a private certificate from ACM Private CA can be used here; a public ACM certificate cannot. When a customer gateway uses a certificate, you do not need to specify an IP address for it, so you can change the IP address of your device without reconfiguring the VPN connection. Every new VPN connection created with such a customer gateway is issued additional certificates from the same subordinate CA for the VPN endpoints (tunnels). You may also modify an existing VPN connection to use a new certificate-based customer gateway.
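The procedure above, as an added AWS CLI example (not part of the original announcement). It assumes the subordinate CA already exists in ACM Private CA; the CA ARN, device hostname, virtual private gateway ID and BGP ASN are placeholders to replace. The script issues the device certificate, checks that it really is a private certificate from the expected CA before wiring it in (a public ACM certificate would be refused by the VPN service), exports the certificate and key for the device, then creates the customer gateway without a public IP and attaches a VPN connection.

```shell
#!/bin/sh
# Added example: provision a certificate-authenticated customer gateway with the AWS CLI.
# ASSUMPTIONS (not from the announcement): a subordinate CA already exists in ACM Private CA;
# the CA ARN, device name, VGW id and ASN below are placeholders. Rename this file to
# vpn-cert-cgw.sh (or set the variables in the environment) to run the whole flow.
set -eu

SUB_CA_ARN="${SUB_CA_ARN:-arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/00000000-0000-0000-0000-000000000000}"
DEVICE_NAME="${DEVICE_NAME:-cgw1.vpn.example.internal}"
VGW_ID="${VGW_ID:-vgw-0123456789abcdef0}"
BGP_ASN="${BGP_ASN:-65000}"

# 1. Request a private certificate for the customer gateway device from the subordinate CA.
request_device_cert() {
  aws acm request-certificate \
    --certificate-authority-arn "$SUB_CA_ARN" \
    --domain-name "$DEVICE_NAME" \
    --query CertificateArn --output text
}

# 2. Check before use: the certificate must be a PRIVATE one issued by our subordinate CA.
#    A public (AMAZON_ISSUED) or IMPORTED certificate is not accepted for Site-to-Site VPN.
assert_private_cert() {
  cert_arn="$1"
  cert_type=$(aws acm describe-certificate --certificate-arn "$cert_arn" \
    --query Certificate.Type --output text)
  ca_arn=$(aws acm describe-certificate --certificate-arn "$cert_arn" \
    --query Certificate.CertificateAuthorityArn --output text)
  if [ "$cert_type" != "PRIVATE" ] || [ "$ca_arn" != "$SUB_CA_ARN" ]; then
    echo "refusing $cert_arn: Type=$cert_type CA=$ca_arn (need PRIVATE from $SUB_CA_ARN)" >&2
    return 1
  fi
}

# 3. Export certificate, chain and (passphrase-encrypted) private key for the device.
#    $2 is a file containing the passphrase; keep the exported JSON off shared storage.
export_device_cert() {
  cert_arn="$1"; outfile="$2"; passphrase_file="$3"
  aws acm export-certificate --certificate-arn "$cert_arn" \
    --passphrase "fileb://$passphrase_file" > "$outfile"
}

# 4. Create the customer gateway with the certificate. No --public-ip: the device's
#    address may change without the VPN connection having to be reconfigured.
create_cert_customer_gateway() {
  aws ec2 create-customer-gateway --type ipsec.1 --bgp-asn "$BGP_ASN" \
    --certificate-arn "$1" \
    --query CustomerGateway.CustomerGatewayId --output text
}

# 5. Attach a VPN connection; AWS issues the tunnel endpoint certificates from the same CA.
create_vpn() {
  aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$1" \
    --vpn-gateway-id "$VGW_ID" \
    --query VpnConnection.VpnConnectionId --output text
}

# Whole flow; prints the VPN connection id. $1 = export file, $2 = passphrase file.
provision() {
  cert_arn=$(request_device_cert)
  assert_private_cert "$cert_arn"
  export_device_cert "$cert_arn" "$1" "$2"
  cgw_id=$(create_cert_customer_gateway "$cert_arn")
  create_vpn "$cgw_id"
}

if [ "${0##*/}" = "vpn-cert-cgw.sh" ]; then
  provision device-cert.json passphrase.txt
fi
```

After `create-vpn-connection` returns, download the configuration for your device as usual; the exported JSON holds the device certificate, the chain back to the subordinate CA, and the encrypted private key that the device presents during IKE.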

AWS Site-to-Site VPN certificate authentication is now available in these AWS Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), EU (Ireland), EU (Frankfurt), EU (London), EU (Paris), Asia Pacific (Singapore), Asia Pacific (Hong Kong), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Mumbai), Canada (Central), and both AWS GovCloud (US) Regions. For more information about AWS Site-to-Site VPN, see the product page and documentation. For details and pricing for AWS Certificate Manager (including ACM Private CA, which is billed separately), see the product page.