Adding a route to connect to a TGW
This document is a description of the current Cloud Platform & TGW setup. It also explain how to modify the relevant route table
The scope of this guide is limited on purpose, it only covers the Cloud Platform responsibilities. The NVVS DevOps team is able to share the Transit Gateways with other AWS accounts.
Quick introduction
AWS Transit Gateways allows VPCs, from different accounts or regions, to be connected securely. Transit Gateways have their own route-table. Transit Gateways (TGW) also support connecting to VPNs, AWS Direct Connect and other Transit Gateway
An important limitation: a TGW can only work with VPCs in the same region it is in. However, TGW from different regions can be peered.
The MoJ current Transit Gateway infrastructure is managed here : github repository
Transit Gateway
The Cloud Platform VPC (live-1) is attached to PTTP TGW (tgw-026162f1ba39ce704
) which is shared from a different AWS account using (RAM - Resource Access Manager).
The vpc_attachement is done by creating the resource aws_ec2_transit_gateway_vpc_attachment
in Cloud Platform account providing the transit_gateway_id (the one that is shared),
vpc_id and the private subnet_ids of live-1
VPC. The NVVS DevOps team then approves the vpc attachement and adds the attachment from their side.
In order to allow the traffic to flow, a new route need to be added to VPC’s route-table for each target VPC.
Example: The Analytical Platform(AP) wants to access the Cloud Platform (CP) VPC.
- Both are attached the the TGW
- The CP route-table should contain a route with the AP VPC’s CIDR block as a destination, but with the TGW ID as a target.
- The same needs to be done on the AP VPC, to route back to CP.
Making the change
All existing routes that are added to live-1 VPC are managed in the github repository, in the route.tf
file of the transit-gateway-cloud-platform folder.
Only an admin of the cloud-platform (moj-cp
) is able to run that code.
Here is the snippet to add the VPC CIDR block to the route.tf :
pttp_tgw_destination_cidr_blocks = [
"10.161.XX.X/22", # Example VPC
...
...
...
]
Note: Something similar need to be done on the ‘other side’, terraform or not.
Adding live-2 VPC to PTTP TGW
To add live-2 VPC to Transit gateway, below steps needs to be done:
- Create the resource aws_ec2_transit_gateway_vpc_attachment
from Cloud-Platform account to attach the live-2 VPC to the Transit Gateway - Done
- Contact the NVVS DevOps team to add a attachment from their side and activate it - Done
- Add target VPC CIDRs to live-2 VPC Routes mentioned in the branch https://github.com/ministryofjustice/transit-gateways/tree/add-live-2-routes
- Seperate CIDR blocks list is needed for live-1 and live-2 so services in live-1
VPC can access services in live-2
Moving away from Cloud Platform Transit Gateway account
With the current setup, the PTTP TGW is shared with Cloud Platform account. Cloud Platform Transit Gateway account only holds the terraform state in s3 bucket for eu-west-2 region.
- Create s3 bucket in CP account, move the state file from transit-gateway account and link the new s3 bucket in the repository
- Move the code from transit-gateway-cloud-platform folder repo to cloud-platform-infrastructure or similar where CP can have manage with only CP account permissions
- Create a concourse pipeline to apply the transit-gateway code changes to CP account
- Find a way to test the connection when a new route is added to any of the VPC