ISP blocks inbound traffic. Can I still create VPN connection to AWS / VPC?

My ISP blocks ALL in-bound traffic. It looks like setting up a VPC with AWS requires AWS to initiate the connection to my EdgeRouter. Is there any way to make my EdgeRouter INITIATE and maintain the connection to AWS / VPC? Which type of VPN connection is recommended for this? The goal is to be able to maintain a site-to-site connection so I can VPN into my VPC and gain access to resources @ home (via the EdgeRouter).

Have you asked your ISP whether they can set up a DMZ on a specific private IP address for you?

AWS site-to-site VPN connections are by default initiated by the non-AWS party. https://docs.aws.amazon.com/vpn/latest/s2svpn/initiate-vpn-tunnels.html

if you press them, you’ll discover that it is really impossible in a practical sense to initiate the connection from the AWS side in an automated way with error recovery and error reporting. kudos for their VPN support team for being honest about this. but they should change the documentation to say that initiation *must* come from the remote side. or else add it as a new feature.

Didn’t they recently release that feature? Or are you saying it’s not all it’s cracked up to be?

i’m saying (as informed by AWS VPN support only last week) that it is so far beyond practical to initiate a VPN connection from the AWS VPG side that you should consider it impossible. to wit:

  1. can you confirm that there is no explicit manual way (from either the AWS web console or the CLI) to invoke a negotiation/connection when the state of a VPN tunnel is ‘DOWN’?

There is currently no option to do this, however I have added your voice to the feature request to enable customers to “bounce” the tunnel from the AWS console.

  2. can you confirm that a trivial modification of VPN tunnel option, e.g. the removal or addition of an unused negotiation choice, would trigger a negotiation/connection?

You can simply click on the modify tunnel option and save without making any changes. This will modify the VPN Endpoint, which triggers a replacement of the node, which will trigger the startup action.

  3. what configuration would you suggest to have an AWS VPN always attempt a negotiation/connection when the tunnel state was ‘DOWN’, retry this attempt a certain number of times, and then notify the AWS client (e.g. via email and an SNS-triggered SMS message) if none of the connection attempts succeeded?

Unfortunately the current feature does not have a retry function, so if the initial attempt fails, there will be no successive attempts.

With regards to having a notification regarding a failed attempt, this is impossible to configure at this time as there are no logs in CloudWatch for VPN logs. I have added your case to the feature request to have this type of visibility in the AWS Console.

  4. what AWS logs accessible by the AWS client expose the details of ISAKMP negotiation and IPSEC VPN connection attempts and post-connection tunnel events?

Unfortunately there are no logs currently available within CloudWatch for VPN connections, however I have added your case to the existing feature request.
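Since AWS neither retries nor logs the negotiation, the customer side has to watch the per-tunnel telemetry itself. The following is an added example, not code from this thread or from AWS: it reads the `VgwTelemetry` block that `describe-vpn-connections` returns, flags tunnels that have stayed DOWN past a grace period (so the customer gateway's own re-keying gets a chance first), and publishes a summary to SNS. The sample response, connection id, addresses and poll time are constructed placeholders; `check_and_notify` assumes boto3 and AWS credentials are available.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of ec2.describe_vpn_connections() output;
# the connection id and addresses are placeholders, not real values.
SAMPLE_RESPONSE = {
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0example0001",
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "StatusMessage": "",
             "LastStatusChange": datetime(2020, 1, 1, 10, 0, tzinfo=timezone.utc)},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN",
             "LastStatusChange": datetime(2020, 1, 1, 11, 30, tzinfo=timezone.utc)},
        ],
    }]
}
SAMPLE_NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed poll time

def down_tunnels(response, now, grace_minutes=5):
    """Return tunnel endpoints that have reported DOWN for at least grace_minutes.

    AWS exposes only the current per-endpoint status and when it last changed;
    it does not retry or log the negotiation, so the age of the DOWN state is
    the signal for "the customer gateway has not re-established this tunnel".
    """
    found = []
    for conn in response.get("VpnConnections", []):
        for t in conn.get("VgwTelemetry", []):
            if t.get("Status") != "DOWN":
                continue
            age = now - t["LastStatusChange"]
            if age >= timedelta(minutes=grace_minutes):
                found.append({"vpn": conn["VpnConnectionId"], "endpoint": t["OutsideIpAddress"],
                              "message": t.get("StatusMessage", ""),
                              "down_minutes": int(age.total_seconds() // 60)})
    return found

def build_alert(down):
    """One line per stale tunnel, usable directly as an SNS message body."""
    return "\n".join(f"{d['vpn']} tunnel {d['endpoint']} DOWN for {d['down_minutes']} min: {d['message']}"
                     for d in down)

def check_and_notify(topic_arn):
    """Live version: poll EC2 and publish to SNS; needs boto3 and AWS credentials."""
    import boto3  # imported here so the parsing logic above runs without it installed
    down = down_tunnels(boto3.client("ec2").describe_vpn_connections(), datetime.now(timezone.utc))
    if down:
        boto3.client("sns").publish(TopicArn=topic_arn, Subject="VPN tunnel DOWN", Message=build_alert(down))
    return down
```

Run `check_and_notify` from cron or a scheduled Lambda with a topic that fans out to email and SMS; the grace window should be longer than the customer gateway's DPD and re-key interval so transient re-negotiations do not page you.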

So I think some of what you are looking for is possible now.

But the lack of logging has proven troubling in the past for me as well. Support can see more than we can but it does seem like an easy add to expose the AWS side logs. I will ask our TAM to +1 this PFR as well.

it attempts to connect once. never retries. and there is no way to see what’s going on. so not a ‘real’ feature (yet). as they said, they are working on it.