AWS Site-to-Site VPN now supports certificate authentication for connections to AWS Transit Gateway

Posted on: Mar 20, 2020

AWS Site-to-Site Virtual Private Network (AWS Site-to-Site VPN) now supports digital certificates for Internet Key Exchange (IKE) authentication on VPN connections to an AWS Transit Gateway. Certificate authentication was previously available only for connections that terminate on a virtual private gateway; with this release you can use it, and the added security and flexibility it offers over pre-shared keys, on all Site-to-Site VPN connections.

To use certificates with your VPN connections, you first create a subordinate Certificate Authority (CA) in AWS Certificate Manager Private Certificate Authority (ACM Private CA). Then, issue a certificate from that subordinate CA and install it, together with its private key and the CA chain, on your customer gateway device. Because the certificate rather than an IP address identifies the customer gateway during IKE authentication, you do not need to specify a public IP address when you create the customer gateway; as a result, you can change the IP address of your device without reconfiguring the VPN connection. When a customer gateway is associated with a certificate, each new VPN connection created with that gateway automatically issues additional certificates from the same subordinate CA for the AWS-side VPN endpoints (tunnels), so the device validates the AWS peers against the chain it already trusts. You can also modify an existing VPN connection to use a new customer gateway, for example to move the connection onto a customer gateway that uses a certificate.
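The procedure above, end to end with the AWS CLI, as an added example (this is not AWS's own code or a script from the announcement). The root CA ARN, account ID, device name, BGP ASN, Transit Gateway ID and the work directory are assumed values; replace them with your own. Every AWS call goes through the `aws_cli` wrapper, so setting `AWS_CLI=echo` gives a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not AWS code): set up certificate-based IKE authentication for
# a Site-to-Site VPN to a Transit Gateway with the AWS CLI. The root CA ARN,
# account ID, device name, ASN and Transit Gateway ID below are assumptions.
# Every AWS call goes through aws_cli, so AWS_CLI=echo gives a dry run.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
REGION="${REGION:-us-east-1}"
WORK="${WORK:-./vpn-cert-work}"
# Assumed: an existing ACM Private CA root that will sign the subordinate CA.
ROOT_CA_ARN="${ROOT_CA_ARN:-arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-2222-3333-4444-555555555555}"
DEVICE_NAME="${DEVICE_NAME:-cgw1.vpn.example.com}"   # assumed: CN of the device certificate
TGW_ID="${TGW_ID:-tgw-0123456789abcdef0}"            # assumed
BGP_ASN="${BGP_ASN:-65000}"

aws_cli() { "$AWS_CLI" --region "$REGION" "$@"; }

# Configuration (constructed) for the subordinate CA that signs both the device
# certificate and the AWS-side tunnel endpoint certificates.
sub_ca_config() {
  cat <<'EOF'
{"KeyAlgorithm":"RSA_2048","SigningAlgorithm":"SHA256WITHRSA",
 "Subject":{"Country":"US","Organization":"Example Corp","CommonName":"Example Site-to-Site VPN CA"}}
EOF
}

# Step 1: create the subordinate CA, have the root sign its CSR, install the result.
create_subordinate_ca() {
  mkdir -p "$WORK"
  sub_ca_config > "$WORK/sub_ca_config.json"
  sub_ca_arn=$(aws_cli acm-pca create-certificate-authority \
      --certificate-authority-configuration "file://$WORK/sub_ca_config.json" \
      --certificate-authority-type SUBORDINATE \
      --query CertificateAuthorityArn --output text)
  aws_cli acm-pca get-certificate-authority-csr \
      --certificate-authority-arn "$sub_ca_arn" --output text > "$WORK/sub_ca.csr"
  sub_ca_cert_arn=$(aws_cli acm-pca issue-certificate \
      --certificate-authority-arn "$ROOT_CA_ARN" --csr "fileb://$WORK/sub_ca.csr" \
      --signing-algorithm SHA256WITHRSA \
      --template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
      --validity Value=5,Type=YEARS --query CertificateArn --output text)
  aws_cli acm-pca wait certificate-issued \
      --certificate-authority-arn "$ROOT_CA_ARN" --certificate-arn "$sub_ca_cert_arn"
  aws_cli acm-pca get-certificate --certificate-authority-arn "$ROOT_CA_ARN" \
      --certificate-arn "$sub_ca_cert_arn" --query Certificate --output text > "$WORK/sub_ca.pem"
  aws_cli acm-pca get-certificate --certificate-authority-arn "$ROOT_CA_ARN" \
      --certificate-arn "$sub_ca_cert_arn" --query CertificateChain --output text > "$WORK/sub_ca_chain.pem"
  aws_cli acm-pca import-certificate-authority-certificate \
      --certificate-authority-arn "$sub_ca_arn" \
      --certificate "fileb://$WORK/sub_ca.pem" --certificate-chain "fileb://$WORK/sub_ca_chain.pem"
  echo "$sub_ca_arn"
}

# Step 2: issue the customer gateway device certificate from the subordinate CA.
request_device_certificate() {
  aws_cli acm request-certificate --domain-name "$DEVICE_NAME" \
      --certificate-authority-arn "$1" --query CertificateArn --output text
}

# Step 3: export certificate, chain and passphrase-encrypted private key for the
# device. Only ACM Private CA-issued certificates are exportable; the passphrase
# file and the key file are secrets, so keep them 0600 and delete them after import.
export_device_credentials() {
  mkdir -p "$WORK"
  printf '%s' "${EXPORT_PASSPHRASE:?set EXPORT_PASSPHRASE}" > "$WORK/passphrase.txt"
  chmod 600 "$WORK/passphrase.txt"
  for field in Certificate CertificateChain PrivateKey; do
    aws_cli acm export-certificate --certificate-arn "$1" \
        --passphrase "fileb://$WORK/passphrase.txt" --query "$field" --output text > "$WORK/device_$field.pem"
  done
  chmod 600 "$WORK/device_PrivateKey.pem"
}

# Step 4: the certificate identifies the customer gateway, so no --public-ip is given.
create_customer_gateway() {
  aws_cli ec2 create-customer-gateway --type ipsec.1 --bgp-asn "$BGP_ASN" \
      --certificate-arn "$1" --query CustomerGateway.CustomerGatewayId --output text
}

# Step 5: create the VPN attachment on the Transit Gateway; AWS issues the tunnel
# endpoint certificates from the same subordinate CA on its own.
create_vpn_connection() {
  aws_cli ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$1" \
      --transit-gateway-id "$TGW_ID" --query VpnConnection.VpnConnectionId --output text
}

# Step 6: fetch the generated device configuration (tunnel addresses, IKE parameters).
fetch_device_config() {
  aws_cli ec2 wait vpn-connection-available --vpn-connection-ids "$1"
  aws_cli ec2 describe-vpn-connections --vpn-connection-ids "$1" \
      --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text > "$WORK/$1-config.xml"
}

main() {
  sub_ca_arn=$(create_subordinate_ca)
  cert_arn=$(request_device_certificate "$sub_ca_arn")
  export_device_credentials "$cert_arn"
  cgw_id=$(create_customer_gateway "$cert_arn")
  vpn_id=$(create_vpn_connection "$cgw_id")
  fetch_device_config "$vpn_id"
  echo "VPN $vpn_id created; device files are in $WORK"
}

if [ "${1:-}" = "run" ]; then main "$@"; fi
```

Run it as `EXPORT_PASSPHRASE='...' ROOT_CA_ARN='arn:...' TGW_ID='tgw-...' sh setup-cert-vpn.sh run`. The customer gateway is created without `--public-ip`, which is the point of certificate authentication: the device's identity is its certificate, so a later address change on the device does not touch the VPN connection. The exported private key is only as safe as the passphrase file and the host it sits on; move the three PEM files onto the device and remove them from the work directory once the tunnels are up.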

AWS Site-to-Site VPN certificate authentication is available in the following AWS Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), EU (Ireland), EU (Frankfurt), EU (London), EU (Paris), Asia Pacific (Singapore), Asia Pacific (Hong Kong), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Mumbai), and Canada (Central). For more information about AWS Site-to-Site VPN, see the product page and documentation. For details and pricing for AWS Certificate Manager, see the product page.