Site-to-Site VPN - Concepts
ASN
An Autonomous System Number (ASN) is a unique identifier assigned to a network or group of networks that operates under a single administrative domain and uses a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using BGP across the VPN. Each BGP peer must have a unique ASN to identify its routing domain.
Border Gateway Protocol (BGP)
Border Gateway Protocol is a standardized gateway protocol that allows autonomous systems to exchange routing information. Site-to-Site VPN uses BGP to facilitate route propagation, so that the VPC gateway and the customer gateway can learn each other's routes.
BGP session
A BGP session is a dynamic routing connection between a customer gateway and a VPN gateway. It uses the Border Gateway Protocol to exchange routing information in real time. It enables automatic updates to network paths, ensuring resilient and adaptive communication across a site-to-site VPN tunnel.
Connection
A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel between the two, including routing policy and encryption method.
Customer gateway
A customer gateway is a logical resource representing the physical or virtual gateway device on the customer (remote) side of a Site-to-Site VPN tunnel.
Customer gateway device
A customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device.
IPsec
Internet Protocol Security (IPsec) is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. In the context of Scaleway Site-to-Site VPN, IPsec provides end-to-end security for traffic flowing through the VPN tunnel between a VPN gateway and a customer gateway.
Pre-shared key (PSK)
A pre-shared key (PSK) is a shared secret string, generated by Scaleway and known to both the VPN gateway and the customer gateway. It is used to verify the identity of both gateways and establish secure, encrypted communication between them. Each PSK generated for Site-to-Site VPN is securely stored in Scaleway Secret Manager.
Routing policy
By default, all routes across a VPN connection are blocked. A routing policy lets you set filters that define which IP prefixes to allow. You can allow multiple outgoing routes and multiple incoming routes per policy.
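As an added illustration (not Scaleway's code), here is a small Python model of how a default-deny routing policy filters the prefixes exchanged in each direction. The policy contents are constructed, and treating a route as allowed when it is equal to or more specific than a listed prefix is an assumption about the matching rule, not documented behaviour.

```python
import ipaddress

# Constructed example policy: prefixes the VPC side may announce to the
# customer gateway (outgoing) and prefixes accepted from it (incoming).
POLICY = {
    "outgoing": ["10.0.0.0/16"],
    "incoming": ["192.168.0.0/16", "172.16.10.0/24"],
}


def _covered(route, allowed):
    # Assumed matching rule: a route passes if it equals, or is more
    # specific than, an allowed prefix of the same IP version.
    return any(route.subnet_of(a) for a in allowed if route.version == a.version)


def filter_routes(routes, direction, policy=POLICY):
    """Return (accepted, rejected) route lists for one direction.

    Default deny: with no allowed prefixes for the direction, every
    route is rejected, mirroring "all routes are blocked" by default.
    """
    allowed = [ipaddress.ip_network(p) for p in policy.get(direction, [])]
    accepted, rejected = [], []
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)  # normalise host bits
        (accepted if _covered(net, allowed) else rejected).append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of routes a customer gateway might advertise.
    advertised = ["192.168.5.0/24", "172.16.10.0/24", "172.16.11.0/24",
                  "0.0.0.0/0", "2001:db8::/32"]
    ok, dropped = filter_routes(advertised, "incoming")
    print("accepted:", ok)
    print("rejected:", dropped)
```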
Route propagation
Route propagation can be activated or deactivated on each VPN connection. When activated, route propagation launches BGP sessions, so the customer gateway and VPN gateway can dynamically exchange route information using the attached routing policies. This allows traffic to flow over the connection. When route propagation is deactivated, no traffic can flow.
Security proposal
A security proposal (also called an IPsec proposal) defines the encryption and authentication methods used to secure an IPsec VPN tunnel. You must define a security proposal when creating a VPN connection.
Site-to-Site VPN
Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol Security (IPsec).
Tunnel
A VPN connection creates a VPN tunnel between a customer gateway and a VPN gateway. This tunnel is established between the two gateways' public IPv4 or IPv6 addresses. The tunnel is secured with IPsec, and traffic can securely flow through it.
VPN gateway
A VPN gateway is a managed resource that acts as a connection point on the Scaleway side of your Site-to-Site VPN tunnel. Each connection within the gateway represents an IPsec tunnel towards a customer gateway, established over the public internet. A single VPN gateway can host multiple connections.