I-ALiRT - vpn tunnel

[laspsandoval]

Items to provide to NOAA:

• IKE Gateway IPs (AWS auto-assigned tunnel endpoint IPs) (4 of these)
• EIP (already defined) and port number
• AWS default ASN

Items NOAA provides us:

# Retrieve the NOAA VPN pre-shared key from Secrets Manager.
# Store the PSK under the key "psk" in a secret named "noaa-vpn-psk"
# before deploying this stack.
noaa_vpn_psk = (
    secretsmanager.Secret.from_secret_name_v2(
        ialirt_stack, "NoaaVpnPsk", "noaa-vpn-psk"
    )
    .secret_value_from_json("psk")
    .unsafe_unwrap()
)

# Retrieve NOAA's border router IPs from SSM Parameter Store.
# Store these before deploying:
#   aws ssm put-parameter --name "/ialirt/noaa-vpn/wash-ip"
#   --value "<ip>" --type String
#   aws ssm put-parameter --name "/ialirt/noaa-vpn/denv-ip"
#   --value "<ip>" --type String
noaa_wash_ip = ssm.StringParameter.value_from_lookup(
    ialirt_stack, "/ialirt/noaa-vpn/wash-ip"
)
noaa_denv_ip = ssm.StringParameter.value_from_lookup(
    ialirt_stack, "/ialirt/noaa-vpn/denv-ip"
)

• NOAA5026's internal private IP

---

- Step 1: NOAA sends data

The packet has:

• Source IP: NOAA's internal private IP
• Destination IP: the I-ALiRT EIP

- Step 2: NOAA's border router encrypts the packet

The router has a rule: Traffic destined for the I-ALiRT EIP goes through the VPN tunnel

The router wraps the original packet in an encrypted IPSec envelope. The original packet is now sealed inside. The outer envelope has:

• Source IP: NOAA border router public IP (WASH) or (DENV)
• Destination IP: AWS VPN Gateway auto-assigned public IP

- Step 3: Travels across public internet

- Step 4: AWS VPN Gateway decrypts the packet

• Note: NOAA border router public IPs go into the CfnCustomerGateway, which is essentially AWS's record of "this is NOAA's router, trust it.

The AWS VPN Gateway receives the outer envelope and decrypts it using the pre-shared key (PSK stored in Secrets Manager under noaa-vpn-psk)

The outer envelope is discarded. The original inner packet is restored:

• Source IP: NOAA's private internal IP (TBD Wallops/Suitland address)
• Destination IP: the I-ALiRT EIP

The VPN Gateway hands the packet into VPC.

- Step 5: VPC route table directs the packet to Internet Gateway

- Step 6: Internet Gateway translates EIP to private IP

- Step 7: Container receives packet

---

Testing
Deployed a minimal version of the VPN infrastructure to a personal AWS account and verified the IPSec tunnel comes up successfully. Used an EC2 instance running strongSwan as a stand-in for NOAA's border
router, configured with the same IKEv2/AES-256/SHA2-256/DH group14 parameters specified in the NOAA N-Wave ICD. The AWS console confirmed IPSEC IS UP on Tunnel 1, validating that the crypto settings and CDK
construct are correct.

[laspsandoval]

I think we won't need this:

d) The following networks/prefixes requiring access to NOAA resources will be routed to NOAA N-Wave via static routing by LASP:
i) ###.###.##.#/26

if we use BGP

[ahotasu]

@laspsandoval This is a great fix for security purposes, but the system (LASP's IMAP? AWS infrastructure) still won't be covered by an SSP. Is Rachel going to add the AWS infrastructure to LASP's institutional SSP?

[Copilot]

Pull request overview

Adds I-ALiRT Site-to-Site VPN infrastructure for NOAA N-Wave connectivity and wires it into the SDS CDK deployment.

Changes:

• Adds a Virtual Private Gateway and public subnet route propagation.
• Adds a new I-ALiRT VPN construct for NOAA customer gateways and VPN connections.
• Retrieves VPN PSK/router IP configuration and adds a placeholder for NOAA ECS access rules.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
sds_data_manager/utils/stackbuilder.py	Retrieves NOAA VPN configuration and instantiates the VPN construct.
sds_data_manager/constructs/networking_construct.py	Adds VGW creation, VPC attachment, and route propagation.
sds_data_manager/constructs/ialirt_vpn_construct.py	Defines NOAA customer gateways, VPN connections, and tunnel crypto settings.
sds_data_manager/constructs/ialirt_processing_construct.py	Adds a TODO placeholder for NOAA security group ingress.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.