Skip to main content

How VPCs access the internet

Our Networking Diagram shows a high level view of how shared VPCs are connected.

Our Networking Approach discusses and contains a detailed view of our shared VPCs.

This document discusses how these VPCs access the internet.

Traffic from the internet

Our shared VPCs all have public subnets. Your application should have AWS load balancers (or an equivalent) in those subnets to receive traffic from the internet, and act as a reverse proxy to your service on the Modernisation Platform.

Public subnets have permissive Network Access Control Lists (NACLS) allowing traffic in from the internet, and route tables attached with default routes to the internet via a VPC Internet Gateway.

Traffic to the internet

Shared VPCs

Our shared VPCs have private subnets and data subnets. These subnets have restrictive NACLS which allow HTTP and HTTPS traffic out to the internet, and high ports in from the internet. The route tables attached to the private and data subnets contain a default route to the internet via a Transit Gateway attachment.

Transit Gateway

When VPC traffic reaches the Modernisation Platform Transit Gateway it is compared against an associated route table. We maintain separate route tables for our live-data and non-live-data environments. Each of these route tables has a default route pointing to a VPC in our core-network-services account; we maintain separate VPCs for live-data environments and non-live-data environments.

Core-networking VPCs

Our core-network-services VPCs contain Network Firewall endpoints, NAT Gateways, and Internet Gateways.

Traffic enters from the Transit Gateway attachment, is routed through the Network Firewall where it is statefully inspected. HTTP traffic is permitted only where it matches a defined list of domains. Permitted traffic is then routed through a NAT gateway, and from there out to the internet via the Internet Gateway.

This page was last reviewed on 22 November 2024. It needs to be reviewed again on 22 May 2025 by the page owner #modernisation-platform .
This page was set to be reviewed before 22 May 2025 by the page owner #modernisation-platform. This might mean the content is out of date.