I have had customers asking about this over the past few weeks so hopefully this will clarify things moving forward.
My team have conducted some tests and can see that traffic can flow unhindered between VMs on Assured and VMs on Elevated over their PSN connections without any reliance on external providers making changes.
The PSN has now been flattened by our providers: PSN-A and PSN-P have now merged into a flat PSN.
Point of note – this is not related to ‘End of GCF Services’, this is a completely separate piece of work.
“Is this the end of CDSZ Walled Garden?”
On the face of it, the merger appears to undermine the CDSZ function. The long and short of it is that, in theory, you could bypass the CDSZ Walled Garden by using a PSN connection and connect between Assured and Elevated. However, this would throw up a few considerations:
1. The connection isn’t a short hop in the way that you would create a connection between two environments in e.g. Assured; in Assured the connection between two environments, even over an external network, would be within the UKCloud boundary, as traffic would go over our private links – with this connection between Assured and Elevated via the PSN, the traffic needs to leave UKCloud, go through the Service Provider gateways and then come back into UKCloud. This introduces multiple hops and, in our tests, we could see additional latency due to this. You would also need to think about any security implications regarding data in transit.
2. The PSN can only be used for specific functions, as approved by the PSN Authority by way of the different PSN Codes of Connection. If you wanted to use the PSN for this function it would have to be documented and approved by the PSN Authority before you can do it.
3. Many customers of Elevated do not have a PSN connection and will continue to need the functionality afforded by the CDSZ.
So there we are – you can go round the CDSZ, but it does warrant a serious think about the implications of doing so.
“PSN is now flattened – so what?”
Why is this important? This is paving the way for better collaboration between local government, blue light services and central government departments. This will ultimately improve the lives of UK citizens through more joined-up services, such as counter-terrorism initiatives and centralised intelligence for cross-county cooperation, and it provides plenty of opportunity for us to work together to provide these kinds of services.
“I don’t want my PSN-P services to be reachable from PSN-A – what do I do?”
According to GDS, “PSN-P providers may make PSN-P addresses unreachable to PSN-A network customers only on the instruction of the PSN team. The PSN team will maintain an exceptions list containing those unreachable PSN-P addresses.
If a PSN-P network customer wants its PSN-P addresses to be unreachable to PSN-A network customers, the PSN-P network customer must make a request for this to the PSN Team via the PSN team contact centre. If the request is approved, the PSN team will notify all PSN-P providers.
If 2 PSN-P network customers are on the same subnet, one of which wants to be on the exceptions list, then the PSN team will decide what action needs to be taken, and by who, to achieve the exception.”