
Core Network Services Account Setup

Overview

The core-network-services AWS account hosts resources used by other Modernisation Platform accounts. Its networking resources tie the platform together, and allow it to communicate.

Resources in this account:

  • Egress VPCs (with Network Firewalls & NAT gateways): the Egress VPC is primarily used for egress traffic to the Internet and is composed of public/private subnets in up to three availability zones (AZs).
  • Inspection VPC (with Network Firewall): Inspection VPCs are used to route and inspect network traffic for security, compliance, or performance purposes.
  • Transit Gateway (RAM shares, peering to MOJ TGW): used to connect multiple VPCs and AWS accounts.
  • Route53 zones and delegations: DNS zones managed by AWS.

Steps

1. Account Creation

To initiate the account recreation process, go to the GitHub Actions page for the Modernisation Platform repository and trigger the new environment workflow. This workflow should detect that the account no longer exists and propose to recreate the account. As part of this process, it will also execute the baseline runs for the account.

2. Deploy Core Network Services Resources

This can be achieved by triggering the core-network-services deployment workflow run, which can be found here. Alternatively, this can be done as a manual deployment:

  • Navigate to the modernisation-platform repo and change to the core-network-services directory
  • Run terraform plan in the production workspace
  • Using admin credentials, execute terraform apply

3. Verify Resources

Because the core-network-services account holds the platform's networking together, there are additional verification steps to follow.

Egress VPCs (with Network Firewalls & NAT gateways)

The Egress VPC is primarily used for egress traffic to the Internet and is composed of public/private subnets in up to three availability zones (AZs).

  1. Go to VPC -> Endpoints; you should expect live_data, non_live_data and external_inspection.
  2. Under NAT gateways, there should be several listed, including live_data-public-eu-west and non_live_data-public for all regions.

Inspection VPC (with Network Firewall)

  1. Connect to core-network-services.
  2. Click on VPC -> Firewalls.
  3. Check 3 firewalls exist.

Transit Gateway (RAM shares, peering to MOJ TGW)

  1. Connect to core-network-services.
  2. Go to VPC -> Transit gateway -> Transit gateway attachments.
  3. Check that all exist; you will see names like platforms-preproduction-attachment.

Route53 zones and delegations

You will require OPS Engineering to help create these; the steps can be followed here.

  1. Connect to core-network-services.
  2. Go to Route 53 -> DNS Management -> Hosted Zones.
  3. Check that all exist; modernisation-platform.internal should exist.
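The console checks in this section can also be scripted. The following is an added example (not Modernisation Platform code) that compares AWS API responses with the resource names listed above; it assumes read-only credentials for the account, that EC2 resources carry a Name tag, and that at least one transit gateway attachment name ends in -attachment, and the sample responses at the bottom are constructed.

```python
"""Post-deploy checks for core-network-services (added example, not Modernisation Platform code)."""
EXPECTED_ENDPOINTS = {"live_data", "non_live_data", "external_inspection"}  # names from the runbook
EXPECTED_NAT_PREFIXES = ("live_data-public", "non_live_data-public")         # matched on the Name tag
EXPECTED_FIREWALLS = 3
EXPECTED_ZONE = "modernisation-platform.internal."  # Route 53 returns zone names with a trailing dot

def name_tag(resource):  # Name tag of an EC2-style resource, or '' if it has none
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == "Name"), "")

def check_core_network(endpoints, nats, firewalls, attachments, zones):
    """Compare describe/list API responses with the runbook; an empty list means all checks passed."""
    findings = []
    present = {name_tag(e) for e in endpoints["VpcEndpoints"]}
    findings += [f"VPC endpoint missing: {n}" for n in sorted(EXPECTED_ENDPOINTS - present)]
    nat_names = [name_tag(n) for n in nats["NatGateways"] if n.get("State") == "available"]
    findings += [f"no available NAT gateway named {p}-*" for p in EXPECTED_NAT_PREFIXES
                 if not any(n.startswith(p) for n in nat_names)]
    if len(firewalls["Firewalls"]) != EXPECTED_FIREWALLS:
        findings.append(f"expected {EXPECTED_FIREWALLS} network firewalls, found {len(firewalls['Firewalls'])}")
    if not any(a.get("State") == "available" and name_tag(a).endswith("-attachment")
               for a in attachments["TransitGatewayAttachments"]):
        findings.append("no available transit gateway attachment (expected e.g. platforms-preproduction-attachment)")
    if EXPECTED_ZONE not in {z["Name"] for z in zones["HostedZones"]}:
        findings.append(f"hosted zone missing: {EXPECTED_ZONE}")
    return findings

def run_live_checks(profile=None):
    """Fetch the responses with boto3 (read-only credentials; EC2 calls cover the session's region only)."""
    import boto3  # imported here so the offline demo below runs without boto3 installed
    s = boto3.Session(profile_name=profile)
    ec2, nfw, r53 = s.client("ec2"), s.client("network-firewall"), s.client("route53")
    return check_core_network(ec2.describe_vpc_endpoints(), ec2.describe_nat_gateways(), nfw.list_firewalls(),
                              ec2.describe_transit_gateway_attachments(), r53.list_hosted_zones())

def tagged(name, **extra):  # constructed EC2-style resource carrying a Name tag
    return {"Tags": [{"Key": "Name", "Value": name}], **extra}

# Constructed sample: a rebuild where the non_live NAT gateway is still pending and two firewalls are missing.
SAMPLE = dict(
    endpoints={"VpcEndpoints": [tagged("live_data"), tagged("non_live_data"), tagged("external_inspection")]},
    nats={"NatGateways": [tagged("live_data-public-eu-west-2a", State="available"),
                          tagged("non_live_data-public-eu-west-2a", State="pending")]},
    firewalls={"Firewalls": [{"FirewallName": "live_data-inspection"}]},
    attachments={"TransitGatewayAttachments": [tagged("platforms-preproduction-attachment", State="available")]},
    zones={"HostedZones": [{"Id": "/hostedzone/ZEXAMPLE", "Name": "modernisation-platform.internal."}]},
)

def demo():  # run the checks over SAMPLE; returns the two findings the sample was built to trigger
    return check_core_network(**SAMPLE)
```

The live helper does not paginate and only queries the session's region, so loop over regions to cover the non_live_data-public NAT gateways the runbook expects in all regions.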

4. Troubleshooting

The baselines job may need to be run multiple times, with any errors investigated between runs. To manually run baselines, click here.

The Run core vpc * workflows will also need to be run; they are located here.

This account has never been rebuilt; although these steps should outline what is required, some parts may have been overlooked.

5. Notify customers

  • Inform our members that the account has been recreated
  • Liaise with owning teams to validate any rebuilds

References

This page was last reviewed on 9 October 2024. It needs to be reviewed again on 9 April 2025 by the page owner #modernisation-platform .