Establishing a Site-to-Site VPN between Scaleway and AWS with Terraform

This tutorial explains how to establish a dynamic Site-to-Site (S2S) VPN between Scaleway and AWS using the Scaleway Managed VPN Gateway and Terraform.

The configuration uses:

  • IPsec over IKEv2
  • BGP for dynamic routing
  • Route propagation between both environments

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • An AWS account with appropriate permissions
  • Installed Terraform on your local machine
  • Installed and configured the Scaleway CLI (optional, for verification)

Refer to our dedicated repository to see the full code.

Initializing the Scaleway network

The networking foundation is created on Scaleway first, because the public IP address of the Scaleway VPN gateway is needed to create the Customer Gateway object on the AWS side.

Key Terraform resources:

  • scaleway_vpc & scaleway_vpc_private_network
  • scaleway_s2s_vpn_gateway (Type: VGW-S)
Tip

Ensure you output the Public IP of the gateway, as AWS requires this to create the Customer Gateway object.

# Example output to use in AWS configuration
output "vpn_gateway_public_ip" {
  value = data.scaleway_ipam_ip.vpn_gw_public_ip.address
}

Configuring the AWS network and Customer Gateway

Configure the AWS side using the public IP obtained from the Scaleway gateway in the previous section.

Key Terraform resources:

  • aws_vpc & aws_subnet
  • aws_vpn_gateway (The AWS side of the VPN)
  • aws_customer_gateway (The representation of the Scaleway side)

Required settings:

  • BGP ASN for Scaleway: 12876 (set this as bgp_asn in the aws_customer_gateway resource).
  • BGP ASN for AWS: 65000 (set this explicitly as amazon_side_asn on the aws_vpn_gateway resource; if it is omitted, AWS uses its default of 64512, and the Scaleway side must then be configured with that value instead).

Configuring the VPN tunnel

Encryption and BGP parameters must be aligned exactly on both sides. Mismatched settings leave the tunnel in a DOWN state.

  1. Encryption Alignment (IKEv2): The aws_vpn_connection and scaleway_s2s_vpn_connection resources must match:

    • Encryption: AES-256
    • Integrity: SHA2-256
    • DH Group: 14 (MODP2048)
  2. BGP Peering (Inside IPs): Define a /30 Link-Local subnet (e.g., 169.254.131.116/30).

    • AWS Side: takes the first usable IP of the /30 (e.g., .117).
    • Scaleway Side: takes the second usable IP of the /30 (e.g., .118).
If these IPs are swapped, the BGP session will not be established: AWS always assigns itself the first usable address of the inside CIDR, so the Scaleway peer must be given the second.
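The AWS half of the configuration described in the two sections above, written out as one added example (it is not code from the tutorial's repository). It assumes the AWS VPC, subnet and route table are named aws_vpc.main, aws_subnet.main and aws_route_table.main, that the Scaleway gateway's public IP and the PSK arrive as the variables scw_vpn_gateway_public_ip and scw_vpn_psk, and that only tunnel 1 is configured, matching the single /30 in the text; every IKEv2 and BGP parameter below is the value the Scaleway connection must mirror:

```hcl
# Added example, not part of the Scaleway tutorial repository.
# Assumed names: aws_vpc.main, aws_subnet.main, aws_route_table.main,
# var.scw_vpn_gateway_public_ip, var.scw_vpn_psk.

variable "scw_vpn_gateway_public_ip" {
  description = "Public IPv4 address of the Scaleway VPN gateway (output of the Scaleway stack)"
  type        = string
}

variable "scw_vpn_psk" {
  description = "PSK generated by Scaleway; pasted in after the first apply"
  type        = string
  sensitive   = true              # keep it out of plan output
  default     = "placeholder_psk_1" # replaced by the real key on the second apply
  validation {
    # AWS accepts 8-64 characters from [A-Za-z0-9._], not starting with 0.
    condition     = can(regex("^[A-Za-z1-9][A-Za-z0-9._]{7,63}$", var.scw_vpn_psk))
    error_message = "PSK must be 8-64 characters of [A-Za-z0-9._] and must not start with 0."
  }
}

locals {
  scaleway_asn       = "12876"
  aws_asn            = "65000"
  tunnel_inside_cidr = "169.254.131.116/30" # AWS takes .117, Scaleway takes .118
}

resource "aws_vpn_gateway" "main" {
  vpc_id          = aws_vpc.main.id
  amazon_side_asn = local.aws_asn # omit this and AWS falls back to 64512
  tags            = { Name = "to-scaleway" }
}

# Representation of the Scaleway gateway on the AWS side.
resource "aws_customer_gateway" "scaleway" {
  bgp_asn    = local.scaleway_asn
  ip_address = var.scw_vpn_gateway_public_ip
  type       = "ipsec.1"
  tags       = { Name = "scaleway-vgw-s" }
}

resource "aws_vpn_connection" "scaleway" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.scaleway.id
  type                = "ipsec.1"
  static_routes_only  = false # dynamic routing over BGP

  tunnel1_inside_cidr   = local.tunnel_inside_cidr
  tunnel1_preshared_key = var.scw_vpn_psk
  tunnel1_ike_versions  = ["ikev2"]

  # Phase 1 and phase 2 pinned to exactly what the Scaleway connection uses;
  # leaving AWS defaults here lets it negotiate weaker proposals.
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]
}

# Inject the prefix learned over BGP (the Scaleway Private Network) into the subnet route table.
resource "aws_vpn_gateway_route_propagation" "scaleway" {
  vpn_gateway_id = aws_vpn_gateway.main.id
  route_table_id = aws_route_table.main.id
}

# Values the Scaleway customer gateway and connection need from this side.
output "aws_tunnel1_outside_ip" {
  value = aws_vpn_connection.scaleway.tunnel1_address
}

output "aws_tunnel1_inside_ips" {
  value = {
    aws      = aws_vpn_connection.scaleway.tunnel1_vgw_inside_address # .117
    scaleway = aws_vpn_connection.scaleway.tunnel1_cgw_inside_address # .118
  }
}
```

The phase 1 and phase 2 proposals are pinned rather than left at AWS defaults so that the only proposal AWS will offer is the one Scaleway expects; a mismatch then shows up as a DOWN tunnel immediately rather than as a silently weaker negotiated suite. Tunnel 2 is left unconfigured and stays DOWN, which is expected when the Scaleway side terminates a single tunnel.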

Retrieving the PSK and updating AWS

Scaleway automatically generates a secure Pre-Shared Key (PSK) in Secret Manager when the VPN connection resource is created. This key must be extracted to finalize the AWS configuration.

  1. Retrieve the PSK using the Terraform output:

    terraform output -json scw_vpn_psk
  2. Copy the value of the key and set it in your Terraform variables (e.g., in terraform.tfvars). The key now lives in that file and in the Terraform state, so keep both out of version control and mark the variable sensitive so it is not printed in plans:

    scw_vpn_psk = "<PASTE_YOUR_KEY_HERE>"
  3. Run terraform apply again to update the aws_vpn_connection resource with the correct authentication key:

    terraform apply

Verifying the connection

Once terraform apply has completed, verify the health of the connection from both sides.

Using the Scaleway CLI

  1. Get the Connection ID:

    scw s2s-vpn connection list
  2. Check the status:

    scw s2s-vpn connection get <CONNECTION_ID>

The output should return the following values:

  • TunnelStatus: up
  • BgpStatusIPv4: up

Using the AWS console

Navigate to VPC > Site-to-Site VPN Connections. The Tunnel State should show as UP, and the Details tab should indicate 1 BGP ROUTE.

Result

You have successfully established a dynamic Site-to-Site VPN between Scaleway and AWS using:

  • Managed VPN Gateway
  • BGP route exchange
  • Secure IPsec encryption
  • Dynamic route propagation between VPCs