
Establishing a Site-to-Site VPN between Scaleway and AWS

This tutorial explains how to establish a dynamic Site-to-Site (S2S) VPN between Scaleway and AWS using the Scaleway Managed VPN Gateway.

The configuration uses:

  • IPsec over IKEv2
  • BGP for dynamic routing
  • Route propagation between both environments

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account with permissions to manage VPC and VPN resources
  • An AWS account with permissions to manage VPC and VPN resources
  • A VPC configured in both Scaleway and AWS
  • Administrative access to configure both environments

Architecture overview

The connection is established between:

  • A Scaleway Managed VPN Gateway
  • An AWS Virtual Private Gateway
  • A BGP session over an IPsec tunnel

Routes are dynamically exchanged between:

  • Scaleway Private Network CIDR (example: 172.16.64.0/22)
  • AWS VPC CIDR (example: 172.31.0.0/16)

Creating the Scaleway VPN Gateway

  1. Create or select a VPC in the Scaleway console.
  2. Create a Private Network within the VPC.
  3. Deploy a Managed VPN Gateway attached to that Private Network.
  4. Note the following information:
    • The public IPv4 address of the Scaleway VPN Gateway (e.g., 163.172.175.212).
    • The Scaleway ASN: 12876.

Configuring AWS

Create the AWS Customer Gateway

  1. Create a Customer Gateway in the AWS console.
  2. Configure the following parameters:
    • Type: IPsec.
    • IP address: The public IP of your Scaleway VPN Gateway.
    • BGP ASN: 12876.

Create the AWS Virtual Private Gateway

  1. Create a Virtual Private Gateway and attach it to your AWS VPC.

  2. Configure an ASN (e.g., 65000).

    Note

    The ASN configured here must match the ASN defined later in the Scaleway Customer Gateway configuration.

Create the AWS VPN connection

  1. Create a new VPN Connection using the following settings:

    • Routing Priority: Dynamic (requires BGP).
    • Virtual Private Gateway: Select the gateway created above.
    • Customer Gateway: Select the gateway created in the previous step.
  2. After the connection is created, collect the following details:

    • Tunnel public IP (e.g., 13.37.176.32).
    • BGP peer private IP (e.g., 169.254.162.101).
    • Download the Generic configuration file for reference.

Creating the Scaleway Customer Gateway

In the Scaleway console, create a Customer Gateway using:

  • Public IP: The AWS tunnel public IP.
  • ASN: The ASN defined on the AWS Virtual Private Gateway (e.g., 65000).

Configuring BGP routing policy

Define a routing policy in Scaleway to control traffic:

  • Prefix filter in: Enter your AWS VPC CIDR.
  • Prefix filter out: Enter your Scaleway Private Network CIDR.

This ensures that only authorized routes are exchanged.

Configuring the VPN connection in Scaleway

  1. Attach the Scaleway VPN Gateway.

  2. Attach the AWS Customer Gateway.

  3. Enable Route propagation.

  4. Select the Routing policy created in the previous step.

  5. Configure the BGP settings:

    • Provide a private IP within the AWS inside CIDR range.
    • Provide the AWS BGP peer private IP.

    Important

    Both IP addresses must belong to the same /30 subnet provided by AWS in the configuration file.
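As an added example (not part of the Scaleway tutorial), the following Python script checks the two Scaleway-side settings above before you save them: that the inside IP you choose shares the AWS /30 with the AWS peer IP and is a usable host in it, and what the routing policy's prefix filters let through. It uses the example addresses quoted on this page; modelling the prefix filter as "accept any prefix contained in the configured CIDR" is an assumption about the console's exact matching semantics.

```python
import ipaddress

# Constructed inputs, using the example values quoted in this tutorial.
SCW_PRIVATE_NETWORK = "172.16.64.0/22"   # Scaleway Private Network CIDR (prefix filter out)
AWS_VPC_CIDR = "172.31.0.0/16"           # AWS VPC CIDR (prefix filter in)
AWS_BGP_PEER_IP = "169.254.162.101"      # AWS BGP peer private IP from the AWS console


def inside_cidr(aws_peer_ip):
    """Derive the /30 inside CIDR that AWS assigned, from its BGP peer IP."""
    return ipaddress.ip_network(f"{aws_peer_ip}/30", strict=False)


def scaleway_inside_ip(aws_peer_ip):
    """The only other usable host in that /30: the IP to enter on the Scaleway side."""
    net = inside_cidr(aws_peer_ip)
    peer = ipaddress.ip_address(aws_peer_ip)
    return str(next(h for h in net.hosts() if h != peer))


def check_inside_pair(scw_ip, aws_peer_ip):
    """Return a list of problems with the two BGP inside IPs (empty list means OK)."""
    net = inside_cidr(aws_peer_ip)
    scw, aws = ipaddress.ip_address(scw_ip), ipaddress.ip_address(aws_peer_ip)
    problems = []
    if scw == aws:
        problems.append("Scaleway and AWS inside IPs are identical")
    for side, ip in (("Scaleway", scw), ("AWS", aws)):
        if ip not in net:
            problems.append(f"{side} inside IP {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{side} inside IP {ip} is not a usable host in {net}")
    return problems


def apply_prefix_filter(prefixes, allowed_cidr):
    """Model one prefix-filter rule: keep only prefixes contained in allowed_cidr.
    Assumption: the filter accepts covered prefixes, not only an exact match."""
    allowed = ipaddress.ip_network(allowed_cidr)
    return [p for p in prefixes if ipaddress.ip_network(p).subnet_of(allowed)]


if __name__ == "__main__":
    print("Scaleway inside IP:", scaleway_inside_ip(AWS_BGP_PEER_IP))
    print("Problems:", check_inside_pair("169.254.162.100", AWS_BGP_PEER_IP))
    # Constructed route sets: only prefixes inside each VPC CIDR should pass.
    print("Accepted from AWS:", apply_prefix_filter(["172.31.0.0/16", "10.0.0.0/8"], AWS_VPC_CIDR))
    print("Advertised to AWS:", apply_prefix_filter(["172.16.64.0/22", "172.16.0.0/16"], SCW_PRIVATE_NETWORK))
```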

Retrieving and configuring the pre-shared key (PSK)

Scaleway automatically generates a PSK and stores it in Secret Manager when the VPN connection is created.

List the generated VPN secret

Use the Scaleway CLI to find your secret:

scw secret secret list region=fr-par -o json | jq .

Access and decode the PSK

  1. Retrieve the Base64-encoded secret value, using the secret ID from the previous step:

    scw secret version access <SECRET_ID> revision=latest region=fr-par
  2. Decode the value to obtain your cleartext PSK:

    echo '<BASE64_PSK>' | base64 -d

Update the pre-shared key

Access your VPN Tunnel settings in the AWS Console and update the pre-shared key with the decoded value.

Aligning IPsec parameters

Both environments must use identical IPsec settings for the tunnel to establish.

Parameter               Value
IKE Version             IKEv2
Phase 1 Encryption      AES-256
Phase 1 Integrity       SHA2-256
Phase 1 DH Group        14 (MODP2048)
Phase 2 Encryption      AES-256
Phase 2 Integrity       SHA2-256
Phase 2 DH Group        14
Startup Action (AWS)    Start

Verifying the connection

On AWS

In the Tunnel Details tab, verify the following statuses:

  • State: up
  • BGP: Established

On Scaleway

In the VPN connection dashboard, verify the following statuses:

  • TunnelStatus: up
  • BgpStatusIPv4: up

Result

You have successfully established a dynamic Site-to-Site VPN between Scaleway and AWS using:

  • Managed VPN Gateway
  • BGP route exchange
  • Secure IPsec encryption
  • Dynamic route propagation between VPCs

Your VPCs can now communicate securely using BGP for automated route management.
