I’m Jim Boyle, HMRC’s Head of Network Architecture. Following Kristian’s blog post on HMRC’s IT Strategy, I want to tell you about how we make sure our Network Strategy supports our IT vision. It’s a bit of a technical subject, so unless you have an interest in network infrastructure and know your ASN from your VRF, this one may not be for you.
Right now HMRC staff work at over 100 locations. Our IT services operate from a small number of secure data centres, provided by strategic partners, which have direct connections to the Public Services Network (PSN). When a colleague needs to access any internal or internet-based service, the network traffic has to trombone via the data centres to the particular service, as shown in the diagram below.
However, as we move to more cloud-based services and provide our staff with rich real-time applications for greater levels of collaboration and to support new and flexible ways of working (in our IT Strategy), we are also changing our approach to network connectivity. This will alleviate the need for network traffic to trombone via dedicated data centres to connect to private cloud or internet based services.
Our new connectivity model has three parts:
- Office Local Area Network
- Core Network connectivity
- Office Network connectivity
We want to be able to achieve network independence from data centre and office physical locations.
Office Local Area Network will provide simplicity of support, scalability and deliver greater flexibility for staff to work anywhere within our buildings via a secure, integrated and collapsed wired and wireless LAN based infrastructure.
Core Network Connectivity will provide a significantly improved internet experience and deliver improved performance to cloud-based services via private or public peering arrangements as well as internet transit capability. This will also provide a Software as a Service Web Gateway capability as well as “always on” protection against Distributed Denial of Service attacks for all inbound traffic.
To save money we’ll revert back to a PSN gateway model, which several other departments adopted, rather than our current direct PSN connect model from every location.
We will provide a VPN gateway hub to handle interconnections between various cloud providers (maximum of 5), although office-to-cloud-provider connections will use a direct IPsec VPN tunnel.
Office Network Connectivity will allow us to reduce reliance on the PSN and provide a separate circuit at our office locations supporting both a private VRF and a publicly addressable VRF to support a local office internet breakout. Although we’ll still have some office PSN connectivity for access to particular applications, this will be constrained to a small number of locations.
When we complete the final network transformation the network will look something like this.
Our journey so far
- We have a /18 IPv4 address space and an ASN registered with RIPE which by default means we are an Internet Services Provider, although our immediate plans are being constrained to support HMRC services only
- Our Executive Committee will shortly consider a proposal to join the London Internet Exchange (LINX)
- We have ordered two 10 Gbps connections between our primary data centres and the main LINX Points of Presence
- We are undertaking a LAN procurement exercise to refresh the local office LAN in around 50 of our largest offices, which will include a local office internet breakout
It’s all about supporting our staff in adopting new ways of working with cloud-based services and real-time collaboration using video, audio and document sharing. It also means that, as more of our customers use our digital services, our systems can support them as well as protect our services from the constantly changing online threats.
We’ve made great progress recently but there’s still a lot more to do. I’ll post more on this blog throughout the year to keep you up to date, so stay tuned if this is an area of interest.