Managed VPN feature support


A customer is asking if our Managed VPN supports the following features:

  1. Traffic needs to be SNAT’ed to a public IP address different than the VPN PEER IP address before it is encapsulated into IPSec.
  2. Traffic needs to be SNAT’ed to a specific private IP address.
  3. The destination IP address (Server IP address on the VPN PEER IP address) on the other side of the VPN can be accessible through more than one tunnel in an active-standby or in an active-active model.
  4. The device needs to be able to perform DNS resolution.
  5. The devices need to support IKEv1 and IKEv2.
  6. The devices should support AES256 in IKE and IPSec.
  7. The devices should support SHA-1 in IKE and IPSec.
  8. The devices should support Diffie-Hellman 1, 2 and 14.
AWS
Antonio
asked 5 years ago, 189 views
1 Answer
Accepted Answer

Answers are in-line:

  1. Traffic needs to be SNAT’ed to a public IP address different than the VPN PEER IP address before it is encapsulated into IPSec.

On CGW, yes, you can SNAT the traffic. On VGW (AWS VPN) they cannot NAT. For NATing on CGW, the only caveat is not to use the CGW Public IP for SNAT.

  2. Traffic needs to be SNAT’ed to a specific private IP address.

Same as 1.

  3. The destination IP address (Server IP address on the VPN PEER IP address) on the other side of the VPN can be accessible through more than one tunnel in an active-standby or in an active-active model.

AWS VPN landing on TGW supports Active/Active mode. However, AWS VPNs on VGW can only push traffic via one tunnel for VPC -> On-prem traffic, but can accept traffic on both tunnels (on-prem to AWS VPN). Either way, if they are trying to access EC2 from on-prem, that is accessible from any tunnel.

  4. The device needs to be able to perform DNS resolution.

Yes, this would work. This is site-to-site VPN and DNS resolution should work as long as DNS IPs are accessible via VPN.

  5. The devices need to support IKEv1 and IKEv2.

All newly created VPNs should have support for IKEv1 and IKEv2.

  6. The devices should support AES256 in IKE and IPSec.

Yes, AWS VPN supports this.

  7. The devices should support SHA-1 in IKE and IPSec.

Yes, AWS VPN supports this.

  8. The devices should support Diffie-Hellman 1, 2 and 14.

Phase 1 supports DH groups 2, 14-18, 22, 23, and 24.
Phase 2 supports DH groups 2, 5, 14-18, 22, 23, and 24.
AWS
jkaps
answered 5 years ago
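To turn the answer's support lists into something that can be checked before a tunnel is ordered, here is a small proposal checker. It is an added example, not code from AWS or from anyone in this thread. The per-phase DH group sets, the IKEv1/IKEv2, AES256 and SHA-1 support, and the rule that the SNAT source must never be the CGW's own public IP are taken from the answer; the dataclass, field names, the "legacy" warnings and the sample proposals are assumptions made for this example.

```python
"""Check a proposed site-to-site VPN configuration against the constraints
stated in the accepted answer (added example; not AWS code).

Values taken from the answer: IKEv1/IKEv2, AES256, SHA-1, and the DH groups
accepted in phase 1 and phase 2. Field names, the SNAT check and the sample
proposals below are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# Per-phase DH group support as listed in the answer.
PHASE1_DH_GROUPS = {2, *range(14, 19), 22, 23, 24}
PHASE2_DH_GROUPS = {2, 5, *range(14, 19), 22, 23, 24}
SUPPORTED_IKE_VERSIONS = {1, 2}
# The answer only confirms these two; anything else is reported as unconfirmed.
SUPPORTED_ENCRYPTION = {"aes256"}
SUPPORTED_INTEGRITY = {"sha1"}
# Legacy choices worth flagging even where the peer accepts them (assumption).
LEGACY_DH_GROUPS = {1, 2, 5}
LEGACY_INTEGRITY = {"sha1"}


def _normalize(name: str) -> str:
    """'AES-256' -> 'aes256', 'SHA-1' -> 'sha1'."""
    return name.lower().replace("-", "").replace("_", "")


@dataclass
class VpnProposal:
    ike_version: int
    phase1_dh: int
    phase2_dh: int
    encryption: str
    integrity: str
    snat_source: Optional[str] = None    # address traffic is SNATed to before IPsec
    cgw_public_ip: Optional[str] = None  # the customer gateway's own public IP


@dataclass
class CheckResult:
    errors: List[str] = field(default_factory=list)    # will not negotiate
    warnings: List[str] = field(default_factory=list)  # negotiates, but weak

    @property
    def ok(self) -> bool:
        return not self.errors


def check_proposal(p: VpnProposal) -> CheckResult:
    r = CheckResult()
    if p.ike_version not in SUPPORTED_IKE_VERSIONS:
        r.errors.append(f"IKEv{p.ike_version} is not supported")
    if p.phase1_dh not in PHASE1_DH_GROUPS:
        r.errors.append(f"phase 1 DH group {p.phase1_dh} is not supported")
    elif p.phase1_dh in LEGACY_DH_GROUPS:
        r.warnings.append(f"phase 1 DH group {p.phase1_dh} is a legacy group")
    if p.phase2_dh not in PHASE2_DH_GROUPS:
        r.errors.append(f"phase 2 DH group {p.phase2_dh} is not supported")
    elif p.phase2_dh in LEGACY_DH_GROUPS:
        r.warnings.append(f"phase 2 DH group {p.phase2_dh} is a legacy group")
    enc, integ = _normalize(p.encryption), _normalize(p.integrity)
    if enc not in SUPPORTED_ENCRYPTION:
        r.errors.append(f"encryption {p.encryption} is not confirmed by the answer")
    if integ not in SUPPORTED_INTEGRITY:
        r.errors.append(f"integrity {p.integrity} is not confirmed by the answer")
    elif integ in LEGACY_INTEGRITY:
        r.warnings.append(f"integrity {p.integrity} is a legacy algorithm")
    # SNAT before encapsulation is done on the CGW (public or private source
    # address), with the one caveat from the answer: never the CGW's own public IP.
    if p.snat_source is not None and p.cgw_public_ip is not None:
        if ip_address(p.snat_source) == ip_address(p.cgw_public_ip):
            r.errors.append("SNAT source must not be the CGW public IP")
    return r


if __name__ == "__main__":
    # Constructed sample: the three DH groups the customer asked for (1, 2, 14),
    # with a documentation-range SNAT source that differs from the CGW IP.
    for group in (1, 2, 14):
        res = check_proposal(VpnProposal(2, group, group, "AES-256", "SHA-1",
                                         snat_source="198.51.100.7",
                                         cgw_public_ip="203.0.113.9"))
        print(f"DH {group}: {'OK' if res.ok else 'FAIL'}", res.errors, res.warnings)
```

Run as a script it walks the customer's three requested DH groups: group 1 fails outright, group 2 negotiates but is flagged as legacy in both phases, and group 14 passes with only the SHA-1 warning. Group 5 is the edge case worth remembering from the answer: accepted in phase 2 but not in phase 1.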
