GOV.UK and Virtual Private Networks (VPNs)
VPN between AWS and UKCloud for Licensify Civica payment status requests
There’s a VPN between AWS Production (only) and UKCloud Production which exists only as a workaround for routing certain requests from Licensify to Civica, one of Licensify’s payment gateways. This is undesirable and recorded as GOV.UK Tech Debt.
If this VPN is down:
- The check_uk_cloud_vpn_up alert will fire in Icinga.
- HTTP(S) requests from Licensify to Civica will originate from our AWS NAT gateways instead of UKCloud. This means the source IP address will fail to match Civica’s IP-based access control lists.
- Civica will start returning 403 Access Denied instead of 200 OK to Licensify and to the probe which triggers the vpn-down alert.
- Users who are paying for licence applications to certain licensing authorities will still be able to complete their application, but the last step of their journey will display a message saying “We have received your application, but were unable to confirm payment with the authority.” (source)
- The page still gives the user a reference number for their transaction and asks the user to contact the licensing authority to confirm that they have received the payment.
- Payments will still be processed as normal. The only difference is that Licensify is unable to tell the user whether the payment went through or not.
- Only those licensing authorities which use Civica as their payment processor are affected. This is a small but significant minority.
- Licensing authorities who do not use Civica are not affected.
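The 403-versus-200 behaviour described above can be turned into an Icinga-style probe. The following is an added example, not the actual check_uk_cloud_vpn_up check or any GOV.UK code; PROBE_URL is a placeholder and the function names are assumptions. It reports a 403 as the VPN symptom and keeps network failures and other status codes separate, so that a Civica outage is not reported as a VPN failure.

```python
#!/usr/bin/env python3
"""Icinga/Nagios-style probe: does Civica accept our source IP?"""
import sys
import urllib.error
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard plugin exit codes

# Placeholder: the real probe URL is not given on this page.
PROBE_URL = "https://civica.example.invalid/status"


def http_status(url, timeout=10):
    """Return the HTTP status code of a GET, including 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 403; we want the code itself


def check_vpn(url=PROBE_URL, fetch=http_status):
    """Map the probe result to (exit_code, message)."""
    try:
        status = fetch(url)
    except OSError as err:  # DNS failure, refused connection, timeout
        return UNKNOWN, f"UNKNOWN - could not reach Civica: {err}"
    if status == 200:
        return OK, "OK - Civica returned 200, source IP accepted"
    if status == 403:
        return CRITICAL, ("CRITICAL - Civica returned 403: source IP is not on "
                          "its access control list, the VPN is probably down")
    return WARNING, f"WARNING - unexpected HTTP {status} from Civica"


if __name__ == "__main__":
    code, message = check_vpn()
    print(message)
    sys.exit(code)
```

The `fetch` parameter exists so the status mapping can be exercised without network access.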
Troubleshooting steps (the aim is to switch the VPN off and on again):
1. Go to the Production Skyscape portal. The credentials are in GOV.UK 2ndline Pass under ukcloud/portal. If you are out of the office or on GovWifi, you will need to connect to the GDS VPN first.
2. Once you have logged in, you have to log into the Production organization by selecting VMWARE CLOUD and then GOV.UK Production. You will be asked for the password again.
3. In the Production organization, go to the GOV.UK Management virtual datacenter.
4. Click on edges in the left column to bring up the list of edges.
5. Click on the GOV.UK Management edges in the right main frame and
6. In the pop-up window, click on VPN in the menu bar and then IPsec VPN Sites.
7. In the list of VPN sites, select the UKC Licensify to AWS VPN and click on the edit icon above.
8. In the new pop-up window, turn the VPN off by toggling the enable switch and clicking
9. The pop-up window will disappear. Click save changes to put the disabling of the VPN into effect.
10. Wait a few minutes and repeat steps 7-9 to re-enable the VPN.