Public Gateways - Concepts
The Public Gateway can advertise a default route to resources on an attached Private Network, which takes effect when the IP destination address for a packet is not known on the network itself. In effect, resources in a Private Network will know to route packets through the Public Gateway if the destination IP address is not a host on the Private Network itself.
You can choose to activate the advertisement of the default route when attaching a Private Network to a Public Gateway. The default route is propagated through DHCP.
DHCP was previously a functionality of Scaleway Public Gateways, but has now been moved and is integrated directly into Private Networks. Read more about DHCP on Private Networks.
The Domain Name System (DNS) is a naming system for devices connected to the Internet or Private Networks. Most prominently, DNS servers translate text-based domain names (e.g. www.scaleway.com) to numerical IP addresses (e.g. 18.104.22.168).
Private Networks benefit from managed DNS, which resolves the hostnames of attached resources into their IP addresses. The hostname for a given device is generally the name defined when creating the resource (and which in the case of an Instance, for example, displays in the shell when connected to that resource by SSH). When a Private Network is attached to a Public Gateway however, the gateway’s DNS takes priority over that of the Private Network, to allow host name resolution across different Private Networks.
Flexible IP addresses are public IP addresses associated with your account, which you can hold independently of any created resource. When you create a Public Gateway, it receives a flexible (public) IP address by default. You can detach, reattach and migrate your flexible IPs between your Public Gateways at your convenience. Note however that each Public Gateway must have a public IP attached to it, so if you detach one flexible IP from the Public Gateway you must attach another.
Flexible IPs exist for many resources (Instances, Elastic Metal servers, Load Balancers etc). Note however that each of these sets of flexible IPs is independent, and usable only with that product. Instance flexible IPs cannot be attached to Elastic Metal servers or Public Gateways, and vice versa.
When you delete a flexible IP address, it is disassociated from your account to be used by other users.
IPAM is Scaleway’s IP Address Management tool. Read more about it in our VPC documentation.
Scaleway Public Gateways are either in Legacy mode or IPAM mode. The mode of each of your gateways is displayed via a badge in the gateway listing page of the Scaleway console.
Legacy Public Gateways use a workaround to ensure IPAM compatibility. Your gateway is a legacy gateway if:
- You created it via the Scaleway console prior to 17 October 2023
- You created it via the Scaleway API or devtools prior to 17 October 2023, and you did not use the
ipam_configobject when creating the GatewayNetwork (attachment to a Private Network).
is_legacy Gateway parameter will have a value of
Private Networks attached to legacy Public Gateways must stay in the gateway’s auto-created VPC to ensure basic IPAM compatibility.
IPAM Public Gateways are fully and natively integrated with the Scaleway IPAM without any workaround. Your gateway is in IPAM mode if:
- You created it via the Scaleway console on or after 17 October 2023
- You created it via the Scaleway API or devtools using the
ipam_configobject, and the auto-calculated
is_legacyGateway parameter has a value of
You cannot “migrate” a legacy Public Gateway to become an IPAM-mode gateway. While legacy Public Gateways continue to function thanks to our workaround, you cannot modify them to become natively integrated IPAM networks. If you wish to have an IPAM-mode Public Gateway, for example to benefit from IP management via Scaleway’s IPAM API as more features become available, or to use Kapsule with full isolation, you must create a new gateway.
When creating a Kubernetes Kapsule cluster with full isolation you are required to attach a Public Gateway to the cluster’s Private Network, and this cannot be a legacy Public Gateway - it must be an IPAM-mode gateway.
Network Address Translation (NAT) maps private IP addresses in a Private Network to the public IP address of the Public Gateway. Private IP addresses are not routable on the public Internet, so NAT makes it possible for them to securely communicate with the Internet via the gateway. There are two types of NAT:
Dynamic NAT enables egress traffic from a Private Network to the public Internet by dynamically, automatically mapping the outgoing traffic IP addresses and ports with the public IP address and ports of the Public Gateway. Dynamic NAT is automatically activated for all Public Gateways attached to Private Networks.
Static NAT enables ingress traffic from the public Internet towards devices on a Private Network by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the Private Network. You can optionally add Static NAT configurations to your Public Gateway.
See our documentation on reviewing and configuring NAT for more information.
Private IP address
Private IP addresses identify devices on local/Private Networks. They are not routed on the Internet - if you enter the private IP address of an Instance into a random browser connected to the Internet, it will not connect to anything. This is because a private IP address is only relevant within a particular local network. Devices within a local network can communicate securely between themselves via their private IP addresses.
Public IP address
Public IP addresses identify devices on the Internet. You can enter the public IP address of an Instance into any browser connected to the Internet, and access content being served from that Instance. You can think of public IP addresses like postal addresses for buildings - they are unique, and tell the routers directing traffic through the Internet where to find a particular server.
Region and Availability Zone
A region is a geographical area such as France (Paris:
fr-par) or the Netherlands (Amsterdam:
nl-ams) in which Scaleway products and resources are located. It can contain multiple Availability Zones.
An Availability Zone refers to the geographical location within a region, such as
waw-1 (Warsaw, Poland), in which your Scaleway resource will be created. The latency between multiple AZs of the same region is low, as they have a common network layer.
For an extensive list of which regions and AZ a resource is available in, refer to our Product availability guide.
SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all the SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure.
Tags let you organize your Public Gateways. You can assign as many tags as you want to each gateway, and use this feature to identify, sort and filter them.