From 5e1098c963d556b69743de6993e9b1bd17179a1e Mon Sep 17 00:00:00 2001
From: Rowena
Date: Mon, 1 Dec 2025 18:02:38 +0100
Subject: [PATCH 1/4] feat(s2svpn): public beta
---
 pages/site-to-site-vpn/concepts.mdx | 28 +++++++++++++++++++
 pages/site-to-site-vpn/faq.mdx | 8 ++++++
 pages/site-to-site-vpn/index.mdx | 4 +--
 pages/site-to-site-vpn/quickstart.mdx | 8 ++++++
 .../reference-content/index.mdx | 1 -
 .../reference-content/security-proposals.mdx | 3 +-
 .../reference-content/statuses.mdx | 3 +-
 .../understanding-s2svpn.mdx | 5 ++--
 8 files changed, 50 insertions(+), 10 deletions(-)
 create mode 100644 pages/site-to-site-vpn/concepts.mdx
 create mode 100644 pages/site-to-site-vpn/faq.mdx
 create mode 100644 pages/site-to-site-vpn/quickstart.mdx
diff --git a/pages/site-to-site-vpn/concepts.mdx b/pages/site-to-site-vpn/concepts.mdx
new file mode 100644
index 0000000000..9ecee83b03
--- /dev/null
+++ b/pages/site-to-site-vpn/concepts.mdx
@@ -0,0 +1,28 @@
+---
+title: Site-to-Site VPN - Concepts
+description: Understand the core concepts behind Scaleway's Site-to-Site VPN, including VPN and customer gateways, security proposals, routing policies and more.
+tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy
+dates:
+ creation: 2025-12-05
+ validation: 2025-12-05
+---
+
+## ASN
+
+An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using [BGP](#bgp) across the VPN. Each BGP peer must have a unique ASN to identify its routing domain.
+
+## BGP
+
+**B**order **G**ateway **P**rotocol
+
+## Connection
+## Customer gateway
+## Customer gateway device
+## Gateway type
+## IP address
+## Routing policy
+## Route propagation
+## Security proposal
+## Site-to-Site VPN
+## Tunnel
+## VPN gateway
\ No newline at end of file
diff --git a/pages/site-to-site-vpn/faq.mdx b/pages/site-to-site-vpn/faq.mdx
new file mode 100644
index 0000000000..46df30cb2a
--- /dev/null
+++ b/pages/site-to-site-vpn/faq.mdx
@@ -0,0 +1,8 @@
+---
+title: Site-to-Site VPN - FAQ
+description: Find answers to frequently asked questions about Scaleway Site-to-Site VPN, including setup, troubleshooting, compatibility, and best practices for secure, reliable connectivity.
+tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy
+dates:
+ creation: 2025-12-05
+ validation: 2025-12-05
+---
\ No newline at end of file
diff --git a/pages/site-to-site-vpn/index.mdx b/pages/site-to-site-vpn/index.mdx
index 1347f915eb..8e9f09060b 100644
--- a/pages/site-to-site-vpn/index.mdx
+++ b/pages/site-to-site-vpn/index.mdx
@@ -6,9 +6,9 @@ noindex: true
- Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+ Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
diff --git a/pages/site-to-site-vpn/quickstart.mdx b/pages/site-to-site-vpn/quickstart.mdx
new file mode 100644
index 0000000000..c8ba5e96a5
--- /dev/null
+++ b/pages/site-to-site-vpn/quickstart.mdx
@@ -0,0 +1,8 @@
+---
+title: Site-to-Site VPN - Quickstart
+description: Get started quickly with Scaleway Site-to-Site VPN. Follow our step-by-step guide to configure and deploy a secure connection between your network and Scaleway VPC in minutes.
+tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy
+dates:
+ creation: 2025-12-05
+ validation: 2025-12-05
+---
\ No newline at end of file
diff --git a/pages/site-to-site-vpn/reference-content/index.mdx b/pages/site-to-site-vpn/reference-content/index.mdx
index 2f33d51766..e17eb89378 100644
--- a/pages/site-to-site-vpn/reference-content/index.mdx
+++ b/pages/site-to-site-vpn/reference-content/index.mdx
@@ -1,5 +1,4 @@
 ---
 title: Site-to-Site VPN - Additional content
 description: Site-to-Site VPN additional content
-noindex: true
 ---
diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx
index 9d56ca6c14..66ba242050 100644
--- a/pages/site-to-site-vpn/reference-content/security-proposals.mdx
+++ b/pages/site-to-site-vpn/reference-content/security-proposals.mdx
@@ -1,7 +1,6 @@
 ---
 title: Site-to-Site VPN security proposals
 description: Find out what the different encryption and authentication ciphers available with Scaleway Site-to-Site VPN, and how to to choose the best algorithm for your use case.
-noindex: true
 tags: vpn connection encryption authentication security cipher security-proposal
 dates:
 validation: 2025-06-03
@@ -9,7 +8,7 @@ dates:
 ---
-Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you must define a **security proposal** (aka IPSec proposal). The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel.
diff --git a/pages/site-to-site-vpn/reference-content/statuses.mdx b/pages/site-to-site-vpn/reference-content/statuses.mdx
index 2e63ed93c4..5dc1e9360b 100644
--- a/pages/site-to-site-vpn/reference-content/statuses.mdx
+++ b/pages/site-to-site-vpn/reference-content/statuses.mdx
@@ -1,7 +1,6 @@
 ---
 title: Understanding Site-to-Site VPN statuses
 description: Find out what the different possible statuses of your Site-to-Site VPN gateways and connections mean, and how to take action based on these statuses when necessary.
-noindex: true
 tags: vpn gateway customer remote connection status
 dates:
 validation: 2025-06-03
@@ -9,7 +8,7 @@ dates:
 ---
-Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 ## VPN gateway statuses
diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx
index b5aa80cad0..969d573547 100644
--- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx
+++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx
@@ -1,7 +1,6 @@
 ---
 title: Understanding Site-to-Site VPN
 description: Dive deeper into understanding Scaleway's Site-to-Site VPN offer, with technical diagrams, explanations and more.
-noindex: true
 tags: vpn gateway customer infrastructure connection encryption
 dates:
 validation: 2025-06-03
@@ -15,7 +14,7 @@ import image5 from './assets/scaleway-vpn-tunnel-detail.webp'
-Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 ## Site-to-Site VPN overview
@@ -161,7 +160,7 @@ Use [Network ACLs](/vpc/reference-content/understanding-nacls/) if you want to l
 ## Site-to-Site VPN limitations
-- Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the [Scaleway API](https://www.scaleway.com/en/betas/#site-to-site-vpn)
+- Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 - You cannot use Site-to-Site VPN to connect two Scaleway VPCs
 - You cannot modify the Private Network that a VPN is connected to after creation
 - You must use the auto-generated pre-shared key (PSK) for a VPN connection: you cannot currently define your own PSK
From 6490117996b126026fa10e8efbc06b0d8722cec2 Mon Sep 17 00:00:00 2001
From: Rowena
Date: Tue, 2 Dec 2025 12:23:00 +0100
Subject: [PATCH 2/4] feat(s2svpn): finished public beta doc
---
 pages/site-to-site-vpn/concepts.mdx | 42 +++++++++++++++++++++++----
 pages/site-to-site-vpn/faq.mdx | 30 ++++++++++++++++++-
 pages/site-to-site-vpn/quickstart.mdx | 6 +++-
 3 files changed, 71 insertions(+), 7 deletions(-)
diff --git a/pages/site-to-site-vpn/concepts.mdx b/pages/site-to-site-vpn/concepts.mdx
index 9ecee83b03..fd0105be76 100644
--- a/pages/site-to-site-vpn/concepts.mdx
+++ b/pages/site-to-site-vpn/concepts.mdx
@@ -11,18 +11,50 @@ dates:
 An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using [BGP](#bgp) across the VPN. Each BGP peer must have a unique ASN to identify its routing domain.
-## BGP
+## Border Gateway Protocol (BGP)
-**B**order **G**ateway **P**rotocol
+**B**order **G**ateway **P**rotocol is a standardized gateway protocol that allows autonomous systems to exchange routing information. Site-to-Site VPN uses BGP to facilitate route propagation, so that the VPC gateway and the customer gateway can learn each other's routes.
