How to configure IoT edge for Site-to-Site VPN without Internet.

Satyam Chauhan 542 Reputation points
2023-11-04T04:57:49.07+00:00

Hi,

I have an on-premises server running RHEL 8. This VM has no Internet connectivity and can only connect to the cloud IoT Hub using ports 443 and 5671, and to the Container Registry using port 443, through site-to-site VPN connectivity.

I have followed this offline installation step - https://video2.skills-academy.com/en-us/azure/iot-edge/how-to-provision-single-device-linux-symmetric?view=iotedge-1.4&tabs=azure-portal%2Crhel#offline-or-specific-version-installation-optional, to install the IoT edge runtime and other dependencies. There is only a single device configured and there are no child devices.

I am aware that, if the IoT Edge server has Internet connectivity, it pulls some container images from Microsoft, like mcr.microsoft.com/azureiotedge-agent and mcr.microsoft.com/azureiotedge-diagnostics. But since my server doesn't have Internet connectivity, these images are not automatically pulled by Docker. I don't see any repository when running the sudo docker images command.

REPOSITORY   TAG       IMAGE ID   CREATED   SIZE

On running sudo iotedge system status, this is the result.

System services:
    aziot-edged             Running
    aziot-identityd         Running
    aziot-keyd              Running
    aziot-certd             Running
    aziot-tpmd              Ready


On running the sudo iotedge check command following is the result:

Configuration checks (aziot-identity-service)
---------------------------------------------
√ keyd configuration is well-formed - OK
√ certd configuration is well-formed - OK
√ tpmd configuration is well-formed - OK
√ identityd configuration is well-formed - OK
√ daemon configurations up-to-date with config.toml - OK
√ identityd config toml file specifies a valid hostname - OK
× aziot-identity-service package is up-to-date - Error
    could not query https://aka.ms/latest-aziot-identity-service for latest available version
‼ host time is close to reference time - Warning
    Could not query NTP server
√ production readiness: identity certificates expiry - OK
√ preloaded certificates are valid - OK
√ keyd is running - OK
√ certd is running - OK
√ identityd is running - OK
√ read all preloaded certificates from the Certificates Service - OK
√ read all preloaded key pairs from the Keys Service - OK
√ check all EST server URLs utilize HTTPS - OK
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK

Connectivity checks (aziot-identity-service)
--------------------------------------------
√ host can connect to and perform TLS handshake with iothub AMQP port - OK
√ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - OK
× host can connect to and perform TLS handshake with iothub MQTT port - Error
   Failed to do TLS Handshake, Connection Attempt Timed out in 70 Seconds

Configuration checks
--------------------
√ aziot-edged configuration is well-formed - OK
√ configuration up-to-date with config.toml - OK
√ container engine is installed and functional - OK
× configuration has correct URIs for daemon mgmt endpoint - Error
    Unable to find image 'mcr.microsoft.com/azureiotedge-diagnostics:1.4.10' locally
    docker: Error response from daemon: Get https://mcr.microsoft.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
    See 'docker run --help'.
× aziot-edge package is up-to-date - Error
    Error while fetching latest versions of edge components: could not send HTTP request
× container time is close to host time - Error
    Could not query local time inside container
‼ DNS server - Warning
    Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
    Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.
    You can ignore this warning if you are setting DNS server per module in the Edge deployment.
‼ production readiness: logs policy - Warning
    Container engine is not configured to rotate module logs which may cause it run out of disk space.
    Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.
    You can ignore this warning if you are setting log policy per module in the Edge deployment.
× production readiness: Edge Agent's storage directory is persisted on the host filesystem - Error
    Could not check current state of edgeAgent container
× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error
    Could not check current state of edgeHub container
× Agent image is valid and can be pulled from upstream - Error
    Failed to get edge Agent image
√ proxy settings are consistent in aziot-edged, aziot-identityd, moby daemon and config.toml - OK

Connectivity checks
-------------------
× container on the default network can connect to upstream AMQP port - Error
    Container on the default network could not connect to <iot-hub hostname>:5671
× container on the default network can connect to upstream HTTPS / WebSockets port - Error
    Container on the default network could not connect to <iot-hub hostname>:443
× container on the IoT Edge module network can connect to upstream AMQP port - Error
    Container on the azure-iot-edge network could not connect to <iot-hub hostname>:5671
× container on the IoT Edge module network can connect to upstream HTTPS / WebSockets port - Error
    Container on the azure-iot-edge network could not connect to <iot-hub hostname>:443
21 check(s) succeeded.
3 check(s) raised warnings. Re-run with --verbose for more details.
12 check(s) raised errors. Re-run with --verbose for more details.
2 check(s) were skipped due to errors from other checks. Re-run with --verbose for more details.
Please help me resolve this issue as the iot-edge server cannot have Internet connectivity and only has site-to-site connectivity.
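The iotedge check output above mixes failures that are expected on a host with no route to the public Internet (version lookups, NTP, image pulls from mcr.microsoft.com) with failures that point at the site-to-site path itself (the container network not reaching the hub on 5671/443, plus the DNS warning). The following is an added example, not code from the question or from Microsoft: it parses that output format and sorts the non-OK checks into those two groups. The sample text is a constructed excerpt of the output shown above, and the keyword list used to recognise Internet-only failures is an assumption.

```python
import re
from collections import defaultdict
# Constructed excerpt of `iotedge check` output, in the shape shown in the question above.
SAMPLE_CHECK = """\
Configuration checks (aziot-identity-service)
---------------------------------------------
× aziot-identity-service package is up-to-date - Error
    could not query https://aka.ms/latest-aziot-identity-service for latest available version
‼ host time is close to reference time - Warning
    Could not query NTP server
Configuration checks
--------------------
× configuration has correct URIs for daemon mgmt endpoint - Error
    Unable to find image 'mcr.microsoft.com/azureiotedge-diagnostics:1.4.10' locally
‼ DNS server - Warning
    Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
Connectivity checks
-------------------
√ host can connect to and perform TLS handshake with iothub AMQP port - OK
× container on the default network can connect to upstream AMQP port - Error
    Container on the default network could not connect to <iot-hub hostname>:5671
"""

# Assumed detail fragments (lower-cased) that fail only because there is no public Internet route.
INTERNET_ONLY = ("aka.ms/latest", "mcr.microsoft.com", "ntp server",
                 "could not send http request", "fetching latest versions")
LINE_RE = re.compile(r"^(√|×|‼) (.+?) - (OK|Error|Warning)$")

def parse_checks(text):
    """Return one dict per check line: section, name, status and its indented detail lines."""
    checks, section, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section = line.strip()            # a section title is followed by a dashed underline
            continue
        m = LINE_RE.match(line)
        if m:
            checks.append({"section": section, "name": m.group(2), "status": m.group(3), "detail": []})
        elif line.startswith(" ") and line.strip() and checks:
            checks[-1]["detail"].append(line.strip())   # indented lines belong to the previous check
    return checks

def triage(text):
    """Split non-OK checks into Internet-only failures (preload images, ignore version lookups) and the rest."""
    buckets = defaultdict(list)
    for c in (c for c in parse_checks(text) if c["status"] != "OK"):
        detail = " ".join(c["detail"]).lower()
        key = "internet_only" if any(k in detail for k in INTERNET_ONLY) else "needs_attention"
        buckets[key].append(c["name"])
    return dict(buckets)
```

Running triage(SAMPLE_CHECK) leaves the DNS warning and the container-to-hub connectivity failure in needs_attention, which is where the site-to-site troubleshooting should start.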


1 answer

  1. Sander van de Velde | MVP 30,866 Reputation points
    2023-11-04T07:42:37.5066667+00:00

    Hello @Satyam Chauhan ,

    It seems you want to use Azure IoT Edge in a completely offline situation, even during deployment.

    The Azure IoT Edge runtime needs to connect to the Azure IoT Hub at least once:

    IoT Edge devices and their assigned downstream devices can function indefinitely offline after the initial, one-time sync.

    During this sync, the security of the device is set up, the deployment manifest is pulled and additional modules, not yet available on the device, are pulled.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.
