I-ALiRT - IPSec VPN Relay (Draft) #1354

Draft
laspsandoval wants to merge 17 commits into IMAP-Science-Operations-Center:dev from laspsandoval:relay_test

Conversation


@laspsandoval laspsandoval commented May 19, 2026

Change Summary

Overview

Added:

  • Site-to-Site VPN - NOAA (external) → SMCE VPC. How NOAA's traffic enters AWS.
  • NAT Gateway - SMCE VPC → SDS EIP. After VPN termination, the NAT Gateway rewrites the source to a stable EIP, and the SDS Internet Gateway translates the destination EIP to the container's private IP.

File changes

  • stackbuilder.py
    • Created build_smce_relay : provisions a VPN tunnel to NOAA network and a NAT Gateway in the SMCE VPC, allowing NOAA telemetry to flow from NOAA → SMCE (via IPSec VPN) → SDS EIP (via NAT Gateway over public internet), where the SDS Internet Gateway delivers it to the I-ALiRT container.
    • Add route propagation (maybe?)
  • cdk.json
    • Add account and region info for smce
  • app.py
    • Add account deployment info
  • ialirt_processing_construct.py
    • Opens the ECS security group to the SMCE NAT Gateway EIP on TCP port 7565, allowing inbound NOAA telemetry.
  • ialirt_vpn_construct.py
    • Customer Gateway - registers NOAA's border router (IP + ASN) in AWS
    • VPN Connection - creates the IPSec tunnel between the AWS Virtual Private Gateway and NOAA's border router
    • Two tunnels per connection - AWS automatically provisions two tunnels for redundancy
    • This results in two VPN connections (WASH + DENV) with BGP routing (automates routing tables)

Testing

TODO

Notes

  1. Populate SSM parameters in the SMCE account (before deployment):
    /ialirt/noaa-vpn/wash-ip
    /ialirt/noaa-vpn/denv-ip

    Populate Secrets Manager in the SMCE account (before deployment):
    /ialirt/noaa/noaa-vpn-psk

  2. Create the NAT Gateway EIP placeholder in the SDS account (before deployment):
    aws ssm put-parameter --name /ialirt/smce/nat-gw-eip --value "" --type String

  3. Deploy SMCE stack:
    cdk deploy SmceNetworkingStack --context account_name=smce

  4. Retrieve the NAT Gateway EIP from the AWS console:
    VPC → NAT Gateways → select the SMCE NAT Gateway → Elastic IP address

    Store it in the SDS account:
    aws ssm put-parameter --name /ialirt/smce/nat-gw-eip --value "" --type String --overwrite

    One important note: value_from_lookup caches the result in cdk.context.json. After you update the SSM parameter from "" to the real EIP, you'll need to clear the cached value before redeploying so CDK picks up the new value.

  5. Deploy IalirtStack:
    cdk deploy IalirtStack --context account_name=dev

To give NOAA:

  1. LASP IKE Gateway IPs (×2, WASH + DENV) — VPN tunnel endpoints, pulled from AWS after deploying the SMCE stack
  2. LASP ASN
  3. SDS EIP - destination IP NOAA sends traffic to
  4. Port - TCP 7565

Flow

Step 1: NOAA sends data

  • Source IP: NOAA's internal private IP (Wallops/Suitland)
  • Destination IP: Private IP of I-ALiRT ECS host in SDS VPC (10.0.x.x) ← key change

Step 2: NOAA's border router encrypts the packet

  • Router rule: traffic destined for SDS VPC CIDR (10.0.0.0/16) goes through the VPN tunnel
  • Outer envelope: Source=NOAA border router public IP (WASH or DENV), Dest=LASP IKE Gateway (AWS VPN Gateway auto-assigned public IP)

Step 3: Travels across public internet (encrypted)

Step 4: AWS VPN Gateway (SMCE account) decrypts

  • Outer envelope discarded, inner packet restored: Source=NOAA private IP, Dest=10.0.x.x
  • Packet handed into SMCE VPC

Step 5: SMCE VPC route table directs to NAT Gateway

  • Route: 10.0.0.0/16 → VPC peering connection

Step 6: SMCE NAT Gateway performs SNAT

  • Rewrites source: NOAA CaTT private IP → SMCE NAT GW EIP
  • Forwards packet to public internet: Source=SMCE NAT GW EIP, Dest=SDS EIP

Step 7: Travels across public internet

Step 8: SDS Internet Gateway performs DNAT

  • Dest=SDS EIP → private IP of I-ALiRT ECS host

Step 9: Container receives packet
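A pre-deployment check for the cached value_from_lookup problem noted in step 4, added here as an example that is not part of the PR: it finds the cdk.context.json entry that still caches the "" placeholder for /ialirt/smce/nat-gw-eip so it can be dropped before redeploying, and builds the only ingress rule the SDS side should end up with (NAT GW EIP/32, TCP 7565). The CDK cache key format `ssm:account=...:parameterName=...:region=...`, the account id, region and addresses in the sample context are assumptions.

```python
import ipaddress

NAT_GW_EIP_PARAM = "/ialirt/smce/nat-gw-eip"  # SSM parameter name from the PR notes
TELEMETRY_PORT = 7565                         # TCP port the ECS security group opens
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_usable_eip(value: str) -> bool:
    """True for a non-RFC1918 IPv4 address; the '' placeholder and a 10.0.x.x host are not."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in RFC1918)


def stale_lookup_keys(context: dict) -> list:
    """cdk.context.json keys caching an unusable value for the EIP parameter.

    Assumes CDK's SSM lookup cache key format 'ssm:account=<a>:parameterName=<n>:region=<r>'.
    """
    return [
        key for key, value in context.items()
        if key.startswith("ssm:")
        and f"parameterName={NAT_GW_EIP_PARAM}:" in key
        and not is_usable_eip(value)
    ]


def purge_stale_lookups(context: dict) -> tuple:
    """Return (cleaned context, removed keys); the next cdk deploy then re-reads SSM."""
    stale = stale_lookup_keys(context)
    return {k: v for k, v in context.items() if k not in stale}, stale


def ingress_rule(eip: str) -> dict:
    """The SDS-side ingress this relay needs: only the NAT GW EIP (/32), only TCP 7565."""
    if not is_usable_eip(eip):
        raise ValueError(f"refusing to build an ingress rule from {eip!r}")
    return {"protocol": "tcp", "port": TELEMETRY_PORT, "cidr": f"{eip}/32"}


# Constructed sample of a cdk.context.json left over from step 2 (account id, region, IPs made up)
SAMPLE_CONTEXT = {
    "ssm:account=000000000000:parameterName=/ialirt/smce/nat-gw-eip:region=us-west-2": "",
    "ssm:account=000000000000:parameterName=/ialirt/noaa-vpn/wash-ip:region=us-west-2": "203.0.113.10",
}

if __name__ == "__main__":
    cleaned, removed = purge_stale_lookups(SAMPLE_CONTEXT)
    print(f"removed {len(removed)} stale lookup(s); {len(cleaned)} entries kept")
```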

@laspsandoval laspsandoval marked this pull request as draft May 19, 2026 19:54
Copilot AI left a comment

Pull request overview

This PR introduces infrastructure for an I-ALiRT “SMCE relay” path by adding (1) a NOAA→SMCE Site-to-Site IPSec VPN entry point and (2) SMCE→SDS cross-account VPC peering/routing so NOAA telemetry can traverse AWS privately into the SDS environment.

Changes:

  • Add a new SMCE deployment path (account_name=smce) that provisions a dedicated VPC (non-overlapping CIDR), a VGW attachment, NOAA customer gateways, and VPN connections.
  • Add cross-account VPC peering from SMCE to SDS, plus SMCE-side subnet routes and an SDS-side accepter role for auto-acceptance.
  • Open the I-ALiRT processing security group to allow traffic from the SMCE VPC CIDR on the required port.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Summary per file:

  • sds_data_manager/utils/stackbuilder.py: Adds SMCE relay stack builder, creates SDS-side peering accepter role, and wires new VPN/peering constructs.
  • sds_data_manager/constructs/networking_construct.py: Adds configurable VPC CIDR support to avoid overlap for peering.
  • sds_data_manager/constructs/ialirt_vpn_construct.py: New construct to define NOAA customer gateways and VPN connections with specified tunnel options.
  • sds_data_manager/constructs/ialirt_peering_construct.py: New construct to create SMCE→SDS VPC peering and add SMCE-side routing.
  • sds_data_manager/constructs/ialirt_processing_construct.py: Updates I-ALiRT ECS security group rules to allow traffic from SMCE VPC CIDR.
  • cdk.json: Adds SMCE context (region + SMCE account id).
  • app.py: Adds account_name=smce deployment mode and passes SMCE account id into SDS build.

@laspsandoval laspsandoval self-assigned this May 19, 2026
@laspsandoval laspsandoval added this to the May 2026 milestone May 19, 2026
@laspsandoval laspsandoval linked an issue May 19, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

I-ALiRT - Setup VPN tunnel in NASA AWS Account