Jump toSuggest an edit

Public Gateways - Concepts

Reviewed on 29 April 2024

Default route

The Public Gateway can advertise a default route to resources on an attached Private Network, which takes effect when the IP destination address for a packet is not known on the network itself. In effect, resources in a Private Network will know to route packets through the Public Gateway if the destination IP address is not a host on the Private Network itself.

You can choose to activate the advertisement of the default route when attaching a Private Network to a Public Gateway. The default route is propagated through DHCP.


DHCP was previously a functionality of Scaleway Public Gateways, but has now been moved and is integrated directly into Private Networks. Read more about DHCP on Private Networks.


The Domain Name System (DNS) is a naming system for devices connected to the internet or Private Networks. Most prominently, DNS servers translate text-based domain names (e.g. to numerical IP addresses (e.g.

Private Networks benefit from managed DNS, which resolves the hostnames of attached resources into their IP addresses. The hostname for a given device is generally the name defined when creating the resource (and which in the case of an Instance, for example, displays in the shell when connected to that resource by SSH). When a Private Network is attached to a legacy Public Gateway however, the gateway’s DNS takes priority over that of the Private Network, to allow hostname resolution across different Private Networks.

Flexible IP

Flexible IP addresses are public IP addresses associated with your account, which you can hold independently of any created resource. When you create a Public Gateway, it receives a flexible (public) IP address by default. You can detach, reattach and migrate your flexible IPs between your Public Gateways at your convenience. Note that:

  • Each Public Gateway must have a public IP attached to it, so if you detach one flexible IP from the Public Gateway you must attach another.
  • Public Gateway flexible IPs are unique to Public Gateways, and cannot be used with other products (and vice versa).
  • Public Gateways are not compatible with IPv6, so its flexible IP is necessarily IPv4.

IP address

An Internet Protocol address is a unique address that identifies a device on the internet (public) or a local network (private). Generally, IP addresses can be IPv4 or IPv6, but Public Gateways are currently compatible only with IPv4. Every Public Gateway must necessarily have a public flexible IP address, and will have a private IP address on each Private Network it is attached to.

IP mobility

Scaleway is implementing IP mobility across its resources. This entails changing the way that we internally map public IP addresses to physical machines and the virtual resources they host. Previously, a highly available NAT (Network Address Translation) solution was used to make IP addresses move with the attached Public Gateway between physical machines. Now, all Public Gateways use a more efficient and future-proof routed IP solution. In time, this will bring new benefits such as support for IPv6 on Public Gateways.


IPAM is Scaleway’s IP Address Manager tool. Read more about it in our dedicated IPAM documentation.

Scaleway Public Gateways are either in Legacy mode or IPAM mode. The mode of each of your gateways is displayed via a badge in the gateway listing page of the Scaleway console.

Legacy Public Gateways use a workaround to ensure IPAM compatibility. Your gateway is a legacy gateway if:

  • You created it via the Scaleway console prior to 17 October 2023
  • You created it via the Scaleway API or devtools prior to 17 October 2023, and you did not use the ipam_config object when creating the GatewayNetwork (attachment to a Private Network).

The auto-calculated is_legacy Gateway parameter will have a value of true.


Private Networks attached to legacy Public Gateways must stay in the gateway’s auto-created VPC to ensure basic IPAM compatibility.

IPAM Public Gateways are fully and natively integrated with the Scaleway IPAM without any workaround. Your gateway is in IPAM mode if:

  • You created it via the Scaleway console on or after 17 October 2023
  • You created it via the Scaleway API or devtools using the ipam_config object, and the auto-calculated is_legacy Gateway parameter has a value of false.

You cannot “migrate” a legacy Public Gateway to become an IPAM-mode gateway. While legacy Public Gateways continue to function thanks to our workaround, you cannot modify them to become natively integrated IPAM networks. If you wish to have an IPAM-mode Public Gateway, for example to benefit from IP management via Scaleway’s IPAM API as more features become available, or to use Kapsule with full isolation, you must create a new gateway.


When creating a Kubernetes Kapsule cluster with full isolation you are required to attach a Public Gateway to the cluster’s Private Network, and this cannot be a legacy Public Gateway - it must be an IPAM-mode gateway.

Legacy gateway



Network Address Translation (NAT) maps private IP addresses in a Private Network to the public IP address of the Public Gateway. Private IP addresses are not routable on the public Internet, so NAT makes it possible for them to securely communicate with the internet via the gateway. There are two types of NAT:

  • Dynamic NAT enables egress traffic from a Private Network to the public internet by dynamically, automatically mapping the outgoing traffic IP addresses and ports with the public IP address and ports of the Public Gateway. Dynamic NAT is automatically activated for all Public Gateways attached to Private Networks.

  • Static NAT enables ingress traffic from the public internet towards devices on a Private Network by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the Private Network. You can optionally add Static NAT configurations to your Public Gateway.

See our documentation on reviewing and configuring NAT for more information.

Private IP address

Private IP addresses identify devices on local/Private Networks. They are not routed on the internet. When you attach a Public Gateway to a Private Network, it will automatically receive a private IPv4 address on that network, and can communicate securely with other attached resources via their private IP addresses. As Public Gateways are not compatible with IPv6, they will not receive a private IPv6 address on the network.

Private Network

See the VPC documentation.

Public Gateway

Public Gateways sit at the border of Private Networks and provide a secure point of entry from the public internet to your infrastructure. They also offer extra functionality, including NAT and SSH bastion. You can add a Public Gateway to each of your Private Networks.

Public IP address

Public IP addresses identify devices on the internet. You can enter the public IP address of an Instance into any browser connected to the Internet, and access content being served from that Instance. Public IP addresses are like postal addresses for buildings - they are unique, and tell the routers directing traffic through the internet where to find a particular server.

Region and Availability Zone

A region is a geographical area, such as France (Paris: fr-par) or the Netherlands (Amsterdam: nl-ams), in which Scaleway products and resources are located. It can contain multiple Availability Zones.

An Availability Zone refers to the geographical location within a region, such as waw-1 (Warsaw, Poland), in which your Scaleway resource will be created. The latency between multiple AZs of the same region is low, as they have a common network layer.

For an extensive list of which regions and AZ a resource is available in, refer to our Product availability guide.

Routed IP

See IP mobility.

SSH bastion

SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all the SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure.


Tags let you organize your Public Gateways. You can assign as many tags as you want to each gateway, and use this feature to identify, sort and filter them.

Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway