What is a Public Gateway?

Public Gateways sit at the border of Private Networks. They provide services to deal with traffic entering and exiting the network (NAT), and SSH bastion. A Public Gateway can be attached to up to 8 Private Networks and up to 50 Public Gateways are supported per Organization.

The Public Gateway can be configured through the console or the API.

Does the Public Gateway require a public IPv4 address?

No. A public IPv4 address (aka. flexible IP) must be assigned to the Public Gateway at creation time, but you can detach it and delete it afterward if you do not want to use the NAT feature.

Can my Instances and other resources access the internet without a public IPv4 address?

Yes. With NAT enabled, the Public Gateway shares its public IPv4 address (aka. flexible IP) with the Instances and other resources attached to the Private Network, so that they can access the internet. Moreover, the Public Gateway supports static NAT (aka. port forwarding), so that ingress traffic from the public internet can reach Instances on the Private Network. This works by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the Private Network.

What happened to static leases (DHCP reservations) when DHCP moved from the Public Gateway to Private Networks?

On 12 July 2023, DHCP functionality moved from Public Gateways to Private Networks. See our dedicated migration documentation for full details.

Pre-existing static leases created via the Public Gateway were fully migrated and still work for your attached resources on a Private Network. Manual static lease configuration is still available via the API and other devtools, but is no longer available via the Scaleway console.

Why is my Public Gateway labelled as Legacy?

Legacy Public Gateways use a workaround to ensure compatiblity with Scaleway’s IPAM (I P Address Management) tool. IPAM acts as a single source of truth for the IP addresses of Scaleway resources

Your gateway is probably a legacy gateway if you created it prior to 17 October 2023. These gateways will continue to function, but are not natively integrated with IPAM, and you cannot take advantage of features such as IP management via Scaleway’s IPAM API, or fully-isolated Kubernetes Kapsules. You should create a new gateway if you want to benefit from such features.

Find out more about Public Gateways and IPAM.

Do I need a Public Gateway for each Availability Zone (AZ)?

VPC and Private Networks are both regional, meaning they span all AZs across a given region. Even though Public Gateways are zoned and not regional, one Public Gateway attached to a regional Private Network is functionally enough, and will cover the whole region. That is to say a Public Gateway created in PAR-1 can serve Instances in PAR-2 and PAR-3, as long as they are all attached to the same PAR-region Private Network.

I need more than 1Gbps bandwidth for my Public Gateway, what can I do?

Currently the maximum bandwidth available to a Public Gateway is 1Gbps. If you are interested in availability of a Public Gateway with a higher maximum bandwidth, please add or upvote a feature request so that we can monitor demand.

In the meantime, you can add multiple Public Gateways to your Private Network to spread out the traffic flow, if the Instances in your Private Network have a recent kernel. Note that a single TCP stream/connection is unlikely to exceed 1Gbps. Multiple streams/connections are likely to be necessary to fully utilize the available bandwidth of multiple Public Gateways, depending on the capacity of the server at the receiving end. Without multiple streams/connections, the limit of, for example, an S3 GET request will still be 1Gbps.