Getting Started with the VPC Public Gateway

VPC Public Gateway Overview

Virtual Private Cloud (VPC) provides network functionalities for your Scaleway cloud. VPC products include:

  • Private Networks, enabling you to build a virtual Layer 2 network between your instances. This means your virtual instances can communicate in an isolated and secure network.
  • Public Gateway, enabling IP autoconfiguration of your private networks and facilitating their communication with the Internet.

In this documentation, we explain some of the core concepts related to the VPC Public Gateway, and describe how to use the VPC Public Gateway product from the Scaleway console.

Requirements:

Core Concepts

Private Networks

Public Gateways sit at the border of private networks. They provide services to automate the allocation of private IP addresses (DHCP) and deal with traffic entering and exiting the network (NAT). You can add a Public Gateway to each of your private networks.

Flexible IP

In order to communicate with the Internet, the Public Gateway must be assigned a public IP address. This address is picked from a pool of addresses called Flexible IPs. Flexible IPs can be attached to and detached from Public Gateways at your convenience. A Flexible IP is required for each active Public Gateway.

DHCP

Dynamic Host Configuration Protocol (DHCP) is a network management protocol for dynamically assigning IP addresses and other configuration parameters to instances in the private network.

A pool of available IP addresses (range) is dynamically shared between instances in the private network. This eliminates the need for users to manually assign IP addresses to their devices as they join or leave the network. Static associations can also be configured to assign specific IP addresses to specific instances, according to their MAC addresses.

It is possible to advertise a default route through the Public Gateway, so that instances on the private network can reach the public Internet thanks to the Public Gateway’s NAT functionality.

Finally, the address of a DNS server can be advertised. This is set by default to the Public Gateway’s IP address, which allows instances in the private network to be contacted by name.

Note: Newer instances support DHCP auto-configuration, learning their IP address and the default route through the gateway automatically. However, older instances may require manual configuration. You should refer to our more advanced documentation for further clarification on these points, and instructions for manual configuration.

NAT

Private IP addresses are not routable on the public Internet. Therefore, instances on a private network require Network Address Translation (NAT) to communicate with the public Internet.

NAT maps private IP addresses in the private network to the public IP address of the Public Gateway. This can then be used to route traffic to and from multiple devices within the private network.

  • Dynamic NAT enables egress traffic from the private network to the public Internet by dynamically and automatically mapping the IP addresses and ports of outgoing traffic to the public IP address and ports of the gateway.

  • Static NAT enables ingress traffic from the public Internet towards instances on the private network by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the private network.

DNS

The Public Gateway acts as a local DNS server for the instances of a private network, resolving instance hostnames to their IP addresses.

Creating a VPC Public Gateway

1. In the console, click on VPC under the Network category in the product sidebar. You are taken to the VPC creation page.

2. Click Create a new Public Gateway to launch the Public Gateway creation wizard.

3. The wizard will now guide you through the configuration of your Public Gateway. Complete the following configuration steps:

  • Choose an Availability Zone: This is the geographical location in which your Public Gateway will be created. Note that in order to attach a Public Gateway to a Private Network, they must be in the same Availability Zone.

  • Select a Public Gateway Type: The type of Public Gateway you choose will impact the pricing and bandwidth of your Gateway.

  • Select an IP: You can choose to assign one of your existing Flexible IPs to your Public Gateway. Otherwise, a new IP will be automatically assigned here.

Note: Public Gateway Flexible IPs are dedicated IPs in the same way as those for Instances. Note that both sets of Flexible IPs are independent. Instance Flexible IPs cannot be attached to Public Gateways and vice versa.

  • Enter a Name and Optional Tags: Enter a name for your Public Gateway, and (optionally) a description and tags.

4. Click Create a Public Gateway.

You are taken to your Public Gateways page. You should see the name of the gateway you just created, in this case “pgw-sharp-lederberg”:

Your Public Gateway has now been created.

Attaching a Public Gateway to a Private Network

1. Ensure that you have already created a Public Gateway.

2. In the console, navigate to the Public Gateways section (click on VPC under the Network category in the product sidebar, then select the Public Gateways tab).

3. Click on the Public Gateway you want to attach to a Private Network. You are taken to the Overview page for that Gateway.

4. Click on the Private Networks tab. A list of Private Networks attached to the Public Gateway displays. If no Private Networks are attached, the list will be empty.

5. Click on the green + sign to attach a new Private Network to the Public Gateway. A pop-up displays.

6. Choose to attach an existing or a new Private Network. The default parameters should be appropriate for most cases (DHCP enabled, subnet automatically computed, NAT enabled). However, if you wish, you can alter them now, or later once you have attached the Public Gateway.

  • If you want to attach an existing Private Network, select Attach an existing Private Network and choose the desired network from the drop-down list.

Note: Only Private Networks which are in the same Availability Zone as the Public Gateway will be displayed in this list.

  • If you want to create and attach a new Private Network, select Attach a new Private Network. A default name will be suggested for you, but feel free to overwrite this with a new name of your choice.

  • Choose whether to Enable or Disable the DHCP server:
    • Enable DHCP: The Public Gateway will dynamically assign IP addresses to instances in the private network. Enabling DHCP also enables the advertisement of a default route and DNS server through the Public Gateway. Both of these options can be disabled later.
    • Disable DHCP: None of the above functionalities will be applied.
  • Choose the subnet you would like to use for this network, e.g. 192.168.42.0/24. You may find the note here helpful if you are having difficulty choosing a subnet.

  • Choose whether to Enable or Disable Dynamic NAT:
    • Enable Dynamic NAT: Private IP addresses in the private network are automatically mapped to the public IP address of the Public Gateway, enabling automatic routing of egress traffic to and from multiple devices within the private network. Note: you will also be able to configure static NAT settings for ingress traffic.
    • Disable Dynamic NAT: The above functionality is not applied.

7. Click on Attach a Private Network to finish. You are taken back to the Private Networks tab, where the network you attached now appears, along with the services configured and the IP address of the Public Gateway.

Your Private Network is now attached to your Public Gateway. You can repeat the steps above to attach more Private Networks to the same Public Gateway if you wish.

Reviewing and reconfiguring DHCP

You can review and (if you wish) modify the DHCP configuration of an existing Public Gateway as follows:

1. From the VPC Public Gateways page of the console, click the Public Gateway whose configuration you wish to modify.

You are taken to the Overview page for that Gateway.

2. Click on the DHCP tab. The DHCP page displays.

3. DHCP is configured per private network. Select a private network from the drop-down menu to review its configuration.

  • Toggle to View DHCP Status to view the current MAC/IP associations (aka DHCP leases).
  • Toggle to Configure DHCP and click Edit to modify the network’s DHCP configuration.

4. You can now modify the following configuration parameters:

  • Enable or disable the DHCP server
  • Change the advertised subnet by specifying a subnet address with a mask. Click Auto to automatically compute a /24 subnet. The minimum subnet size is /28. The Public Gateway is assigned the first address of the subnet.
  • Enable or disable the advertisement of a default route through the Public Gateway
  • Enable or disable the advertisement of a DNS server. By default, the Public Gateway’s IP address is specified, which allows instance names to be resolved to their allocated IP addresses. You can also specify the address of a DNS server of your choice. Clicking Auto will reset this to the Public Gateway’s IP address.

  • Modify the dynamic range used to dynamically assign IP addresses to devices on the network. This range should fall within the configured subnet and should not overlap with the static associations.
  • Create or delete static associations to assign IP addresses based on the MAC addresses of the instance. Statically assigned IP addresses should fall within the configured subnet, but be outside the dynamic range.

5. When you’ve finished your modifications, click the green check button to save your configuration.

Your modifications have been saved.

Note: Newer instances support DHCP auto-configuration, learning their IP address and the default route through the gateway automatically. However, older instances may require manual configuration. You should refer to our more advanced documentation for further clarification on these points, and instructions for manual configuration.
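
The subnet, dynamic range and static association rules from step 4 can be checked before you save a configuration. The following Python sketch is an added example, not Scaleway code; the function name `validate_dhcp` is hypothetical, and it assumes that "first address of the subnet" means the first host address and that the gateway's own address should not be leased.

```python
import ipaddress

def validate_dhcp(subnet, dyn_first, dyn_last, static_leases):
    """Return a list of problems found in a planned DHCP configuration.

    subnet: CIDR string; dyn_first/dyn_last: bounds of the dynamic range;
    static_leases: {mac: ip} static associations (IPv4 only).
    """
    try:
        net = ipaddress.ip_network(subnet)  # rejects host bits, e.g. 192.168.42.1/24
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]
    problems = []
    if net.prefixlen > 28:
        problems.append(f"subnet /{net.prefixlen} is smaller than the /28 minimum")
    # Assumption: "first address of the subnet" means the first host address.
    gateway = net.network_address + 1
    lo, hi = ipaddress.ip_address(dyn_first), ipaddress.ip_address(dyn_last)
    if lo > hi:
        problems.append("dynamic range start is above its end")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"dynamic range {label} {addr} is outside {net}")
    if lo <= gateway <= hi:  # assumption: the gateway address is not leasable
        problems.append(f"dynamic range includes the gateway address {gateway}")
    owners = {}
    for mac, ip in static_leases.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"static {mac} -> {addr} is outside {net}")
        if lo <= addr <= hi:
            problems.append(f"static {mac} -> {addr} is inside the dynamic range")
        if addr in owners:
            problems.append(f"static {mac} -> {addr} duplicates {owners[addr]}")
        owners.setdefault(addr, mac)
    return problems
```

An empty list means the plan satisfies every rule listed above; each string otherwise names one rule that is broken.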

Reviewing and reconfiguring NAT

You can review and (if you wish) modify the NAT configuration of an existing Public Gateway as follows:

1. From the VPC Public Gateways page of the console, click the Public Gateway whose configuration you wish to modify.

You are taken to the Overview page for that Gateway.

2. Click on the NAT tab. The NAT page displays, allowing you to review your NAT configuration.

3. In the Dynamic NAT panel, toggle Dynamic NAT on or off for each Private Network attached to this Public Gateway, as you wish.

4. In the Static NAT panel, click on Add Static NAT to add a new configuration for any Private Network attached to this Gateway. The static NAT configuration screen displays.

5. Add the following information for your new static NAT configuration:

  • Protocol: Choose TCP, UDP or Both from the drop-down menu
  • Public Port: Choose the Public Gateway port you want to use for this mapping
  • Private IP address: Enter the Private IP address of the instance you want to map to. This should be included within one of the configured subnets of an attached private network. Usually, a static DHCP association is used too, to make sure this address does not change.
  • Private Port: Choose which of the instance’s ports you want to map to.

6. When you have finished, click on the green checkmark button to save the configuration.

Your new static NAT configuration is now saved, and displays on the NAT panel:

You can repeat steps 4-6 to add new static NAT configurations as you wish.
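
Each static NAT entry exposes a port to the public Internet, so it is worth auditing the rule set against the constraints in step 5. The following Python sketch is an added example, not Scaleway code: `audit_static_nat` and the rule dictionary layout are hypothetical, the sample data is constructed, and treating a public port as usable by only one rule per protocol is an assumption.

```python
import ipaddress

def audit_static_nat(rules, subnets, static_leases):
    """Return (rule_index, finding) tuples for a set of static NAT rules.

    rules: dicts with protocol ('tcp', 'udp' or 'both'), public_port,
    private_ip, private_port; subnets: CIDRs of the attached private
    networks; static_leases: {mac: ip} static DHCP associations.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    pinned = {ipaddress.ip_address(ip) for ip in static_leases.values()}
    claimed = {}  # (protocol, public_port) -> index of the first rule using it
    findings = []
    for i, rule in enumerate(rules):
        ip = ipaddress.ip_address(rule["private_ip"])
        if not any(ip in n for n in nets):
            findings.append((i, "private IP not in any attached subnet"))
        elif ip not in pinned:
            # Without a static association the address can move to another
            # instance, which would then receive the forwarded traffic.
            findings.append((i, "no static DHCP association for private IP"))
        protos = ("tcp", "udp") if rule["protocol"] == "both" else (rule["protocol"],)
        for proto in protos:
            key = (proto, rule["public_port"])
            if key in claimed:  # assumption: one rule per protocol and public port
                findings.append((i, f"{proto}/{key[1]} already mapped by rule {claimed[key]}"))
            else:
                claimed[key] = i
    return findings

# Constructed sample data, not taken from a real gateway.
SAMPLE_SUBNETS = ["192.168.42.0/24"]
SAMPLE_LEASES = {"02:00:00:00:00:01": "192.168.42.10"}
SAMPLE_RULES = [
    {"protocol": "tcp", "public_port": 443, "private_ip": "192.168.42.10", "private_port": 8443},
    {"protocol": "both", "public_port": 443, "private_ip": "192.168.42.150", "private_port": 443},
    {"protocol": "udp", "public_port": 53, "private_ip": "10.9.9.9", "private_port": 53},
]

if __name__ == "__main__":
    for index, finding in audit_static_nat(SAMPLE_RULES, SAMPLE_SUBNETS, SAMPLE_LEASES):
        print(f"rule {index}: {finding}")
```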

Going further

For more information about the VPC Public Gateway, including troubleshooting information, advice on instance configuration and more advanced tips, refer to Going further with the VPC Public Gateway.
