Closed dms1981 closed 1 year ago
@davidkelliott can we discuss how we do this? Ideally we bring it into the next sprint.
The following PRs are relevant to this story:

- https://github.com/ministryofjustice/modernisation-platform/pull/3819 - creation of inspection VPC module
- https://github.com/ministryofjustice/modernisation-platform/pull/3834 - creation of new egress VPCs with inline inspection
- https://github.com/ministryofjustice/modernisation-platform/pull/3839 - minor adjustments; move TGW attachment resource into VPC module
- https://github.com/ministryofjustice/modernisation-platform/pull/3841 - more minor fixes; firewall naming
- https://github.com/ministryofjustice/modernisation-platform/pull/3848 - associate new egress VPCs with TGW route tables
- https://github.com/ministryofjustice/modernisation-platform/pull/3849 - route traffic to internet through new egress VPCs

Testing traffic to internet destinations with HTTP will need to wait on the completion of a PR covering HTTP-to-internet access.

- https://github.com/ministryofjustice/modernisation-platform/pull/3884 - new tests

Still need to remove old tests, old VPCs, and update any documentation that's relevant.
Documentation has been updated
User Story
As a Modernisation Platform Engineer
I want to pass traffic leaving the Modernisation Platform through our Network Firewall
So that we can permit HTTP traffic only to preselected destinations
User Type(s)
Modernisation Platform Customer
Value
We previously discussed consolidating our egress VPCs in this issue: Consolidate Egress VPCs. However, after some discussion in the team it was felt that preserving our separation of traffic was of sufficient importance that we should look into an alternative way to scan our egress traffic.
This means that our approach needs to change to use in-line firewall endpoints in our egress VPCs. We can accommodate this by provisioning a firewall endpoint in each availability zone of the egress VPCs, so that traffic never crosses availability zones to reach the firewall. The routing in each availability zone is then:

1. Traffic bound for the internet is routed from the transit gateway endpoint subnets via the new firewall endpoints.
2. Traffic bound for the internet is routed from the firewall endpoint subnets via the existing NAT Gateways.
3. Return traffic bound for the Modernisation Platform is routed from the NAT Gateway subnets back via the new firewall endpoints.
4. Return traffic bound for the Modernisation Platform is routed from the firewall endpoint subnets via the transit gateway.

Because both directions pass through the firewall endpoint, the firewall sees the full flow and can apply its HTTP destination rules to it.
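One availability zone of the routing described above, written out as an added Terraform example (not the Modernisation Platform's own module code). The resource names, `var.az` and `var.mp_cidr` (the CIDR routed back towards the platform) are assumptions; the route table associations and the NAT subnet's existing internet gateway route are omitted.

```hcl
# Added example, not the project's code. Assumes aws_vpc.egress,
# aws_nat_gateway.egress, aws_ec2_transit_gateway.main and an
# aws_networkfirewall_firewall.inspection with an endpoint in every AZ.

# Map each AZ to the firewall endpoint AWS placed in it, so every
# route points at the endpoint in its own availability zone.
locals {
  firewall_endpoint_by_az = {
    for state in aws_networkfirewall_firewall.inspection.firewall_status[0].sync_states :
    state.availability_zone => state.attachment[0].endpoint_id
  }
}

# 1. TGW attachment subnet: internet-bound traffic goes to the firewall
#    endpoint first, never straight to the NAT gateway.
resource "aws_route_table" "tgw" {
  vpc_id = aws_vpc.egress.id
}
resource "aws_route" "tgw_to_firewall" {
  route_table_id         = aws_route_table.tgw.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.firewall_endpoint_by_az[var.az]
}

# 2. Firewall endpoint subnet: inspected outbound traffic continues to
#    the NAT gateway; inspected return traffic goes back to the TGW.
resource "aws_route_table" "firewall" {
  vpc_id = aws_vpc.egress.id
}
resource "aws_route" "firewall_to_nat" {
  route_table_id         = aws_route_table.firewall.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.egress.id
}
resource "aws_route" "firewall_to_tgw" {
  route_table_id         = aws_route_table.firewall.id
  destination_cidr_block = var.mp_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}

# 3. NAT gateway subnet: return traffic for the platform is sent back
#    through the firewall endpoint, so both directions are inspected.
resource "aws_route_table" "nat" {
  vpc_id = aws_vpc.egress.id
}
resource "aws_route" "nat_to_firewall" {
  route_table_id         = aws_route_table.nat.id
  destination_cidr_block = var.mp_cidr
  vpc_endpoint_id        = local.firewall_endpoint_by_az[var.az]
}
```

A quick check after apply is that no route table in the egress VPC sends 0.0.0.0/0 directly to the NAT gateway except the firewall subnet's, since any such route would let traffic bypass inspection.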
Assumptions / Hypothesis / Questions / Unknowns
Definition of done
Reference