Site-to-Site VPN

Scaleway Site-to-Site VPN connects your infrastructure (on-premise, in a private cloud, or in another public cloud) to your Scaleway VPC with IPsec.

Site-to-Site VPN establishes a private & encrypted tunnel over the public internet using IPsec. It allows your remote infrastructure to securely reach resources hosted in your Scaleway Private Networks without requiring dedicated physical links. This managed solution ensures confidentiality and integrity of through traffic, with a deployment that is simple and cost-effective, even across geographically distributed infrastructure.

You can establish one or multiple VPN tunnels depending on your needs, and take advantage of dynamic routing with BGP to ensure high availability and flexibility across your infrastructure.

Once connection is established with your VPC, Site-to-Site VPN allows you to control BGP route propagation: you can fine-tune which IPv4 or IPv6 prefixes are allowed to flow.

Concepts

VPN Gateway

A VPN gateway is a managed resource that serves IPsec tunnels between your external infrastructure and your Scaleway VPC. Each connection within the gateway represents an IPsec tunnel established over the public internet. A single VPN gateway can host multiple connections.

Customer Gateway

A customer gateway is a logical resource that represents your on-premises network device. It acts as the endpoint of the IPsec tunnel established with the Scaleway VPN gateway. Each customer gateway can be configured with one public IPv4 address, one public IPv6 address, and the ASN of the BGP router used to establish the BGP session over the IPsec tunnel.

This resource is required to define the remote side of the VPN tunnel. Its information will be used during the setup of the connection.

Connection

A connection represents the bridge between your VPN gateway and your customer gateway. One connection can support up to two IPsec tunnels: one over IPv4 and one over IPv6. This allows for a highly available tunnel configuration, provided that both the VPN gateway and the customer gateway have configured public IP addresses through Scaleway resources, using the correct IP version on both ends.

Quickstart

1. Configure your environment variables.

   Note

   This is an optional step that seeks to simplify your usage of the Site-to-Site VPN API.

   Code
   export SCW_SECRET_KEY="<API secret key>"
   export SCW_DEFAULT_REGION="<Scaleway default region>"
   export SCW_PROJECT_ID="<Scaleway Project ID>"

2. Choose a VPN gateway type: VPN gateways come in different shapes, sizes, and pricing. When you create your VPN gateway, you need to specify the required gateway type in the request. Use the following call to get a list of available VPN gateway offer types and their details:

   Code
   curl -X GET \
       -H "X-Auth-Token: $SCW_SECRET_KEY" \
       -H "Content-Type: application/json" \
       "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateway-types"

3. Create a VPN gateway: run the following command to create a VPN Gateway. You can customize the details in the payload to your needs, using the table below to help.

   Code
   curl -X POST \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -H "Content-Type: application/json" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateways" \
     -d '{
       "project_id": "'"$SCW_PROJECT_ID"'",
       "name": "My New Gateway",
       "tags": ["test", "another tag"],
       "gateway_type": "VGW-S",
       "private_network_id": "00cfd222-2402-4598-9438-b12b995e9e80"
     }'

   Parameter	Description	Valid values OR Example
   project_id	ID of project	any valid project UUID
   name	Name for VPN Gateway	desired name for VPN Gateway
   tags	Tags for VPN Gateway	a list of tags
   gateway_type	Offer type for VPN Gateway	any valid offer type string, e.g. VGW-S
   private_network_id	ID of a Private Network (cannot be detach later)	any valid private network UUID

4. Get a list of your VPN gateways: run the following command to get a list of all the VPN gateways in your account, with their details:

   Code
   curl -X GET \
     -H "Content-Type: application/json" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateways"

5. Create a customer gateway: run the following command to create a customer gateway. You can customize the details in the payload to your needs, using the table below to help.

