Disconnect on timeout not set for client VPN endpoint #6918

Open
dsotirho-ucsc opened this issue Feb 20, 2025 · 1 comment
Labels
-- [priority] Low debt [type] A defect incurring continued engineering cost infra [subject] Project infrastructure like CI/CD, build and deployment scripts orange [process] Done by the Azul team

Comments

@dsotirho-ucsc
Contributor

Our client VPN endpoints currently use the default value (disabled) for the Disconnect on session timeout setting. On April 30th, AWS will be changing the default value to enabled for newly created client VPNs (see below).

We need to see what the consequences of enabling Disconnect on session timeout would be.

Note: Terraform currently does not offer a resource attribute for this setting.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint

From AWS:

Starting April 30, 2025, the default behavior for new AWS Client VPN [1] endpoints will change from disconnect-on-session-timeout=false to disconnect-on-session-timeout=true. This means that for new Client VPN endpoints created after April 30, 2025, if an administrator has set a maximum session duration time [2], users will need to manually reconnect to the VPN once their session expires. You can override this default behavior by specifying disconnect-on-session-timeout=false for any Client VPN endpoint.

Existing Client VPN endpoints created prior to April 30, 2025, will not be affected by this change. You can use the DescribeClientVpnEndpoints API [3] to view the current value, and the ModifyClientVpnEndpoint API [4] to change this setting for existing endpoints.

Disconnect on session timeout: This flag will disconnect your connection on session timeout which requires users to reconnect again manually. If disabled, Client VPN will attempt to reconnect the session after timeout automatically.

@dsotirho-ucsc dsotirho-ucsc added the orange [process] Done by the Azul team label Feb 20, 2025
@hannes-ucsc
Member

hannes-ucsc commented Feb 20, 2025

Surely, TF support will be added soon. Assignee to monitor the TF provider documentation.

Once support is available, I'd like to test what effect enabling the setting has on the VPN client. The test should use a short session timeout. We have a mandate to implement a session timeout, but there is no mandate to prevent clients from automatically reconnecting after the session times out. Enabling pro-active disconnects might actually help VPN clients maintain persistent connectivity (my client gets stuck at times, preventing it from reconnecting).

@hannes-ucsc hannes-ucsc added debt [type] A defect incurring continued engineering cost infra [subject] Project infrastructure like CI/CD, build and deployment scripts -- [priority] Low and removed debt [type] A defect incurring continued engineering cost labels Feb 20, 2025
@dsotirho-ucsc dsotirho-ucsc self-assigned this Feb 20, 2025
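
The AWS notice quoted in the issue says the DescribeClientVpnEndpoints API shows the current value of the setting. As an added example (not code from this project), the Python below audits a response of that shape and reports what each endpoint does when a session times out. The field names `DisconnectOnSessionTimeout` and `SessionTimeoutHours` are assumed from the EC2 API, and the endpoint IDs and values are constructed placeholders.

```python
# Added example: field names are assumed from the EC2 DescribeClientVpnEndpoints
# response shape; endpoint IDs and values below are constructed placeholders.
SAMPLE_RESPONSE = {
    "ClientVpnEndpoints": [
        {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE1",
         "SessionTimeoutHours": 8, "DisconnectOnSessionTimeout": False},
        {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE2",
         "SessionTimeoutHours": 24, "DisconnectOnSessionTimeout": True},
        # Assumed case: the field is missing, e.g. an SDK older than the setting.
        {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE3",
         "SessionTimeoutHours": 24},
    ]
}

BEHAVIOUR = {
    True: "disconnect on timeout, user reconnects manually",
    False: "client reconnects automatically after timeout",
    None: "unknown, field not present in response",
}


def audit_endpoints(response):
    """Map each endpoint to its session timeout and on-timeout behaviour."""
    findings = []
    for ep in response.get("ClientVpnEndpoints", []):
        flag = ep.get("DisconnectOnSessionTimeout")
        if not isinstance(flag, bool):
            flag = None  # treat anything but an explicit boolean as unknown
        findings.append({
            "endpoint": ep.get("ClientVpnEndpointId"),
            "timeout_hours": ep.get("SessionTimeoutHours"),
            "disconnect_on_timeout": flag,
            "behaviour": BEHAVIOUR[flag],
        })
    return findings


def describe_live(region):
    """Fetch the same structure from AWS; needs boto3 and credentials."""
    import boto3  # imported lazily so the audit itself runs offline
    pages = boto3.client("ec2", region_name=region).get_paginator(
        "describe_client_vpn_endpoints").paginate()
    return {"ClientVpnEndpoints":
            [ep for page in pages for ep in page["ClientVpnEndpoints"]]}


if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_RESPONSE):
        print(finding)
```

Passing the result of `describe_live(region)` to `audit_endpoints` runs the same report against real endpoints.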