You are correct: if you are using cert-based authentication for the VPN (and not a PSK), the CGW IP is optional. That being said, every time the CGW external (dynamic) IP changes, the tunnel will be torn down and need to be re-initiated. Please note that tunnel initiation from the CGW is supported only with IKEv2.
(Optional) The IP address of the customer gateway device's external interface.
The IP address must be static.
If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT-traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See Firewall Rules for more info.
An IP address is not required when you are using a private certificate from AWS Certificate Manager Private Certificate Authority.
If there is a way for you to do static NAT (1:1), that might be a better option, since with it the CGW external IP would be static.
Q: Can I NAT my customer gateway behind a router or firewall?
A: You will use the public IP address of your NAT device.
Hope this helps.
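The firewall requirement quoted above (UDP 500, plus 4500 when NAT-T is in use, in both directions between your network and the AWS VPN endpoints) is easy to get half right. The following is an added example, not AWS's code or part of the original answer: it parses an `iptables -S` dump and reports which IKE/NAT-T rules are absent. The ruleset and the endpoint addresses are constructed placeholders from the TEST-NET range, not real AWS tunnel endpoints.

```python
"""Check an `iptables -S` dump for the IKE/NAT-T ACCEPT rules a Site-to-Site VPN needs."""
import shlex

# Constructed sample: what `iptables -S` might print on the firewall in front of the CGW.
SAMPLE_RULES = """
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 203.0.113.11/32 -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 4500 -j ACCEPT
-A OUTPUT -d 203.0.113.11/32 -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -d 203.0.113.11/32 -p udp -m udp --dport 4500 -j ACCEPT
"""
# Placeholder AWS tunnel endpoint addresses (one per tunnel of the VPN connection).
AWS_VPN_ENDPOINTS = ("203.0.113.10", "203.0.113.11")
IKE_PORTS = (500, 4500)  # 4500 (NAT-T) only matters when the CGW sits behind NAT

def parse_accepts(dump):
    """Return a set of (chain, peer_ip, udp_port) for every UDP ACCEPT rule in the dump."""
    accepts = set()
    for line in dump.strip().splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue  # skip policy lines (-P) and blanks
        chain = tok[1]
        opts = dict(zip(tok[2::2], tok[3::2]))  # flag -> value pairs after the chain name
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "udp" or "--dport" not in opts:
            continue
        # Inbound rules match on the source (-s), outbound rules on the destination (-d)
        peer = opts.get("-s") if chain == "INPUT" else opts.get("-d")
        if peer:
            accepts.add((chain, peer.split("/")[0], int(opts["--dport"])))
    return accepts

def missing_ike_rules(dump, endpoints=AWS_VPN_ENDPOINTS, nat_t=True):
    """List (chain, endpoint, port) tuples that have no explicit ACCEPT rule."""
    ports = IKE_PORTS if nat_t else IKE_PORTS[:1]
    accepts = parse_accepts(dump)
    return sorted((chain, ep, port)
                  for chain in ("INPUT", "OUTPUT")
                  for ep in endpoints
                  for port in ports
                  if (chain, ep, port) not in accepts)

if __name__ == "__main__":
    for gap in missing_ike_rules(SAMPLE_RULES):
        print("missing ACCEPT rule:", gap)
```

On the constructed ruleset the checker reports that the second tunnel endpoint is not allowed inbound on UDP 4500, which is exactly the kind of gap that only shows up once NAT-T kicks in.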