Site-to-Site VPN

v1alpha1

Introduction

Scaleway Site-to-Site VPN connects your infrastructure (on-premise, in a private cloud, or in another public cloud) to your Scaleway VPC with IPsec.

Site-to-Site VPN establishes a private & encrypted tunnel over the public internet using IPsec. It allows your remote infrastructure to securely reach resources hosted in your Scaleway Private Networks without requiring dedicated physical links. This managed solution ensures confidentiality and integrity of through traffic, with a deployment that is simple and cost-effective, even across geographically distributed infrastructure.

You can establish one or multiple VPN tunnels depending on your needs, and take advantage of dynamic routing with BGP to ensure high availability and flexibility across your infrastructure.

Once connection is established with your VPC, Site-to-Site VPN allows you to control BGP route propagation: you can fine-tune which IPv4 or IPv6 prefixes are allowed to flow.

Note

This product is currently in Private Beta.

Concepts

VPN Gateway

A VPN gateway is a managed resource that serves IPsec tunnels between your external infrastructure and your Scaleway VPC. Each connection within the gateway represents an IPsec tunnel established over the public internet. A single VPN gateway can host multiple connections.

Customer Gateway

A customer gateway is a logical resource that represents your on-premises network device. It acts as the endpoint of the IPsec tunnel established with the Scaleway VPN gateway. Each customer gateway can be configured with one public IPv4 address, one public IPv6 address, and the ASN of the BGP router used to establish the BGP session over the IPsec tunnel.

This resource is required to define the remote side of the VPN tunnel. Its information will be used during the setup of the connection.

Connection

A connection represents the bridge between your VPN gateway and your customer gateway. One connection can support up to two IPsec tunnels: one over IPv4 and one over IPv6. This allows for a highly available tunnel configuration, provided that both the VPN gateway and the customer gateway have configured public IP addresses through Scaleway resources, using the correct IP version on both ends.

Quickstart

Configure your environment variables.

Note

This is an optional step that seeks to simplify your usage of the Site-to-Site VPN API.

export SCW_SECRET_KEY="<API secret key>"
export SCW_DEFAULT_REGION="<Scaleway default region>"
export SCW_PROJECT_ID="<Scaleway Project ID>"

Choose a VPN gateway type: VPN gateways come in different shapes, sizes, and pricing. When you create your VPN gateway, you need to specify the required gateway type in the request. Use the following call to get a list of available VPN gateway offer types and their details:

curl -X GET \
    -H "X-Auth-Token: $SCW_SECRET_KEY" \
    -H "Content-Type: application/json" \
    "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateway-types"

Create a VPN gateway: run the following command to create a VPN Gateway. You can customize the details in the payload to your needs, using the table below to help.

curl -X POST \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -H "Content-Type: application/json" \
  "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateways" \
  -d '{
    "project_id": "'"$SCW_PROJECT_ID"'",
    "name": "My New Gateway",
    "tags": ["test", "another tag"],
    "gateway_type": "VGW-S",
    "private_network_id": "00cfd222-2402-4598-9438-b12b995e9e80"
  }'

Parameter	Description	Valid values OR Example
project_id	ID of project	`any valid project UUID`
name	Name for VPN Gateway	`desired name for VPN Gateway`
tags	Tags for VPN Gateway	`a list of tags`
gateway_type	Offer type for VPN Gateway	`any valid offer type string, e.g. VGW-S`
private_network_id	ID of a Private Network (cannot be detach later)	`any valid private network UUID`

Get a list of your VPN gateways: run the following command to get a list of all the VPN gateways in your account, with their details:

curl -X GET \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateways" \

Create a customer gateway: run the following command to create a customer gateway. You can customize the details in the payload to your needs, using the table below to help.

curl -X POST \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -H "Content-Type: application/json" \
  "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/customer-gateways" \
  -d '{
    "project_id": "'"$SCW_PROJECT_ID"'",
    "name": "My Device",
    "tags": ["test", "another tag"],
    "ipv4_public": " 51.158.0.1",
    "asn": "11111"
  }'

Parameter	Description	Valid values OR Example
project_id	ID of project	`any valid project UUID`
name	Name for Customer Gateway	`desired name for Connection`
tags	Tags for Customer Gateway	`a list of tags`
ipv4_public	Public IPv4 of Customer Gateway	`any valid public ipv4 ip`
asn	BGP ASN of Customer Gateway	`any valid asn except reserved scw ASN 12876`

Create a routing policy: A routing policy is required for each traffic type (IPv4 and/or IPv6) to be supported over the connection.

curl -X POST \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -H "Content-Type: application/json" \
  "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/routing-policies" \
  -d '{
    "project_id": "'"$SCW_PROJECT_ID"'",
    "name": "my-rp-v4",
    "tags": ["test", "another tag"],
    "is_ipv6": false,
    "prefix_filter_in": [
      "10.0.0.0/8"
    ],
    "prefix_filter_out": [
      "172.16.12.0/24"
    ]

Parameter	Description	Valid values OR Example
project_id	ID of Project	`any valid project UUID`
name	Name for routing policy	`desired name for Connection`
tags	Tags for routing policy	`a list of tags`
is_ipv6	Whether routing policy should be IPv6 or IPv4	`true or false`
prefix_filter_in	IP prefixes to accept from the customer gateway (ranges of route announcements to accept)	`a list of IP subnets`
prefix_filter_out	IP prefixes to advertise to the customer gateway (ranges of routes to advertise)	`a list of IP subnets`


