Certificate-based VPN using AWS Site-to-Site VPN where customer gateway is behind CGNAT

I see that an IP address is not required for the customer gateway when you make a site to site VPN that is certificate-based, as described here:

https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site

Does this mean that a connection can be made where the client is behind CGNAT? I need a site-to-site VPN from AWS VPN to a remote location where that remote location is using a cellular internet connection that uses CGNAT and isn't publicly addressable.

I have read the post here, but the answer seems a unclear (it states that the IP is optional, but also says it must be static, and if it is behind NAT it must be the public facing IP of the NAT device... but it is optional, so I don't understand why those other requirements are even relevant to the question):

https://repost.aws/questions/QUGJ-vwDbMR9uI8cfIbeWRfA/site-to-site-vpn-with-dynamic-wan-address-lte-starlink-etc

Tópicos

Rede e entrega de conteúdo

Conteúdo relevante

Como faço para acessar a internet usando Site-to-Site VPN na minha rede on-premises?
AWS OFICIALAtualizada há um ano
Como posso obter o roteamento ECMP com vários túneis Site-to-Site VPN associados a um gateway de trânsito?
AWS OFICIALAtualizada há um ano
Por que minha conexão do AWS Site-to-Site VPN está no status INATIVO IPSEC ATIVO quando o gateway do cliente está ATIVO?
AWS OFICIALAtualizada há um ano
Como usar a AWS Site-to-Site VPN para criar uma VPN baseada em certificado?
AWS OFICIALAtualizada há 10 meses