Investigate isolated subnets with smaller CIDR ranges

[davidkelliott]

User Story

We currently offer the option of isolated networking, this is networking which uses our allocated IP ranges, but is not connected to anything, no external access, no internal wider MOJ access, no access to MP TGW.

The purpose of this option is for teams who wish to securely store data with no network access.

Originally these were planned to be done with /21 CIDR blocks, but these are in limited supply and excessive for one application, so it would be better if we can use smaller blocks.

We have never actually created one of these networks before, so we need to do the following:

• Check if we can still create these networks and RAM share with the account.
• Check if we can use smaller CIDR ranges for them.
• Document how to create them

Value / Purpose

Enable more manageable isolated subnets and ensure we know how to create them.

Useful Contacts

David Elliott, Richard Baguley

Additional Information

This is required for a new data platform account

Definition of Done

• Check if we can still create these networks and RAM share with the account.
• Check if we can use smaller CIDR ranges for them.
• Document how to create them

[dms1981]

First pass at attempting this in Sprinkler / garden-sandbox VPC: https://github.com/ministryofjustice/modernisation-platform/compare/user/dms1981/test-extra-subnets

[dms1981]

As a brief roundup of what I saw on the 9th, adding new ranges isn't difficult, but it will result in an additional VPC CIDR being added to the relevant VPC. This additional CIDR will then be propagated into our AWS Transit Gateway route tables, so there is a risk that this could overlap with an existing range elsewhere in the MOJ internal network.
To add a supplementary range, we'd amend the existing environments-networks/$business_unit-$environment.json file to add a new subnet_set: like so:

{
  "cidr": {
    "subnet_sets": {
      "general": { ... },
      "my-additional-cidr": {
        "cidr": "10.0.0.0/22",
        "accounts": ["..."]
      }
    }
  },
  "options": {
    ...
  }
}

There is a minimum size that we can use for an additional CIDR, which is a factor of how the cidrsubnets() function is used to divide a cidr into public/private/data subnets. A /24 CIDR is the minimum size we could use for an additional CIDR block.

[dms1981]

OK! Having looked into this, it's the isolated subnet requirement that's an issue. We can create supplemental subnets in an additional CIDR range, but these will still be connected to the MP Transit Gateway, and still have access to the internet through the VPC internet gateway.

That leaves two immediate options:

1. Extend the modernisation-platform-terraform-member-vpc to optionally create an isolated VPC.
2. Provision isolated VPCs on request through the moderisation-platform-environments repository.

I think that extending the modernisation-platform-terraform-member-vpc is the more challenging option. It would reduce options for customisation by consumers, but if done right would be easy to provision. Creating isolated VPCs on request is attractive and has a lower bar of entry, but will lead to multiple different configurations and management methods.

I'll also comment that if the VPC is to be permanently isolated - EG. Without any Transit Gateway attachment - then the address range isn't important as traffic will never be routed to or from other private networks. We could provision the same /16 address range to all our isolated VPCs with no impact.

[dms1981]

We currently hold documentation on additional subnet sets here:

• https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/creating-vpcs.html#subnet-sets
• https://user-guide.modernisation-platform.service.justice.gov.uk/concepts/networking/subnet-allocation.html#subnet-allocation

[dms1981]

After discussing this with @davidkelliott we're going to create the isolated VPC as a separate resource in the relevant modernisation-platform-environments/terraform/environments directory.