7. **Create a connection between a VPN gateway and a customer gateway**: When your VPN gateway has been provisioned and has **active** status, you must create a connection.
   ```bash
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/connections" \
     -d '{
       "project_id": "'"$SCW_PROJECT_ID"'",
       "name": "My New Connection",
       "tags": ["test", "another tag"],
       "vpn_gateway_id": "ec5b8281-0c4f-49ea-a8fd-bd37554f5896",
       "customer_gateway_id": "beba6285-b502-4579-82d6-2815fb1ef1f1",
       "ikev2_ciphers": [{"encryption": "aes256", "integrity": "sha256", "dh_group": "curve25519"}],
       "esp_ciphers": [{"encryption": "aes256gcm", "dh_group": "curve25519"}],
       "bgp_config_ipv4": {
         "routing_policy_id": "3fe0612d-6d61-41a8-87f4-243900e07616"
       }
     }'

Parameter	Description	Valid values OR Example
project_id	ID of project	`any valid project UUID`
name	Name for Connection	`desired name for Connection`
tags	Tags for Connection	`a list of tags`
vpn_gateway_id	ID of a VPN Gateway	`any valid VPN Gateway UUID`
customer_gateway_id	ID of a Customer Gateway	`any valid Customer Gateway UUID`
routing_policy_id	ID of a Routing Policy (same parameter available for bgp_config_ipv6)	`any valid Routing Policy UUID`

Refer to the documentation for help with these steps if necessary.

Configure your customer gateway device: Configure your real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. It is the physical device represented by your customer gateway. To successfully configure the device, you will need the public IP address(es) of the VPN gateway, the Scaleway ASN (12876) and the pre-shared key of the connection.

Enable route propagation: Enable route propagation to prompt the two gateways to initiate BGP sessions and share routing information. This is the final step in allowing traffic to flow across the Site-to-Site VPN connection. Ensure that you replace {connection-id} in the URL with the ID of the connection on which you want to enable route propagation.

curl -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/connections/{connection-id}/enable-route-propagation"

Delete your VPN gateway: run the following command to delete a VPN gateway when you no longer need it. Ensure that you replace {vpn-gateway-id} in the URL with the ID of the VPN gateway you want to delete.

curl -X DELETE \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  "https://api.scaleway.com/s2s-vpn/v1alpha1/regions/$SCW_DEFAULT_REGION/vpn-gateways/{vpn-gateway-id}"

Regions

The Scaleway Site-to-Site VPN is a regional API, meaning that each call must specify in its path parameters the Region for the resources concerned by the call.

The following Regions are available for Site-to-Site VPN:

Name	API ID
Paris	`fr-par`
Amsterdam	`nl-ams`
Warsaw	`pl-waw`

Going further

For more help using Scaleway Site-to-Site VPN, check out the following resources:

Our main documentation
The #virtual-private-cloud channel on our Slack Community.

VPN Gateways

A VPN gateway is an IPsec peer managed by Scaleway. It can support multiple connections to customer gateways.

GET/s2s-vpn/v1alpha1/regions/{region}/vpn-gateways

POST/s2s-vpn/v1alpha1/regions/{region}/vpn-gateways

GET/s2s-vpn/v1alpha1/regions/{region}/vpn-gateways/{gateway_id}

PATCH/s2s-vpn/v1alpha1/regions/{region}/vpn-gateways/{gateway_id}

DELETE/s2s-vpn/v1alpha1/regions/{region}/vpn-gateways/{gateway_id}

VPN Gateway Types

VPN gateways come in various shapes, sizes and prices, which are described by VPN gateway types. They represent the different commercial offer types for VPN gateways available at Scaleway.

GET/s2s-vpn/v1alpha1/regions/{region}/vpn-gateway-types

Connections

A connection represents the IPsec tunnel between VPN gateway and customer gateway.

GET/s2s-vpn/v1alpha1/regions/{region}/connections

POST/s2s-vpn/v1alpha1/regions/{region}/connections

GET/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}

PATCH/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}

DELETE/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}

POST/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}/detach-routing-policy

POST/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}/disable-route-propagation

POST/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}/enable-route-propagation

POST/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}/renew-psk

POST/s2s-vpn/v1alpha1/regions/{region}/connections/{connection_id}/set-routing-policy

Customer Gateways

A customer gateway represents a Scaleway client's device that communicates with a VPN gateway.

GET/s2s-vpn/v1alpha1/regions/{region}/customer-gateways

POST/s2s-vpn/v1alpha1/regions/{region}/customer-gateways

GET/s2s-vpn/v1alpha1/regions/{region}/customer-gateways/{gateway_id}

PATCH/s2s-vpn/v1alpha1/regions/{region}/customer-gateways/{gateway_id}

DELETE/s2s-vpn/v1alpha1/regions/{region}/customer-gateways/{gateway_id}

Routing Policies

By default, all routes across the Site-to-Site VPN (between VPN gateway and customer gateway) are blocked. Routing policies allow you to set filters to define the IP prefixes to allow.

GET/s2s-vpn/v1alpha1/regions/{region}/routing-policies

POST/s2s-vpn/v1alpha1/regions/{region}/routing-policies

GET/s2s-vpn/v1alpha1/regions/{region}/routing-policies/{routing_policy_id}

PATCH/s2s-vpn/v1alpha1/regions/{region}/routing-policies/{routing_policy_id}

DELETE/s2s-vpn/v1alpha1/regions/{region}/routing-policies/{routing_policy_id}