Last updated: 22 Aug 2022
GOV.UK and Virtual Private Networks (VPNs)
VPN between AWS and UKCloud for Licensify Civica payment status requests
There’s a VPN between AWS Production (only) and UKCloud Production which exists only as a workaround for routing certain requests from Licensify to Civica, one of Licensify’s payment gateways. This is undesirable and recorded as GOV.UK Tech Debt.
If this VPN is down:
- The check_uk_cloud_vpn_up alert will fire in Icinga.
- HTTP(S) requests from Licensify to Civica will originate from our AWS NAT gateways instead of UKCloud. This means the source IP address will fail to match Civica’s IP-based access control lists.
- Civica will start returning
403 Access Deniedinstead of200 OKto Licensify and to the probe which triggers the vpn-down alert. - Users who are paying for licence applications to certain licencing authorities will still be able to complete their application but the last step of their journey will display a message saying “We have received your application, but were unable to confirm payment with the authority.” (source)
- The page still gives the user a reference number for their transaction and asks the user to contact the licencing authority to confirm that they have received the payment.
- Payments will still be processed as normal. The only difference is that Licensify is unable to tell the user whether the payment went through or not.
- Only those licencing authorities which use Civica as their payment processor are affected. This is a small but significant minority.
- Licencing authorities who do not use Civica are not affected.
Troubleshooting Steps
Troubleshooting steps (aim is to switch off and on the VPN):
- Go to Production Skyscape portal, the credentials are in GOV.UK 2ndline Pass under:
ukcloud/portal. If you are out of the office or on GovWifi, you will need to connect to the GDS VPN first. - Once you logged in, you have to log into the
Productionorganization by selecting:VMWARE CLOUDand thenGOV.UK Production. You will be asked for the password again. - In the
Productionorganization, go to theGOV.UK Managementvirtual datacenter. - Click
edgesin the left column to bring the list of edges. - Click on the
GOV.UK Managementedges in the right main frame andServicesabove it. - In the pop-up window, click on
VPNin the menu bar and thenIPsec VPN Sites - In the list of VPN sites, select
UKC Licensify to AWSVPN and click on the edit icon above. - In the new pop-up window, turn the VPN off by toggling the
enableswitch and clickingKEEP - The pop-up window will disappear and you need to click
save changesin put into effect the VPN being now disabled. - Wait a few minutes and repeat step 7-9 to re-enable the VPN again.