
Internal endpoints for applications in connected VPCs

Open. oliverweighell opened this issue 2 years ago • 1 comment

Service name

laa-crime-means-assessment (also LAA in general)

Service environment

dev, staging, uat, prod

Impact on the service

  • Securing users' data
  • Ability to meet LAA architectural requirements

Problem description

We would like to create an internal endpoint for applications in the LAA zone to call CMA.

Context:

  • CMA is called by MAAT, an application running in the LAA landing zone. The LAA zone is a separate VPC but is connected to Cloud Platform via Transit Gateway - routes and attachments exist for two-way connectivity between the two VPCs.
  • The data transferred between MAAT and CMA is sensitive and includes PII. For interactions of this nature within the LAA VPC, we would go internally rather than over the internet. Given the Transit Gateway exists, we would like to treat interactions between LAA zone and Cloud Platform with the same level of privacy/security.
  • Our understanding is that access into Cloud Platform is via ingress only, with the only existing options being public controllers (modsec or not). From initial discussions with Cloud Platform engineers, one suggestion was to explore the possibility of adding a private ingress controller option.

Contact person

  • Oli Weighell, [email protected]
  • Ahilan Santhanlingam, [email protected]

oliverweighell, Aug 16 '22 11:08
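To make the request above concrete, here is an added example (not from the issue, the cloud-platform repository, or MoJ's actual configuration) of the two halves a private ingress option would consist of on Kubernetes/AWS: a platform-side Service that fronts a second ingress controller with an internal-scheme NLB, and a tenant-side Ingress that opts into it. The IngressClass name `private-nginx`, the namespaces, labels, hostname, port and the `10.0.0.0/16` CIDR are all placeholders; the annotation keys are the ones the AWS Load Balancer Controller reads.

```yaml
# Added example, not the issue author's or the Cloud Platform project's configuration.
# Assumes the AWS Load Balancer Controller is installed and that a second ingress
# controller deployment (selector app=private-nginx) exists; both are hypothetical here.
apiVersion: v1
kind: Service
metadata:
  name: private-nginx
  namespace: ingress-controllers              # placeholder namespace
  annotations:
    # Hand this Service to the AWS Load Balancer Controller instead of the in-tree provider.
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # "internal" puts the NLB in private subnets with no public address. The
    # public controllers the issue mentions correspond to "internet-facing".
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
spec:
  type: LoadBalancer
  # Only the Transit Gateway-connected peer VPC should be able to reach the NLB.
  # Placeholder CIDR: the real LAA VPC range is not on the page.
  loadBalancerSourceRanges:
    - 10.0.0.0/16
  selector:
    app: private-nginx                        # placeholder label
  ports:
    - name: https
      port: 443
      targetPort: 443
---
# Tenant side: the CMA namespace exposes the service only through the private class.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cma-internal
  namespace: laa-crime-means-assessment-dev   # placeholder namespace
spec:
  ingressClassName: private-nginx             # hypothetical private IngressClass
  tls:
    - hosts:
        - cma.internal.example               # placeholder hostname, resolvable only in-VPC
      secretName: cma-internal-tls            # placeholder TLS secret
  rules:
    - host: cma.internal.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: laa-crime-means-assessment   # placeholder backend Service
                port:
                  number: 8080
```

The point of the split is that the tenant never has to know about the load balancer: selecting `ingressClassName: private-nginx` is the whole opt-in, and an Ingress that accidentally names the public class would still need a public DNS record before it served traffic. Whether `loadBalancerSourceRanges` is enforced on the NLB depends on the controller version (it needs NLB security-group support), so a practitioner should confirm the resulting security group rather than assume it; the private subnet placement from `scheme: internal` holds regardless.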

Quick note - the needed routing is already done in https://github.com/ministryofjustice/transit-gateways/blob/master/terraform/transit-gateway/tgw-routes.tf#L135

razvan-moj, Aug 16 '22 11:08

Hi @oliverweighell. Is this story still required?

AntonyBishop, Dec 06 '22 10:12