
Adding a route to connect to a TGW

This document describes the current Cloud Platform and TGW setup. It also explains how to modify the relevant route table.

The scope of this guide is limited on purpose: it only covers the Cloud Platform responsibilities. The NVVS DevOps team is able to share the Transit Gateways with other AWS accounts.

Quick introduction

AWS Transit Gateways allow VPCs, from different accounts or regions, to be connected securely. Transit Gateways have their own route table. Transit Gateways (TGW) also support connecting to VPNs, AWS Direct Connect and other Transit Gateways.

An important limitation: a TGW can only work with VPCs in the same region it is in. However, TGWs from different regions can be peered.

The current MoJ Transit Gateway infrastructure is managed here: github repository

Transit Gateway

The Cloud Platform VPC (live-1) is attached to the PTTP TGW (tgw-026162f1ba39ce704), which is shared from a different AWS account using RAM (Resource Access Manager).

The VPC attachment is done by creating the resource aws_ec2_transit_gateway_vpc_attachment in the Cloud Platform account, providing the transit_gateway_id (the one that is shared), the vpc_id and the private subnet_ids of the live-1 VPC. The NVVS DevOps team then approves the VPC attachment and adds the attachment from their side. In order to allow traffic to flow, a new route needs to be added to the VPC’s route table for each target VPC.

Example: The Analytical Platform(AP) wants to access the Cloud Platform (CP) VPC.

  • Both are attached to the TGW
  • The CP route-table should contain a route with the AP VPC’s CIDR block as a destination, but with the TGW ID as a target.
  • The same needs to be done on the AP VPC, to route back to CP.

Making the change

All existing routes added to the live-1 VPC are managed in the github repository, in the route.tf file of the transit-gateway-cloud-platform folder. Only an admin of the cloud-platform (moj-cp) account is able to run that code.

Here is the snippet to add the VPC CIDR block to route.tf:

pttp_tgw_destination_cidr_blocks = [
  "10.161.XX.X/22", # Example VPC
  ...
  ...
  ...
]

Note: Something similar needs to be done on the ‘other side’, whether or not it is managed with Terraform.
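As an added example (not the contents of the transit-gateways repository's route.tf), this is how the CIDR list above turns into the VPC attachment and one aws_route per target CIDR in each private route table; apart from pttp_tgw_destination_cidr_blocks and the TGW ID quoted on this page, every variable and resource name is an assumption, and the validation block rejects a placeholder such as "10.161.XX.X/22" before it reaches AWS.

```hcl
# Added example, not the project's own code. Assumed inputs: the live-1 VPC id,
# its private subnet ids and its private route table ids.
variable "pttp_transit_gateway_id" {
  type    = string
  default = "tgw-026162f1ba39ce704" # PTTP TGW shared into this account via RAM
}

variable "live_1_vpc_id" { type = string }
variable "live_1_private_subnet_ids" { type = list(string) }
variable "live_1_private_route_table_ids" { type = list(string) }

variable "pttp_tgw_destination_cidr_blocks" {
  type        = list(string)
  description = "CIDR blocks of the VPCs reachable through the PTTP TGW"

  # Fail at plan time on anything that is not a real CIDR (e.g. an unfilled
  # "10.161.XX.X/22" placeholder) instead of creating a broken route.
  validation {
    condition     = alltrue([for c in var.pttp_tgw_destination_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry in pttp_tgw_destination_cidr_blocks must be a valid CIDR block."
  }
}

# Attachment requested from the Cloud Platform side; NVVS DevOps approves it on the TGW side.
resource "aws_ec2_transit_gateway_vpc_attachment" "live_1" {
  transit_gateway_id = var.pttp_transit_gateway_id
  vpc_id             = var.live_1_vpc_id
  subnet_ids         = var.live_1_private_subnet_ids
  tags               = { Name = "live-1-pttp-tgw" }
}

# One route per (route table, target CIDR) pair, keyed so each route has a stable address.
locals {
  tgw_routes = {
    for pair in setproduct(var.live_1_private_route_table_ids, var.pttp_tgw_destination_cidr_blocks) :
    "${pair[0]}-${pair[1]}" => { route_table_id = pair[0], cidr = pair[1] }
  }
}

resource "aws_route" "to_pttp_tgw" {
  for_each               = local.tgw_routes
  route_table_id         = each.value.route_table_id
  destination_cidr_block = each.value.cidr
  transit_gateway_id     = var.pttp_transit_gateway_id

  # A route to the TGW is dead until the attachment exists and has been accepted.
  depends_on = [aws_ec2_transit_gateway_vpc_attachment.live_1]
}
```

Removing a CIDR from the list destroys only that CIDR's routes on the next apply, which is the same review point as adding one: the change on the ‘other side’ still has to be made separately.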

Adding live-2 VPC to PTTP TGW

To add the live-2 VPC to the Transit Gateway, the following steps need to be done:

  • Create the resource aws_ec2_transit_gateway_vpc_attachment from the Cloud Platform account to attach the live-2 VPC to the Transit Gateway - Done
  • Contact the NVVS DevOps team to add an attachment from their side and activate it - Done
  • Add the target VPC CIDRs to the live-2 VPC routes, as in the branch https://github.com/ministryofjustice/transit-gateways/tree/add-live-2-routes
  • A separate CIDR block list is needed for live-1 and live-2 so that services in the live-1 VPC can access services in live-2

Moving away from Cloud Platform Transit Gateway account

With the current setup, the PTTP TGW is shared with the Cloud Platform account. The Cloud Platform Transit Gateway account only holds the Terraform state in an S3 bucket for the eu-west-2 region.

  • Create an S3 bucket in the CP account, move the state file from the transit-gateway account and point the repository at the new S3 bucket
  • Move the code from the transit-gateway-cloud-platform folder of the repository to cloud-platform-infrastructure, or somewhere similar that CP can manage with only CP account permissions
  • Create a Concourse pipeline to apply the transit-gateway code changes to the CP account
  • Find a way to test the connection when a new route is added to any of the VPCs
This page was last reviewed on 15 December 2022. It needs to be reviewed again on 15 June 2023 by the page owner #cloud-platform .