   Code
   curl -X POST \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -H "Content-Type: application/json" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/customer-gateways" \
     -d '{
       "project_id": "'"$SCW_PROJECT_ID"'",
       "name": "My Device",
       "tags": ["test", "another tag"],
       "ipv4_public": "51.158.0.1",
       "asn": "11111"
     }'

   Parameter	Description	Valid values OR Example
   project_id	ID of project	any valid project UUID
   name	Name for Customer Gateway	desired name for Connection
   tags	Tags for Customer Gateway	a list of tags
   ipv4_public	Public IPv4 of Customer Gateway	any valid public ipv4 ip
   asn	BGP ASN of Customer Gateway	any valid asn except reserved scw ASN 12876

6. Create a routing policy: A routing policy is required for each traffic type (IPv4 and/or IPv6) to be supported over the connection.

   Code
   curl -X POST \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -H "Content-Type: application/json" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/routing-policies" \
     -d '{
       "project_id": "'"$SCW_PROJECT_ID"'",
       "name": "my-rp-v4",
       "tags": ["test", "another tag"],
       "is_ipv6": false,
       "prefix_filter_in": [
         "10.0.0.0/8"
       ],
       "prefix_filter_out": [
         "172.16.12.0/24"
       ]
     }'

   Parameter	Description	Valid values OR Example
   project_id	ID of Project	any valid project UUID
   name	Name for routing policy	desired name for Connection
   tags	Tags for routing policy	a list of tags
   is_ipv6	Whether routing policy should be IPv6 or IPv4	true or false
   prefix_filter_in	IP prefixes to accept from the customer gateway (ranges of route announcements to accept)	a list of IP subnets
   prefix_filter_out	IP prefixes to advertise to the customer gateway (ranges of routes to advertise)	a list of IP subnets

7. Create a connection between a VPN gateway and a customer gateway: When your VPN gateway has been provisioned and has active status, you must create a connection.

   Code
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/connections" \
     -d '{
       "project_id": "'"$SCW_PROJECT_ID"'",
       "name": "My New Connection",
       "tags": ["test", "another tag"],
       "vpn_gateway_id": "ec5b8281-0c4f-49ea-a8fd-bd37554f5896",
       "customer_gateway_id": "beba6285-b502-4579-82d6-2815fb1ef1f1",
       "ikev2_ciphers": [{"encryption": "aes256", "integrity": "sha256", "dh_group": "curve25519"}],
       "esp_ciphers": [{"encryption": "aes256gcm", "dh_group": "curve25519"}],
       "bgp_config_ipv4": {
         "routing_policy_id": "3fe0612d-6d61-41a8-87f4-243900e07616"
       }
     }'

   Parameter	Description	Valid values OR Example
   project_id	ID of project	any valid project UUID
   name	Name for Connection	desired name for Connection
   tags	Tags for Connection	a list of tags
   vpn_gateway_id	ID of a VPN Gateway	any valid VPN Gateway UUID
   customer_gateway_id	ID of a Customer Gateway	any valid Customer Gateway UUID
   routing_policy_id	ID of a Routing Policy (same parameter available for bgp_config_ipv6)	any valid Routing Policy UUID

   Refer to the documentationOpen in new context for help with these steps if necessary.

8. Configure your customer gateway device: Configure your real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. It is the physical device represented by your customer gateway. To successfully configure the device, you will need the public IP address(es) of the VPN gateway, the Scaleway ASN (12876) and the pre-shared key of the connection.

9. Enable route propagation: Enable route propagation to prompt the two gateways to initiate BGP sessions and share routing information. This is the final step in allowing traffic to flow across the Site-to-Site VPN connection. Ensure that you replace {connection-id} in the URL with the ID of the connection on which you want to enable route propagation.

   Code
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/connections/{connection-id}/enable-route-propagation"

10. Delete your VPN gateway: run the following command to delete a VPN gateway when you no longer need it. Ensure that you replace {vpn-gateway-id} in the URL with the ID of the VPN gateway you want to delete.

    Code
    curl -X DELETE \
      -H "Content-Type: application/json" \
      -H "X-Auth-Token: $SCW_SECRET_KEY" \
      "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateways/{vpn-gateway-id}"