GOV.UK and Virtual Private Networks (VPNs)
GOV.UK uses several VPNs to connect environments. This page explains what they are and what happens if they stop working.
VPN between live organisation and disaster recovery organisation
There’s a VPN in each Carrenza environment (currently staging and production) which connects the live organisation to the disaster recovery organisation. It’s used for monitoring the disaster recovery machines and for syncing data to them. The VPNs are managed by Carrenza.
If it goes down, these things will happen:
- The machines on the disaster recovery side of the connection will appear as unreachable hosts in GOV.UK monitoring
- Data replication will pause
VPN between live organisation and Licensing
Licensing is hosted in UKCloud. There’s a VPN in each environment which connects it to the live (Carrenza) organisation. The VPN is managed by Carrenza and UKCloud.
If it goes down, these things will happen:
- The machines on the disaster recovery (UKCloud) side of the connection will appear as unreachable hosts in GOV.UK monitoring
Applying for a licence should remain available because the connection between GOV.UK (the router and content store) and the Licensify organisation is made over the internet rather than over the VPN.
VPN between live organisation in Carrenza and AWS during AWS migration
During the staged migration of the GOV.UK from Carrenza to AWS, there is a VPN tunnel to connect the 2 private clouds so that migrated and un-migrated services can still access each other during the migration.
If the VPN goes down, these things will happen:
the ping probes between certain virtual machines in AWS and Carrenza will fail and these will appear in the Icinga dashboard of GOV.UK
services which makes use of the VPN will fail and the relevant alerts will appear in Icinga
Troubleshooting Steps
Check that the VPN is
UPin the AWS Console by:- log in into the AWS console and assume your role for the given GOV.UK environment
- go to the
VPCservice dashboard, as pictured in Figure 1.0
Figure 1.0: VPC dashboard in AWS showing the VPN site-to-site status. - scroll on the left pane of the dashboard and click
Site-to-Site VPN Connectionsas shown in step 1 in Figure 1.0 - select the
Staging AWSVPN connection as shown in step 2 in Figure 1.0 - select the tab
Tunnel Detailsas shown in step 3 in Figure 1.0 - check the status of the VPN tunnel, in the normal scenario, only one
tunnel will be
UPas shown in step 4 in Figure 1.0. The other tunnel isDOWNby default.
If all tunnels are down this means there is a VPN issue and you may have to swap to the secondary VPN tunnel.
Switching to the secondary VPN tunnel:
- log in the Carrenza vCloud interface as described here
- click on the “Administration” button on the interface as shown in step 1
in Figure 2.0
Figure 2.0: Carrenza vCloud interface showing the vEdge gateways list - select the
GOV.UK Managementvirtual data centre and the data centre should appear as shown in step 2 in Figure 2.0 - select the
Edge Gatewaystab as shown in step 3 in Figure 2.0 - right-click the only edge gateway in the list as shown in step 4 in Figure
2.0 and select
Edge Gateway Service.... A new pop-up window will appear as shown in Figure 2.1.
- select the
enabled(shown by a green tick in the enabled column) AWS VPN as shown in step 1 in Figure 2.1. Make a note of it so you remember which VPN you are going to disable. Do not select the UKCloud VPN - click on the
editbutton as shown in step 2 in Figure 2.1. A new pop-up window will appear where you canunchecktheEnable this VPN configurationoption so that this VPN is disabled. Finally selectokto return to the previous pop-up window. - in the list of VPN connections, select the second AWS VPN tunnel and click
editas in step 2 in Figure 2.1 and enable the VPN configuration in the new pop-up window. - finally click on
okas shown in step 3 in Figure 2.1. - go to the AWS console and check if the other VPN tunnel is now
UPand the previously active VPN tunnel isDOWN.
In addition, check that the Icinga ping alerts across the Carrenza-AWS VPN has now been cleared.
