ACE
The Azure Connected Environment (ACE) is an accreditable and supported Hyperscale Public Cloud environment available to MoD customers who want to migrate and modernise their applications.
It is suitable for workloads up to OFFICIAL-SENSITIVE (including all caveats and descriptors) and is hosted within Authority Zone 3 (AZ3).
There are multiple tenants in ACE; at onboarding, the MODCloud Customer Engagement team will advise which tenant best suits a customer's use case:
- iACE sits within the iACE Tenant and is available in both the Baseline and Enhanced Service Offerings
- ACE sits within the MODNET Tenant, is MODNET-facing only, and is available in the Enhanced Service Offering only
ACE Baseline Service Offering
MODCloud build an Azure subscription that has well-defined configuration and security boundaries in place and enforced. Boundaries and security layers are assessed against the Center for Internet Security (CIS) Benchmarks.
Customers will be responsible for building out all the infrastructure for their application, and for managing and delivering a service fully compliant with JSP 604. This includes providing their own protective monitoring, anti-virus, inbound and outbound network security, and user and permissions management. Role/user/group assignments are managed by MODCloud on behalf of the customer. The Baseline Service Offering gives customers more autonomy to deploy and utilise Platform as a Service (PaaS) services and machine images that are not currently supported by MODCloud.
Customers can access their subscription via the Azure Portal or the Azure API.
Consumable Cloud Services
Customers can consume any of the Azure Cloud services available, but they will need to obtain appropriate accreditation to use them.
Provided Operating Systems (Golden Images)
MODCloud provides a library of endorsed, assessed and managed Golden Images. Use of these Golden Images is not mandated in the Baseline Service Offering, but they are available for use. Customers wanting to use operating systems outside of the accredited list will need to obtain appropriate accreditation to use them.
Connectivity
iACE provides Microsoft Azure services with end-user connectivity from the MoD Core Network (MCN) via the Boundary Protection Service (BPS). Traffic is currently limited to HTTP/S.
End users can access externally published websites via the internet and MODNET.
Developers will need to use internet-facing machines to access their subscriptions.
Access to administer the platform itself is not yet possible from MODNET and must be from an internet-facing machine that complies with the National Cyber Security Centre (NCSC) Cyber Essentials certification or equivalent (the Security Operating Procedures (SyOPs) provide more information).
ACE Enhanced Service Offering
Customers will receive an Azure subscription, for which MODCloud will retain the root credentials and a number of roles including an Administrator role. MODCloud will provide a Virtual Network (VNet) connected to the Core Security Services, including anti-virus and Security Information and Event Management (SIEM) systems.
MODCloud will also build out the public ingress routes, such as how admins and application users will securely access applications and services. Customers will then be responsible for deploying the private subnets, Network Security Groups (NSGs) and Virtual Machines. These will be based on the mandated Golden Images available within a customer's subscription.
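The NSG rules a customer deploys in either offering (the inbound and outbound network security of the Baseline Service Offering, the private subnets and NSGs of the Enhanced Service Offering) have to respect two constraints stated on this page: end-user traffic via BPS is currently limited to HTTP/S, and the subscription is assessed against the CIS Benchmarks, which among other things flag SSH and RDP exposed to the Internet. The following is an added example, not MODCloud code, of a pre-deployment audit that evaluates a rule set the way Azure does (ascending priority, first match wins, DenyAllInBound at priority 65500 as the implicit default) and reports internet-reachable ports that breach either constraint. Rule dictionaries use the field names of the securityRules array in an ARM template for Microsoft.Network/networkSecurityGroups; both rule sets, the 203.0.113.10 probe address and the 10.0.1.0/24 jump subnet are constructed placeholders.

```python
"""Pre-deployment audit of customer NSG inbound rules (added example, not MODCloud code)."""
import ipaddress

HTTPS_ONLY = {80, 443}            # page: ingress traffic is currently limited to HTTP/S
MGMT_PORTS = {22, 3389}           # CIS Azure Benchmark: no SSH/RDP open to the Internet
INTERNET_PROBE = "203.0.113.10"   # RFC 5737 documentation address standing in for an internet client

# Azure's implicit DenyAllInBound rule. The other defaults (AllowVnetInBound 65000,
# AllowAzureLoadBalancerInBound 65001) never match internet-sourced traffic and are omitted.
DEFAULT_DENY = {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
                "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}


def ports_of(rule: dict) -> set:
    """Expand destinationPortRange / destinationPortRanges ('443', '1-1024', '*')."""
    specs = list(rule.get("destinationPortRanges", []))
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    ports = set()
    for spec in specs:
        spec = spec.strip()
        if spec == "*":
            return set(range(65536))
        if "-" in spec:
            lo, hi = (int(p) for p in spec.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(spec))
    return ports


def source_matches(rule: dict, client_ip: str) -> bool:
    """'*' and the Internet tag match; a CIDR matches by containment; any other
    service tag (VirtualNetwork, AzureLoadBalancer, ...) is treated as not matching,
    which is correct for traffic arriving from outside the VNet."""
    prefixes = list(rule.get("sourceAddressPrefixes", []))
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    ip = ipaddress.ip_address(client_ip)
    for prefix in prefixes:
        if prefix in ("*", "Internet"):
            return True
        try:
            if ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            pass  # a service tag, not an address or CIDR
    return False


def effective_access(rules: list, client_ip: str, port: int, protocol: str = "Tcp") -> str:
    """First-match NSG evaluation in ascending priority order: returns 'Allow' or 'Deny'."""
    for rule in sorted(rules + [DEFAULT_DENY], key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if port in ports_of(rule) and source_matches(rule, client_ip):
            return rule["access"]
    return "Deny"  # not reached: DEFAULT_DENY always matches


def audit_inbound(rules: list, probe_ports=(22, 80, 443, 3389, 8080)) -> list:
    """Report internet-reachable ports that breach the HTTP/S-only or CIS constraints."""
    findings = []
    for port in probe_ports:
        if effective_access(rules, INTERNET_PROBE, port) != "Allow":
            continue
        if port in MGMT_PORTS:
            findings.append(f"CIS: management port {port} is reachable from the Internet")
        elif port not in HTTPS_ONLY:
            findings.append(f"HTTP/S only: port {port} is reachable from the Internet")
    return findings


# Constructed sample 1: the HTTPS rule is fine on its own, but a leftover
# "allow everything for testing" rule has a lower priority number and wins.
WEAK_RULES = [
    {"name": "AllowHttpsIn", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "TempAllowAll", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample 2: HTTPS from the Internet, RDP only from an assumed
# jump subnet (10.0.1.0/24 is a placeholder), explicit deny for everything else.
HARDENED_RULES = [
    {"name": "AllowHttpsIn", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowRdpFromJump", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "3389"},
    {"name": "DenyAllIn", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_inbound(rules) or ['no findings']}")
```

The weak set shows why rule ordering, not just rule content, has to be reviewed: AllowHttpsIn is exactly what the page asks for, but TempAllowAll sits at priority 100 and is evaluated first, so SSH, RDP and 8080 are all reachable from the Internet. The hardened set passes because the only broad-source allow is 443 and RDP is reachable solely from the jump subnet's CIDR. To use it on a real template, pass the securityRules array from your own NSG resource to audit_inbound before raising the deployment.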
Customers can access their subscription via the Azure Portal, Azure API or OpenVPN (iACE only).
Consumable Cloud Services
MODCloud offer a selection of Azure Cloud services. The services available in the Enhanced Service Offering are those that have been assessed and accredited as part of the service wrap.
Provided Operating Systems (Golden Images)
MODCloud provides a library of endorsed, assessed and managed Golden Images that are mandated for use in Enhanced Service Offering.
Connectivity
As there are multiple tenants in ACE, connectivity differs depending on the tenant.
iACE provides Microsoft Azure services with end-user connectivity from the MoD Core Network (MCN) via the Boundary Protection Service (BPS). Traffic is currently limited to HTTP/S.
End users can access externally published websites via the internet and MODNET.
Developers will need to use internet-facing machines to access their subscriptions.
Access to administer the platform itself is not yet possible from MODNET and must be from an internet-facing machine that complies with the National Cyber Security Centre (NCSC) Cyber Essentials certification or equivalent (the Security Operating Procedures (SyOPs) provide more information).
ACE provides Microsoft Azure services with end-user connectivity from the MCN via the BPS as standard. Traffic is currently limited to HTTP/S. There is an option to request connectivity via ExpressRoute instead of BPS. ExpressRoute creates private connections between Azure data centres and on-premises infrastructure over a dedicated private link. For MODCloud, this is from MODNET to MODCloud ACE via a dedicated list of ports and protocols. It is not provided by default and must be enabled via a Change Request.
End users can access externally published websites via the internet and MODNET, provided a Change Request for ExpressRoute is approved and the connection set up.
Developers will need to use MODNET machines to access their subscriptions.
Access to administer the platform itself is not yet possible from the internet and must be from a MODNET machine that complies with the NCSC Cyber Essentials certification or equivalent (the SyOPs provide more information).
ExpressRoute for iACE is currently being progressed, but will require the Enhanced Service Offering.