Establishing a Site-to-Site VPN between Scaleway and AWS with Terraform

Tags: vpn, ipsec, bgp, aws, hybrid-cloud

This tutorial explains how to establish a dynamic Site-to-Site (S2S) VPN between Scaleway and AWS using the Scaleway Managed VPN Gateway and Terraform.

The configuration uses:

  • IPsec over IKEv2
  • BGP for dynamic routing
  • Route propagation between both environments

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • An AWS account with appropriate permissions
  • Terraform installed on your local machine
  • Scaleway CLI installed and configured (optional, for verification)

See the full code example: github.com/scaleway/site-to-site-vpn-aws-scw

Step 1 - Initialize the Scaleway network

The networking foundation is established on Scaleway first to generate the public IP address required by AWS.

Key Terraform resources:

  • scaleway_vpc & scaleway_vpc_private_network
  • scaleway_s2s_vpn_gateway (Type: VGW-S)
Tip

Ensure you output the Public IP of the gateway, as AWS requires this to create the Customer Gateway object.

# Example output to use in AWS configuration
output "vpn_gateway_public_ip" {
  value = data.scaleway_ipam_ip.vpn_gw_public_ip.address
}

Step 2 - Configure the AWS network and Customer Gateway

Configure the AWS side using the Public IP obtained from Step 1.

Key Terraform resources:

  • aws_vpc & aws_subnet
  • aws_vpn_gateway (The AWS side of the VPN)
  • aws_customer_gateway (The representation of the Scaleway side)

Required settings:

  • BGP ASN for Scaleway: 12876 (Set this in the aws_customer_gateway resource).
  • BGP ASN for AWS: 65000 (Default for AWS Virtual Private Gateway).

Step 3 - Configure the VPN tunnel

Encryption and BGP parameters must be aligned exactly. Mismatched settings result in a DOWN status.

  1. Encryption Alignment (IKEv2): The aws_vpn_connection and scaleway_s2s_vpn_connection resources must use identical proposals:
  • Encryption: AES-256
  • Integrity: SHA2-256
  • DH Group: 14 (MODP2048)
  2. BGP Peering (Inside IPs): Define a /30 Link-Local subnet (e.g., 169.254.131.116/30).
  • AWS Side: Assigned the first usable IP (e.g., .117).
  • Scaleway Side: Assigned the second usable IP (e.g., .118).

If these IPs are swapped, the BGP session will not establish.

Step 4 - Retrieve the PSK and update AWS

Scaleway automatically generates a secure Pre-Shared Key (PSK) in Secret Manager when the VPN connection resource is created. This key must be extracted to finalize the AWS configuration.

  1. Retrieve the PSK using the Terraform output:
terraform output -json scw_vpn_psk
  2. Copy the value of the key and update your Terraform variables (e.g., in terraform.tfvars):
scw_vpn_psk = "<PASTE_YOUR_KEY_HERE>"
  3. Run terraform apply to update the aws_vpn_connection resource with the correct authentication key:
terraform apply
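As an added example (not code from this page or from the scaleway/site-to-site-vpn-aws-scw repository), the AWS side of Steps 2 to 4 in Terraform, pinning the IKEv2 proposals and the inside /30 so they cannot drift from the values configured on the Scaleway side. It assumes an aws_vpn_gateway.main resource and a scw_vpn_public_ip variable carrying the Step 1 output; the Scaleway resources themselves are not shown.

```hcl
# Added example; aws_vpn_gateway.main and var.scw_vpn_public_ip are assumed
# to be defined elsewhere in the configuration.

variable "scw_vpn_public_ip" {
  description = "Public IP of the Scaleway VPN gateway (Step 1 output)"
  type        = string
}

variable "scw_vpn_psk" {
  description = "PSK copied from `terraform output -json scw_vpn_psk` (Step 4)"
  type        = string
  sensitive   = true # keeps the key out of plan/apply output and logs
}

# Step 2: the Scaleway gateway as seen from AWS
resource "aws_customer_gateway" "scaleway" {
  bgp_asn    = 12876                 # Scaleway's BGP ASN
  ip_address = var.scw_vpn_public_ip # Scaleway gateway public IP
  type       = "ipsec.1"
}

# Steps 3 and 4: tunnel parameters that must match the Scaleway side exactly
resource "aws_vpn_connection" "to_scaleway" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.scaleway.id
  type                = "ipsec.1"
  static_routes_only  = false # routes are exchanged over BGP

  # /30 link-local inside subnet: AWS takes .117, Scaleway takes .118
  tunnel1_inside_cidr   = "169.254.131.116/30"
  tunnel1_preshared_key = var.scw_vpn_psk

  # Restrict the negotiable proposals to the single set Scaleway expects;
  # leaving AWS defaults in place allows weaker proposals to be offered.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]
}
```

Because the PSK variable is marked sensitive, it is redacted from `terraform plan` and `terraform apply` output; it is still stored in the state file, so the state backend must be protected accordingly.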

Step 5 - Verify the connection

Once the Terraform apply is complete, verify the health of the connection.

Using the Scaleway CLI

  1. Get the Connection ID:
scw s2s-vpn connection list
  2. Check the status:
scw s2s-vpn connection get <CONNECTION_ID>

The output should show:

  • TunnelStatus: up
  • BgpStatusIPv4: up

Using the AWS console

Navigate to VPC > Site-to-Site VPN Connections. The Tunnel State should show as UP and the Details tab should indicate 1 BGP ROUTE.

Result

You have successfully established a dynamic Site-to-Site VPN between Scaleway and AWS using:

  • Managed VPN Gateway
  • BGP route exchange
  • Secure IPsec encryption
  • Dynamic route propagation between VPCs