How VPCs access the internet

Our Networking Diagram shows a high-level view of how shared VPCs are connected.

Our Networking Approach contains a detailed discussion of our shared VPCs.

This document discusses how these VPCs access the internet.

Traffic from the internet

Our shared VPCs all have public subnets. Your application should have AWS load balancers (or an equivalent) in those subnets to receive traffic from the internet, and act as a reverse proxy to your service on the Modernisation Platform.

Public subnets have permissive Network Access Control Lists (NACLs) allowing traffic in from the internet, and route tables attached with default routes to the internet via a VPC Internet Gateway.

Traffic to the internet

Shared VPCs

Our shared VPCs have private subnets and data subnets. These subnets have restrictive NACLs which allow HTTP and HTTPS traffic out to the internet, and high (ephemeral) ports in from the internet; the inbound high-port rule is needed because NACLs are stateless and return traffic must be explicitly allowed. The route tables attached to the private and data subnets contain a default route to the internet via a Transit Gateway attachment.

Transit Gateway

When VPC traffic reaches the Modernisation Platform Transit Gateway it is compared against an associated route table. We maintain separate route tables for our live-data and non-live-data environments. Each of these route tables has a default route pointing to a VPC in our core-network-services account; we maintain separate VPCs for live-data environments and non-live-data environments.

Core-networking VPCs

Our core-network-services VPCs contain Network Firewall endpoints, NAT Gateways, and Internet Gateways.

Traffic enters from the Transit Gateway attachment and is routed through the Network Firewall, where it is statefully inspected. HTTP traffic is permitted only where it matches a defined list of domains. Permitted traffic is then routed through a NAT Gateway, and from there out to the internet via the Internet Gateway.

Core-network-services NAT Gateways - Outgoing Internet Addresses

The NAT Gateways referenced above have the following EIP (Elastic IP) addresses assigned. Other networks sometimes use these addresses to filter for traffic originating from the Modernisation Platform via the Transit Gateway, so they are included here for reference:

Gateway Name                      EIP
live_data-public-eu-west-2a       13.41.38.176
live_data-public-eu-west-2b       3.8.81.175
live_data-public-eu-west-2c       3.11.197.133
non_live_data-public-eu-west-2a   13.43.9.198
non_live_data-public-eu-west-2b   13.42.163.245
non_live_data-public-eu-west-2c   18.132.208.127

The following CLI command can be run against core-network-services to obtain this list:

aws ec2 describe-nat-gateways \
   --query 'NatGateways[*].{Name:Tags[?Key==`Name`]|[0].Value,GatewayId:NatGatewayId,ElasticIP:NatGatewayAddresses[0].PublicIp}' \
   --output json \
   | jq -r 'sort_by(.Name)[] | "\(.Name)\t\(.GatewayId)\t\(.ElasticIP)"' \
   | column -t -s $'\t'
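Because other networks filter on the EIPs listed above, a re-allocated or newly created NAT Gateway silently breaks their allow-lists. The script below is an added example, not part of the platform's documentation or code: it runs the same query as the command above (or takes its JSON output) and reports any address that differs from the documented table. The gateway ids and the drifted address in the embedded sample are constructed.

```python
import json
import subprocess

# EIPs documented on this page (the table above), keyed by NAT gateway Name tag.
DOCUMENTED_EIPS = {
    "live_data-public-eu-west-2a": "13.41.38.176",
    "live_data-public-eu-west-2b": "3.8.81.175",
    "live_data-public-eu-west-2c": "3.11.197.133",
    "non_live_data-public-eu-west-2a": "13.43.9.198",
    "non_live_data-public-eu-west-2b": "13.42.163.245",
    "non_live_data-public-eu-west-2c": "18.132.208.127",
}

# Same JMESPath query as the CLI command on this page.
QUERY = ("NatGateways[*].{Name:Tags[?Key==`Name`]|[0].Value,"
         "GatewayId:NatGatewayId,ElasticIP:NatGatewayAddresses[0].PublicIp}")


def fetch_nat_gateways():
    """Run the page's describe-nat-gateways query (needs credentials for core-network-services)."""
    cmd = ["aws", "ec2", "describe-nat-gateways", "--query", QUERY, "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def diff_eips(gateways, documented=DOCUMENTED_EIPS):
    """Compare live Name -> EIP pairs with the documented list.

    Returns {"changed": {name: (documented, live)}, "missing": [names], "unexpected": [names]}.
    A gateway with no Name tag is keyed by its gateway id, so it shows up as unexpected.
    """
    live = {(gw.get("Name") or gw["GatewayId"]): gw.get("ElasticIP") for gw in gateways}
    return {
        "changed": {n: (documented[n], live[n]) for n in documented if n in live and live[n] != documented[n]},
        "missing": sorted(n for n in documented if n not in live),
        "unexpected": sorted(n for n in live if n not in documented),
    }


# Constructed sample in the shape the query returns: gateway ids are placeholders, one gateway
# is absent, and one carries a made-up RFC 5737 address so the check has something to report.
SAMPLE = [
    {"Name": "live_data-public-eu-west-2a", "GatewayId": "nat-placeholder0a", "ElasticIP": "13.41.38.176"},
    {"Name": "live_data-public-eu-west-2b", "GatewayId": "nat-placeholder0b", "ElasticIP": "3.8.81.175"},
    {"Name": "non_live_data-public-eu-west-2a", "GatewayId": "nat-placeholder1a", "ElasticIP": "13.43.9.198"},
    {"Name": "non_live_data-public-eu-west-2b", "GatewayId": "nat-placeholder1b", "ElasticIP": "13.42.163.245"},
    {"Name": "non_live_data-public-eu-west-2c", "GatewayId": "nat-placeholder1c", "ElasticIP": "198.51.100.7"},
]

if __name__ == "__main__":
    result = diff_eips(SAMPLE)  # replace SAMPLE with fetch_nat_gateways() to check the real account
    for kind, items in result.items():
        print(f"{kind}: {items}")
```

Any non-empty "changed" or "unexpected" entry means the table on this page and any downstream allow-lists need updating.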

Last reviewed: 25 November 2025
Review status: Up to date
Owner: #modernisation-platform
