VPC FAQ
VPC basics
What is the difference between VPC and a Private Network?
A VPC offers layer 3 network isolation. Within each VPC, you can create multiple Private Networks (layer 2) and attach Scaleway resources to them, as long as the resources are in an AZ within the network's region. Resources attached to a Private Network can then communicate between themselves in an isolated and secure network, away from the public internet. VPC routing facilitates communication between resources on the different Private Networks within the VPC.
What is a default VPC?
If you created your Scaleway Project before 13 May 2025, one default VPC was automatically created in it for each region (Paris, Amsterdam and Warsaw). You can now opt to delete these default VPCs, if you wish.
If you created your Scaleway Project after 13 May 2025, default VPCs are no longer pre-created for the Project.
Find out more in our dedicated documentation.
VPC routing
Can I route traffic between different Private Networks on the same VPC?
Yes, VPC routing allows you to automize the routing of traffic between resources in different Private Networks within the same VPC.
Can I route traffic between different Private Networks in different VPCs or different Scaleway Projects?
This is not currently possible. You may consider using a VPN tunnel to achieve this, for example IPsec or WireGuard. Scaleway also offers an OpenVPN InstantApp, making it easy to install a VPN directly on an Instance.
Why can I not route traffic to my Managed Database on another Private Network?
Managed Databases do not currently support VPC routing - see our dedicated documentation
Can I control traffic flow between my VPC's Private Networks?
Yes, use the Network ACL feature to filter packets flowing between the different Private Networks of your VPC. By default, all traffic is allowed to pass, until you start to add rules to the VPC's NACL.
How are NACLs different from security groups?
Security groups filter public traffic on your Instances, whereas NACLs filter traffic to/from Private Networks only.
Private Networks
What are Private Networks?
Layer 2 Private Networks sit inside layer 3 VPCs. Private Networks are a managed cloud service allowing you to create layer 2 ethernet-switched domains.
These domains can also be called virtual LAN (VLAN). They are virtual but completely private local networks that securely connect your Scaleway resources without necessarily exposing them publicly. Scaleway resources including Instances, Elastic Metal servers, Load Balancers, and Databases are all compatible with Private Networks.
Can I connect multiple Private Networks to the same Scaleway resource?
Yes, you can configure multiple Private Networks on the same Scaleway resource. For example, you can connect up to 8 Private Networks to the same Instance. A virtual network interface is created for each Private Network the Instance is attached to. For Elastic Metal, some additional configuration is required: check out our documentation on configuring the network interface.
You can configure:
- Up to 8 Private Networks per Scaleway resource
- Up to 255 Private Networks per Organization
- Up to 512 Scaleway resources per Private Network
What happened to my classic, mono-AZ Private Network?
When VPC and regional Private Networks moved from Public Beta to General Availability, all mono-AZ Private Networks were automatically migrated to be regional. Read the documentation to find out more about the migration process.
How much does it cost to create a VPC, Private Network, or reserved private IP address?
The following resources and features are free of charge:
- VPCs and VPC routing
- Private Networks (except for Elastic Metal servers and Apple silicon)
- Reserved private IP addresses on IPAM
Why can I not delete my Private Network even though it is empty?
You might have a reserved IP address that is blocking the deletion - check out our troubleshooting page.
Do I have to restart a Scaleway resource after adding Private Networks?
No, Private Network interfaces will appear on your resources without any reboot.
Do Private Networks support IPv6?
Yes, when you create a Private Network both an IPv4 and an IPv6 CIDR block are defined. The IPv6 CIDR block is defined automatically and "invisibly" by default at the time of creating the Private Network. It cannot be modified either at the time of creation, or afterward.
It is a /64 block, guaranteed to be unique within the VPC and not overlapping with any of your other Private Networks. Resources that support private IPv6 addressing, e.g. Instances, can then acquire an IPv6 address when they join the Private Network.
Do resources in a Private Network require a public IPv4 address?
No, they do not require a public IPv4 address.
Can resources in a Private Network access the internet without a public IPv4 address?
Yes. You can attach a Public Gateway to your Private Network to provide internet access to your Instances, Elastic Metal servers, and other attached Scaleway resources.
Do non-IP protocols work over Private Networks?
Technically, any ethernet payload should work over Private Networks. However, only IPv4 and IPv6 are officially supported. If you have real use cases for other protocols, let us know by reaching us on the Scaleway Community Slack.
Do Private Networks support IP autoconfiguration?
Yes, DHCP is an inbuilt function of Private Networks and provides IP autoconfiguration for your attached resources. Alternatively, you can use Scaleway IPAM to reserve specific IP addresses on a Private Network and use these to attach resources.
IPAM and IP addressing
What is IPAM?
IP Address Manager (IPAM) is Scaleway’s tool for planning, tracking, and managing the IP address space of Scaleway products. It acts as a single source of truth for the IP addresses of Scaleway resources, and has a number of associated functionalities to help manage your Scaleway IPs, such as the ability to reserve an IP on a Private Network and attach it to a specific resource. See our IPAM FAQ for more details.
Do resources' IP addresses on a Private Network risk changing when allocated by managed DHCP?
With Private Networks' inbuilt managed DHCP, a private IP is allocated when the resource is attached to a Private Network, and released only when the resource is detached or deleted. The IP address remains stable across reboots and long power-offs, and will not change except upon deletion or detachment from the Private Network.
Nonetheless, you can also reserve specific IPs from a Private Network's CIDR block, and use these IPs to attach specific resources, if you prefer. See our documentation on how to reserve IPs.
How can I attach my VMs on a Proxmox cluster on Elastic Metal to a Private Network?
For this purpose use the option of attaching a custom resource to a Private Network, specifying its MAC address. Full instructions for attaching custom resources are in the Private Networks documentation.
You can also reserve a private IP address with IPAM, and use this reserved address to attach a custom resource.