Jump toSuggest an edit

VPC - Concepts

Reviewed on 19 February 2024Published on 06 February 2023

CIDR block

A Classless Inter-Domain Routing (CIDR) block represents a range of IP addresses. They all share the same network prefix. An example of an IPv4 CIDR block is, while an IPv6 CIDR block looks like fd12:3456:789a:1::/64.

The two parts of a CIDR block are:

  • The prefix, which represents an IP address.
  • The suffix, which consists of a slash and a number that represents the network size. This is also known as the prefix length or subnet mask bit size. It states how many bits of the prefix/IP address are used to designate the network itself, with the remaining bits therefore being available to designate specific hosts on the network.

An IPv4 CIDR block and an IPv6 CIDR block are defined for each Scaleway Private Network at the time of creation. When you attach a resource (e.g. an Instance, an Elastic Metal server or a Load Balancer) to the network, DHCP will assign one IPv4 and (if the resource is IPv6-compatible) one IPv6 address from the designated blocks to that resource. This way, each resource automatically gets a private IPv4 and IPv6 address on the Private Network.

IP addresses from within a given subnet (that is to say, allocated from a certain CIDR block that is used for a certain Private Network) display with a slash at the end. In the case of an IPv4 address, this could look like This format encapsulates information both about the IP address itself, and which subnet it is from. If you configure an Instance manually with this address, it sets both the correct IP and a route to the correct subnet.

Default VPC

Scaleway currently has three regions: Paris, Amsterdam and Warsaw. One default VPC is automatically created for each region, in each Scaleway Project. Any new Private Networks that you create will be added to the default VPC for their region, unless you override this by specifying a different VPC.


Dynamic Host Configuration Protocol (DHCP) is a network management protocol for dynamically assigning IP addresses and other configuration parameters to devices in a Private Network.

Managed DHCP was previously a feature of Scaleway’s Public Gateway, but is now built into Private Networks. A CIDR block representing a range of available IP addresses is defined when creating the Private Network, and when you attach a resource to the network it is assigned a static, private IP address from this subnet. These IP addresses are managed by our internal IPAM, which acts a single source of truth and ensures full consistency. There is no need for users to manually assign private IP addresses to their resources as they join or leave the network.

With managed DHCP, a resource’s IP address will never change as long as that resource is not detached from the Private Network. It remains stable across reboots and long poweroffs. The IP is allocated when the resource is attached, and released only when the resource is detached or deleted.

The IPv4 address of Private Networks’ DHCP server is The IPv6 address is fe80:200:22ff:fe05:ca1e.


While DHCP is built into all new Private Networks, it may not be automatically activated for older Private Networks. Check our migration documentation for more information.


The Domain Name System (DNS) is a naming system for devices connected to the internet or Private Networks. Most prominently, DNS servers translate text-based domain names (e.g. to numerical IP addresses (e.g.

Private Networks benefit from managed DNS, which resolves the hostnames of attached resources into their IP addresses. The hostname for a given device is generally the name defined when creating the resource (and which in the case of an Instance, for example, displays in the shell when connected to that resource by SSH). When a Private Network is attached to a legacy Public Gateway however, the gateway’s DNS takes priority over that of the Private Network, to allow hostname resolution across the different Private Networks it may be attached to.


IP Address Management (IPAM) is a method for planning, tracking and managing the IP address space of a network. Scaleway’s IPAM acts as a single source of truth for the IP addresses of Scaleway resources. Managed products, such as Databases and Load Balancer, are fully integrated into IPAM, and Private Networks’ DHCP server uses IPAM to assign static IP addresses to attached resources such as Instances and Elastic Metal server. We are starting to make some public IPAM functionality available on our IPAM API: check out the documentation for more details.


Internet Protocol Version 4 is the standard protocol used for IP addresses, and routes most internet traffic as of today. Each IPv4 address has 32 bits. Written in human-readable form, an IPv4 address is generally shown as four octets of numbers separated by periods, e.g.

Scaleway Private Networks’ DHCP functionality assigns both an IPv4 and an IPv6 address to its attached resources. Note that IPv4 addresses defined in this way display with a slash at the end, e.g., to encapsulate information both about the IP address itself and which subnet it is from. See the CIDR concept for more information.


Internet Protocol Version 6 is the most recent version of the IP protocol used for IP addresses. Each IPv6 address has 128 bits. Written in human-readable form, an IPv6 address can be shown as eight groups of four hexadecimal digits, each group representing 16 bits and separated by a colon, e.g. 2001:0DB8:0000:0003:0000:01FF:0000:002E. This can also be notated as 2001:DB8::3:0:1FF:0:2E.

