I’m wary that a blog post might not make it to the top of my TODO list for quite a while, so here’s a summary of how Black Pear are using AWS, including links to all the relevant resources:
The design is relatively simple:
- Create a VPC on AWS (https://aws.amazon.com/vpc/) - this will be the Gateway VPC
- AWS DirectConnect (https://aws.amazon.com/directconnect/) is used to securely route traffic from N3/HSCN to the Gateway VPC on AWS. (The Gateway VPC is then effectively a little bubble of N3 running on AWS).
- Host proxy servers for both inbound and outbound traffic in the Gateway VPC. Choose your favourite software! (We run Ubuntu + haproxy/nginx/squid/postfix).
- Create a second VPC on AWS - this is the Private VPC and must not be routable from the internet.
- The Private VPC is used to host application servers.
- Finally, VPC peering (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html) is configured to route traffic between the Gateway and Private VPCs.
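The design above can be expressed as a small policy check over a parsed CloudFormation template, so that a pull request which accidentally attaches an internet gateway to the Private VPC is caught before deployment. The following is an added example, not Black Pear's code or an AWS tool; the logical resource names (GatewayVPC, PrivateVPC, IGW, Peering, the route tables) and CIDR blocks are constructed assumptions, and the sample template builder stands in for `json.load` on a real template.

```python
"""Added example (not Black Pear's code): a policy check over a parsed
CloudFormation template for the Gateway VPC / Private VPC design.
Logical ids and CIDRs below are constructed assumptions."""
from typing import Any, Dict, List, Optional


def logical_id(value: Any) -> Optional[str]:
    """Resolve {"Ref": "X"} (or a bare string) to a logical resource id."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value if isinstance(value, str) else None


def check_two_vpc_design(template: Dict[str, Any], private_vpc: str, gateway_vpc: str) -> List[str]:
    """Return findings; an empty list means the template meets the design rules:
    1. no internet gateway is attached to the private VPC,
    2. the private VPC has no route via an internet gateway and no default route,
    3. both VPCs have a route through a VPC peering connection."""
    res = template.get("Resources", {})
    igws = {n for n, r in res.items() if r["Type"] == "AWS::EC2::InternetGateway"}
    peerings = {n for n, r in res.items() if r["Type"] == "AWS::EC2::VPCPeeringConnection"}
    rt_vpc = {n: logical_id(r["Properties"].get("VpcId"))
              for n, r in res.items() if r["Type"] == "AWS::EC2::RouteTable"}
    findings: List[str] = []
    peered = {private_vpc: False, gateway_vpc: False}
    for name, r in res.items():
        props = r.get("Properties", {})
        if r["Type"] == "AWS::EC2::VPCGatewayAttachment":
            if (logical_id(props.get("VpcId")) == private_vpc
                    and logical_id(props.get("InternetGatewayId")) in igws):
                findings.append(f"{name}: internet gateway attached to {private_vpc}")
        elif r["Type"] == "AWS::EC2::Route":
            vpc = rt_vpc.get(logical_id(props.get("RouteTableId")))
            via_igw = logical_id(props.get("GatewayId")) in igws
            default_route = props.get("DestinationCidrBlock") == "0.0.0.0/0"
            if vpc == private_vpc and (via_igw or default_route):
                findings.append(f"{name}: {private_vpc} has an internet-bound route")
            if logical_id(props.get("VpcPeeringConnectionId")) in peerings and vpc in peered:
                peered[vpc] = True
    for vpc, ok in peered.items():
        if not ok:
            findings.append(f"{vpc}: no route via a VPC peering connection")
    return findings


def sample_template(private_exposed: bool) -> Dict[str, Any]:
    """Constructed template fragment for the two-VPC design (not a real deployment).
    With private_exposed=True it also attaches an internet gateway to the Private VPC."""
    def route(table: str, cidr: str, **target: str) -> Dict[str, Any]:
        props: Dict[str, Any] = {"RouteTableId": {"Ref": table}, "DestinationCidrBlock": cidr}
        props.update({k: {"Ref": v} for k, v in target.items()})
        return {"Type": "AWS::EC2::Route", "Properties": props}

    res: Dict[str, Any] = {
        "GatewayVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "PrivateVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}},
        "IGW": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
        "GatewayIGWAttach": {"Type": "AWS::EC2::VPCGatewayAttachment",
                             "Properties": {"VpcId": {"Ref": "GatewayVPC"},
                                            "InternetGatewayId": {"Ref": "IGW"}}},
        "Peering": {"Type": "AWS::EC2::VPCPeeringConnection",
                    "Properties": {"VpcId": {"Ref": "GatewayVPC"}, "PeerVpcId": {"Ref": "PrivateVPC"}}},
        "GatewayRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "GatewayVPC"}}},
        "PrivateRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "PrivateVPC"}}},
        "GatewayDefault": route("GatewayRT", "0.0.0.0/0", GatewayId="IGW"),
        "GatewayToPrivate": route("GatewayRT", "10.1.0.0/16", VpcPeeringConnectionId="Peering"),
        "PrivateToGateway": route("PrivateRT", "10.0.0.0/16", VpcPeeringConnectionId="Peering"),
    }
    if private_exposed:
        res["PrivateIGWAttach"] = {"Type": "AWS::EC2::VPCGatewayAttachment",
                                   "Properties": {"VpcId": {"Ref": "PrivateVPC"},
                                                  "InternetGatewayId": {"Ref": "IGW"}}}
        res["PrivateDefault"] = route("PrivateRT", "0.0.0.0/0", GatewayId="IGW")
    return {"Resources": res}


if __name__ == "__main__":
    for exposed in (False, True):
        print(exposed, check_two_vpc_design(sample_template(exposed), "PrivateVPC", "GatewayVPC"))
```

Because VPC peering is not transitive, a default route in the Private VPC cannot reach the internet through the Gateway VPC anyway; application servers reach the outbound proxies by their addresses in the Gateway VPC CIDR, which is why the check treats any `0.0.0.0/0` route in the Private VPC as a defect rather than only routes that name an internet gateway.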
AWS have published a helpful set of guidance describing Cloud architectures for UK-OFFICIAL workloads:
https://aws.amazon.com/quickstart/architecture/accelerator-uk-official/. This includes a candidate architecture that can quickly be adapted to NHS requirements. You can try these out on any AWS account …
We use Redcentric to provide N3 connectivity for our production services on AWS (http://www.redcentricplc.com/services/networks/hscn-connectivity/hscn-public-cloud-connectivity/).
This is straightforward, but there are some prerequisites for connecting to N3:
- Design documentation (the Logical Connection Architecture) is used to show that the connection will be safe, secure and comply with NHS requirements.
- The Information Governance Toolkit (https://www.igt.hscic.gov.uk/) is used to show that your organisation has a robust information governance framework in place.
Once the agreement and documentation were in place, the connection took less than a morning.
My top tips:
- Start the IGToolkit and Logical Connection Architecture early. You can then make design decisions that make it easy to meet the requirements.
- Use the Infrastructure as Code practice, for example AWS CloudFormation (https://aws.amazon.com/cloudformation/). Use this to build and deploy a development environment that matches the production environment exactly - including network configuration, firewall rules and virtual machine images.
- Remember that not all AWS services run in all regions (e.g. Kinesis Firehose) and some must be internet-connected (e.g. API Gateway). Check that you’ll be able to use the service when you deploy to production.
- Make friends with the NHS Digital DNS team - you may want their help to configure some non-standard records (e.g. a CNAME record on N3 DNS servers that points to a CNAME record on internet DNS servers, which points to the CNAME record of a private load balancer on AWS DNS servers, which finally resolves to A records for IP addresses in the Gateway VPC).
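A chain like the one in the last tip spans three sets of DNS servers, so it is worth a check that each hop still exists, that the chain does not loop, and that the final A records really fall inside the Gateway VPC rather than on a public address. The following is an added example, not Black Pear's code: the zone contents, host names, load balancer name and addresses are constructed, and the three in-memory zones stand in for real queries against the N3, internet and AWS resolvers.

```python
"""Added example (not Black Pear's code): follow a CNAME chain across the N3,
internet and AWS DNS zones and confirm it ends on A records inside the Gateway VPC.
All names, zones and addresses here are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone data: name -> ("CNAME", target) or ("A", [addresses]).
ZONES: Dict[str, Dict[str, Tuple[str, object]]] = {
    "n3": {  # record held on the N3 DNS servers
        "app.gp.example": ("CNAME", "app.example.net"),
    },
    "internet": {  # record held on the internet DNS servers
        "app.example.net": ("CNAME", "internal-gw-lb-0000.eu-west-2.elb.amazonaws.com"),
        "broken.example.net": ("CNAME", "missing.example.net"),
        "loop.example.net": ("CNAME", "loop.example.net"),
        "public.example.net": ("CNAME", "public-lb-0000.eu-west-2.elb.amazonaws.com"),
    },
    "aws": {  # records held on the AWS DNS servers (private and public load balancers)
        "internal-gw-lb-0000.eu-west-2.elb.amazonaws.com": ("A", ["10.0.1.10", "10.0.2.10"]),
        "public-lb-0000.eu-west-2.elb.amazonaws.com": ("A", ["203.0.113.5"]),
    },
}
GATEWAY_VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed Gateway VPC range


def lookup(name: str) -> Tuple[str, object]:
    """Find a record for `name` in any zone; raise LookupError if no zone has it."""
    for records in ZONES.values():
        if name in records:
            return records[name]
    raise LookupError(f"no record for {name}")


def resolve_chain(name: str, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Return (names visited in order, final A records). Raises LookupError on a
    missing record, a CNAME loop, or a chain longer than max_hops."""
    chain = [name]
    while True:
        rtype, data = lookup(name)
        if rtype == "A":
            return chain, list(data)  # type: ignore[arg-type]
        name = str(data)
        if name in chain:
            raise LookupError(f"CNAME loop at {name}")
        if len(chain) >= max_hops:
            raise LookupError(f"more than {max_hops} CNAME hops from {chain[0]}")
        chain.append(name)


def resolves_into_gateway(name: str) -> bool:
    """True only if every final address is inside the Gateway VPC CIDR."""
    _, addresses = resolve_chain(name)
    return all(ipaddress.ip_address(a) in GATEWAY_VPC_CIDR for a in addresses)


if __name__ == "__main__":
    for host in ("app.gp.example", "public.example.net"):
        print(host, resolve_chain(host), resolves_into_gateway(host))
```

Run against live resolvers the same logic applies; the N3-facing name should be queried from a host on N3, since the first hop only exists on the N3 DNS servers.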