Skip to main content

Adding a route to connect to the MOJ Transit Gateway

This document is a description of the current Cloud Platform attachment to the MoJ Transit Gateway. It also explains how to modify the relevant route table to route traffic from Cloud Platform to the MoJ Transit Gateway.

The scope of this guide is limited on purpose, it only covers the Cloud Platform responsibilities. The NVVS DevOps team is able to share the Transit Gateways with other AWS accounts.

Quick introduction

AWS Transit Gateways allow VPCs, from different accounts or regions, to be connected securely. Transit Gateways have their own route-table. Transit Gateways (TGW) also support connecting to VPNs, AWS Direct Connect and other Transit Gateways.

An important limitation: a TGW can only work with VPCs in the same region it is in. However, TGWs from different regions can be peered.

The MoJ Transit Gateway infrastructure is managed here : github repository

Note: The terms TGW-MoJ, pttp_tgw, MoJ Transit Gateway are used interchangeably in this guide and in the code for legacy reasons, but they are all referring to the same Transit Gateway.

Transit Gateway

The Cloud Platform VPC (live-1) is attached to TGW-MoJ (tgw-026162f1ba39ce704) which is shared from a different AWS account using (RAM - Resource Access Manager).

The vpc_attachement is done by creating the resource aws_ec2_transit_gateway_vpc_attachment in Cloud Platform account providing the transit_gateway_id (the one that is shared), vpc_id and the private subnet_ids of live-1 VPC. The NVVS DevOps team then approves the vpc attachement and adds the attachment from their side. In order to allow the traffic to flow, a new route needs to be added to VPC’s route-table for each target VPC.

Example: The Analytical Platform(AP) wants to access the Cloud Platform’s (CP) VPC.

  • Both are attached the the TGW
  • The CP route-table should contain a route with the AP VPC’s CIDR block as a destination, but with the TGW ID as a target.
  • The same needs to be done on the AP’s VPC, to route back to CP.

Making the change

All existing routes that are added to live-1 VPC are managed at the route.tf file in the transit-gateway-cloud-platform folder in the cloud-platform-infrastructure Github repository. Only an admin of the cloud-platform (moj-cp) is able to run that code.

Here is the snippet to add the VPC CIDR block to the route.tf :

pttp_tgw_destination_cidr_blocks = [
        "10.161.XX.X/22", # Example VPC
        ...
        ...
        ...
      ]

Note: Something similar needs to be done on the ‘other side’, terraform or not.

There is a task defined in the infrastructure-vpc-live-1 Concourse pipeline that will apply the new route(s) when merged with the main branch.

Adding routes from live-2 VPC to MoJ Transit Gateway

The Transit Gateway attachment from live-2 VPC to MoJ Transit Gateway has been provisioned, but there is no code provisioned to add routes. We decided not to add this for now as there are no requirements for any routing from live-2 VPC to the MoJ Transition Gateway. Also live-2 is planned for decommission. If there is a requirement for this, the add-live-2-tgw-routes branch shows the code that needs to be applied.

This page was last reviewed on 3 September 2024. It needs to be reviewed again on 3 March 2025 by the page owner #cloud-platform .
This page was set to be reviewed before 3 March 2025 by the page owner #cloud-platform. This might mean the content is out of date.