Scaleway Private Networks’ DHCP functionality assigns both an IPv4 and an IPv6 address to its attached resources. See the CIDR concept for more information.

Private Networks

Private Networks let you connect Scaleway resources across multiple AZs within the same region. Attached resources can then communicate between themselves in an isolated and secure layer 2 network, away from the public internet.

Dynamic Host Configuration Protocol (DHCP) is built into each Private Network, making it easy to manage the private IP addresses of your resources on the network.

Read our dedicated documentation on creating a Private Network.


Previously, Private Networks at Scaleway were zoned. Only resources from within one defined AZ could be attached to each network. Now, all Private Networks are regional, and resources from any AZ within that network’s region can be attached. “Old” zoned Private Networks have all been automatically migrated to become regional.

While DHCP is built into all new Private Networks, it may not be automatically activated for older Private Networks. Check our migration documentation for more information.

Region and Availability Zone

A region is a geographical area, such as France (Paris: fr-par) or the Netherlands (Amsterdam: nl-ams), in which Scaleway products and resources are located. It can contain multiple Availability Zones.

An Availability Zone refers to the geographical location within a region, such as waw-1 (Warsaw, Poland), in which your Scaleway resource will be created. The latency between multiple AZs of the same region is low, as they have a common network layer.

For an extensive list of which regions and AZ a resource is available in, refer to our Product availability guide.

Route table


This feature is currently in public beta, and only available when you create a new VPC.

A route table is used to manage and control the routing of traffic within a VPC. The routes within a route table tell the VPC where to send traffic trying to get to a specific destination IP address. One line in the route table corresponds to one route. A route consists of:

  • A destination IP or IP range. This specifies that the route applies to traffic with a matching destination IP.
  • A next hop. This specifies where the VPC should forward traffic that is trying to reach the destination IP. If the destination IP falls within the CIDR block of a Private Network, its next hop will be that Private Network, where it will find the attached resource with the specific private IP address specified by the destination. If the destination IP is not known on the VPC (represented by the address), its next hop will be a Public Gateway so that it can reach the public internet (as long as a Public Gateway set to advertise the default route has been attached to the Private Network).
  • A description. This helps to describe the type of route, e.g. Local subnet route for routes to Private Networks, or Default route to internet for routes to Public Gateways.

When deciding which route to apply, the route table reads the routes from most specific to least specific, in terms of destination IP range. The first matching route encountered is the one that determines the path for the traffic. Therefore, a route to destination is applied before a default route to

Scaleway VPC routing supports both IPv4 and IPv6 protocols. Managed routes to Private Networks are simultaneously generated for both IPV4 and IPV6, and both are added to the route table. When reading your route table, a toggle allows you to switch between the default view of IPV4 routes, to an alternative view of IPV6 routes.

When you activate routing on a new VPC, its route table will display in the Routing tab. The route table is populated with routes when you either create a Private Network in the VPC, or attach a Public Gateway to a Private Network and set it to advertise a default route. These routes are fully managed by Scaleway. Currently, only auto-created, managed routes are available, though in the future you will also be able to create your own custom routes. Read more in the routing concept.



This feature is currently in public beta, and only available when you create a new VPC.

Routing allows Private Networks in the same VPC to communicate with each other, via automatically-created and managed routes.

Every time you create a Private Network in a VPC in which you have activated routing, a managed route is automatically created and added to the VPC’s route table. This route allows the VPC to automatically route packets to resources attached to that Private Network, even if they originate from a resource attached to a different Private Network on the VPC.

Managed routes are also automatically added to the VPC’s routing table when you attach a Public Gateway to a Private Network, and tell it to advertise the default route. This type of managed route allows traffic to be forwarded to addresses outside the VPC (i.e. the public internet) via the Public Gateway.


Public Gateways remain scoped to the Private Network to which they are attached. They do not advertise the default route on other Private Networks in the VPC. For example, an Instance attached to Private Network A will not be able to access the internet via a Public Gateway in Private Network B.

Note that routing cannot be deactivated after creation of the VPC. More routing features are planned for the future, including custom routes, routing on existing VPCs and more.

Read more about how routing works in the route table concept, or learn how you can activate this feature in our how-to guide. To understand the current limitations of the feature, see the limitations documentation.


VPC allows you to build your own Virtual Private Cloud on top of Scaleway’s shared public cloud. Within each VPC, you can create Private Networks and attach Scaleway resources to them, as long as the resources are in an AZ within the network’s region.

One default VPC for every available region is automatically created in each Scaleway Project.

VPC currently comprises the Private Networks product. Layer 2 Private Networks sit inside the layer 3 VPC.

More features and resources will be coming to VPC in the future.

Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway