ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Mercury Data Extraction Environment #3479

Closed carrb-moj closed 1 year ago

carrb-moj commented 1 year ago

Environment details

Mercury Data Extraction

Temporary environment to facilitate data extraction from the Mercury application (hosted in Azure) to the replacement application (Manage Intelligence) hosted in the Cloud Platform

DPS-SOCT-TECH

Environments

Environment / Access level
  • [x] Development
      • [ ] view-only
      • [x] developer
      • [ ] sandbox
  • [ ] Test
      • [ ] view-only
      • [ ] developer
  • [ ] Preproduction
      • [ ] view-only
      • [ ] developer
  • [x] Production
      • [ ] view-only
      • [x] developer

Tags

tag value
application manage-intelligence
business-unit HMPPS
infrastructure-support hmpps-ims@digital.justice.gov.uk
owner dps

Networking options

Subnet sets

Firewall rules

"gp_to_read_ims_extraction_data": {
  "action": "PASS",
  "source_ip": "<global protect IPs>",
  "destination_ip": "<new subnets>",
  "destination_port": "443",
  "protocol": "TCP"
},

"mercury_to_upload_ims_extraction_data": {
  "action": "PASS",
  "source_ip": "mercury azure IPs",
  "destination_ip": "<new subnets>",
  "destination_port": "443",
  "protocol": "TCP"
},

How do users connect to the application?

Connectivity to other applications or external parties

The Mercury application, which is hosted on VMs within Azure, needs to be able to copy files to an S3 bucket in this environment.

Additional features

Other information

Definition of done

seanprivett commented 1 year ago

@seanprivett can they just use an S3 bucket in our long term storage account?

SteveLinden commented 1 year ago

Accounts will be created soon. The IP addresses I have been given are as per an email: "Ok, so for the first rule I believe Brian is wanting to be able to access the environment on port 443 from an MoJ Digital Macbook connected to Global protect. To be honest, I think this is unnecessary as he should be able to access any EC2 instance stood up in the environment via SSM. I would skip this for now and I'll check with Brian when he is back.

"gp_to_read_ims_extraction_data": {
  "action": "PASS",
  "source_ip": "",
  "destination_ip": "",
  "destination_port": "443",
  "protocol": "TCP"
},

If you think the rule might make sense instead of SSM then the two VPN ranges are: (81.134.202.29/32 - mojvpn and 35.176.93.186/32 - global-protect)

For the second rule:

"mercury_to_upload_ims_extraction_data": {
  "action": "PASS",
  "source_ip": "mercury azure IPs",
  "destination_ip": "",
  "destination_port": "443",
  "protocol": "TCP"
},

The team needs connectivity between the new environment on the mod-platform and the azure Mercury subnets on the Fix and Go Azure environment. The two Azure subnets are:

10.40.54.0/24 - NOMS-Live/PP-Mercury
10.40.55.0/24 - NOMS-Live/PD-Mercury "

SteveLinden commented 1 year ago

I will look at these once the environments have been created

SteveLinden commented 1 year ago

Environments created. The names are slightly different to those listed above as I checked and this was the name provided to me. They may not be long lasting so this may not be an issue.

hmpps-intelligence-management-development
hmpps-intelligence-management-production

SteveLinden commented 1 year ago

Code amended and pushed with the firewall changes.

SteveLinden commented 1 year ago

The IP addresses are already covered in production (a /16 one) so waiting to confirm if this is needed in development. If it is, some additional work will be needed to do this. Will know more on Monday next week.

In the meantime the original pull request has been removed.
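As an added example, not part of this issue or of the Modernisation Platform's own tooling: a Python check over rules in the shape used in this thread that flags placeholder values still left in a request and reports when a requested rule is already permitted by an existing one (the situation with the /16 mentioned above). The VPN /32s and the two Azure /24s are taken from the thread; the destination subnet and the existing /16 production rule are assumed values.

```python
import ipaddress

# Rule shape from the issue. The VPN /32s and Azure /24s are from the thread;
# the destination subnet and the "/16" production rule are assumptions.
REQUESTED_RULES = {
    "gp_to_read_ims_extraction_data": {
        "action": "PASS", "source_ip": "81.134.202.29/32,35.176.93.186/32",
        "destination_ip": "<new subnets>",  # placeholder never resolved
        "destination_port": "443", "protocol": "TCP"},
    "mercury_to_upload_ims_extraction_data": {
        "action": "PASS", "source_ip": "10.40.54.0/24,10.40.55.0/24",
        "destination_ip": "10.26.0.0/21",  # assumed new-environment subnets
        "destination_port": "443", "protocol": "TCP"},
}
EXISTING_RULES = {  # assumed production rule with a /16 source
    "azure_to_prod": {
        "action": "PASS", "source_ip": "10.40.0.0/16",
        "destination_ip": "10.26.0.0/21",
        "destination_port": "443", "protocol": "TCP"},
}

def parse_cidrs(field):
    """Split a comma-separated IP field into networks; reject placeholders."""
    if not field or field.startswith("<"):
        raise ValueError(f"unresolved placeholder: {field!r}")
    return [ipaddress.ip_network(p.strip()) for p in field.split(",")]

def all_within(nets, supernets):
    """True when every network in nets sits inside some network in supernets."""
    return all(any(n.version == s.version and n.subnet_of(s) for s in supernets)
               for n in nets)

def covering_rules(rule, existing):
    """Names of existing rules that already permit everything `rule` asks for."""
    src, dst = parse_cidrs(rule["source_ip"]), parse_cidrs(rule["destination_ip"])
    return [name for name, ex in existing.items()
            if all(ex[k] == rule[k] for k in ("action", "protocol", "destination_port"))
            and all_within(src, parse_cidrs(ex["source_ip"]))
            and all_within(dst, parse_cidrs(ex["destination_ip"]))]

def review(requested, existing):
    """Map each requested rule to 'covered by <names>', 'new', or its error."""
    out = {}
    for name, rule in requested.items():
        try:
            hits = covering_rules(rule, existing)
            out[name] = "covered by " + ", ".join(hits) if hits else "new"
        except ValueError as err:
            out[name] = str(err)
    return out
```

A rule reported as "new" still needs its destination narrowed to the actual subnets before it is pushed; the check only tells you what is redundant or unfinished.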

SteveLinden commented 1 year ago

Currently I have had no response so I will close this.