ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License
680 stars 290 forks

Cross VPC access to services via AWS Endpoint services #875

Closed philhorrocks closed 12 months ago

philhorrocks commented 3 years ago

User Story

Transit Gateway currently does not support security group references to another VPC which is attached via a separate VPC attachment. This is something that is being worked on by AWS but we have been told this is 12+ months away.

An example might be HMPPS requiring access to services in the LAA, both separate VPCs. You could allow this communication via the Transit Gateway but you would have to open up to the whole subnet CIDR on the incoming NACL to allow this communication to work. SGs would not work in this scenario.

A possible solution for this would be to bypass the TGW altogether and use the AWS PrivateLink backbone via an AWS endpoint service. An endpoint service would be created in the "Producer" VPC, which would set up a load balancer and private DNS pointing to a service in a chosen subnet. The consumer VPC could then access these services via an associated VPC endpoint which is set up in the local VPC, providing an ENI with a private IP. Security groups can then be set up for the VPC endpoint, making it secure and only allowing the appropriate resources access.

Reference

How to write good user stories
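The producer/consumer pattern described in the story above, written out as an added Terraform example. This is illustrative code, not part of the modernisation-platform repository, and it assumes a single configuration with two provider aliases (`aws.producer`, `aws.consumer`), pre-existing VPC and subnet resources named `aws_vpc.producer`, `aws_subnet.producer_private`, `aws_vpc.consumer`, `aws_subnet.consumer_private`, an existing `aws_security_group.consumer_app` for the workload that needs access, and a `var.consumer_account_id` variable; all of these names are hypothetical.

```hcl
# ---- Producer VPC: internal NLB fronting the service, exposed as an endpoint service ----

resource "aws_lb" "producer" {
  provider           = aws.producer
  name               = "producer-service-nlb" # hypothetical name
  internal           = true
  load_balancer_type = "network"
  subnets            = [aws_subnet.producer_private.id]
}

resource "aws_lb_target_group" "producer" {
  provider    = aws.producer
  name        = "producer-service-tg"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = aws_vpc.producer.id
}

resource "aws_lb_listener" "producer" {
  provider          = aws.producer
  load_balancer_arn = aws_lb.producer.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.producer.arn
  }
}

# The endpoint service is the only thing the consumer can see of the producer VPC.
# acceptance_required plus allowed_principals stops arbitrary accounts from
# attaching an endpoint even if they learn the service name.
resource "aws_vpc_endpoint_service" "producer" {
  provider                   = aws.producer
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.producer.arn]
  allowed_principals         = ["arn:aws:iam::${var.consumer_account_id}:root"]
}

# ---- Consumer VPC: interface endpoint whose ENI carries a local security group ----

# Only the consumer workload's own SG may reach the endpoint ENI. This is an
# SG-to-SG reference inside the consumer VPC, which is exactly what TGW cannot
# offer across VPC attachments.
resource "aws_security_group" "consumer_endpoint" {
  provider = aws.consumer
  name     = "producer-service-endpoint"
  vpc_id   = aws_vpc.consumer.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.consumer_app.id]
  }
}

resource "aws_vpc_endpoint" "consumer" {
  provider            = aws.consumer
  vpc_id              = aws_vpc.consumer.id
  service_name        = aws_vpc_endpoint_service.producer.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.consumer_private.id]
  security_group_ids  = [aws_security_group.consumer_endpoint.id]
  private_dns_enabled = false # true requires a verified private_dns_name on the service
}

# Consumers address the service through the endpoint's local DNS name; no route
# to the producer CIDR and no NACL opening to that CIDR is needed.
output "producer_service_dns" {
  value = aws_vpc_endpoint.consumer.dns_entry[0].dns_name
}
```

Two caveats worth knowing before adopting this. First, traffic arriving over PrivateLink reaches the NLB targets from the NLB's own private addresses rather than the consumer's, so the target's security group on the producer side has to allow the NLB subnet (or, on newer NLBs that support security groups, the NLB's SG), not the consumer range. Second, the endpoint ENI's security group can only reference groups in the consumer VPC, so the fine-grained control lives on the consumer side, while the producer's control is the `allowed_principals` list and manual or automated connection acceptance.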

dms1981 commented 12 months ago

Re-reading this story, it reads like it's after a way to implement PrivateLink - or documentation on how to implement it. Given that Amazon maintain documentation on PrivateLink, and no internal customer has asked for this in over two years, I think we can close this one.