 ## Connection
+
+A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel between the two, including routing policy and encryption method.
+
 ## Customer gateway
+
+A customer gateway is a logical resource representing the physical or virtual gateway device on the customer (remote) side of a Site-to-Site VPN tunnel.
+
 ## Customer gateway device
-## Gateway type
-## IP address
+
+A customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device.
+
+## IPsec
+
+**I**nternet **P**rotocol **Sec**urity (IPsec) is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. In the context of Scaleway Site-to-Site VPN, IPsec provides end-to-end security for traffic flowing through the VPN tunnel between a VPN gateway and a customer gateway.
+
+## Pre-shared key (PSK)
+
+A pre-shared key (PSK) is a shared secret string, generated by Scaleway and known by both the VPN gateway and customer gateway. It is used to verify the identity of both gateways and establish secure, encrypted communication between them. Each PSK generated for Site-to-Site VPN is securely stored in [Scaleway Secret Manager](/secret-manager/).
+
 ## Routing policy
+
+By default, all routes across a VPN connection are blocked. A routing policy allows you to set filters to define the IP prefixes to allow. You can whitelist multiple outgoing routes and multiple incoming routes per policy.
+
 ## Route propagation
+
+Route propagation can be activated or deactivated on each VPN connection. When activated, route propagation launches BGP sessions, so the customer gateway and VPN gateway can dynamically exchange route information using the attached routing policies. This allows traffic to flow over the connection. When route propagation is deactivated, no traffic can flow.
+
 ## Security proposal
+
+A security proposal (aka IPSec proposal) defines the encryption and authentication methods used to secure an IPSec VPN tunnel. You must define a security proposal when creating a VPN [connection](#connection).
+
 ## Site-to-Site VPN
+
+Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security (IPsec).
+
 ## Tunnel
-## VPN gateway
\ No newline at end of file
+
+A VPN connection creates a VPN tunnel between a customer gateway and a VPN gateway. This tunnel is established between the two gateways' public IPv4 or IPv6 addresses. The tunnel is secured with IPsec, and traffic can securely flow through it.
+
+## VPN gateway
+
+A VPN gateway is a managed resource that acts as a connection point on the Scaleway side of your Site-to-Site VPN tunnel. Each [connection](#connection) within the gateway represents an IPsec tunnel towards a [customer gateway](#customer-gateway), established over the public internet. A single VPN gateway can host multiple connections.
diff --git a/pages/site-to-site-vpn/faq.mdx b/pages/site-to-site-vpn/faq.mdx
index 46df30cb2a..b42bef85d2 100644
--- a/pages/site-to-site-vpn/faq.mdx
+++ b/pages/site-to-site-vpn/faq.mdx
@@ -5,4 +5,32 @@ tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routin
 dates:
 creation: 2025-12-05
 validation: 2025-12-05
----
\ No newline at end of file
+---
+
+## Overview
+
+### What is Site-to-Site VPN?
+
+Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa.
+
+## Specifications
+
+### How are Site-to-Site VPN tunnels encrypted?
+
+Site-to-Site VPN connections are secured with Internet Protocol security (IPsec). When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you are prompted to define a **security proposal** (aka IPSec proposal) which defines the precise encryption and authentication methods to secure the tunnel. Read more about security proposals and encryption in our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/).
+
+## Compatibility and integration
+
+### Can I use Site-to-Site VPN to connect two Scaleway VPCs?
+
+No, you cannot use Site-to-Site VPN to connect two Scaleway VPCs. Watch out for our upcoming VPC peering solution for this functionality.
+
+### Can I use Site-to-Site VPN to connect my Scaleway VPN to another cloud provider?
+
+Yes, this use case is entirely possible.
+
+## Pricing and billing
+
+### How much does Site-to-Site VPN cost?
+
+Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/) for full details.
\ No newline at end of file
diff --git a/pages/site-to-site-vpn/quickstart.mdx b/pages/site-to-site-vpn/quickstart.mdx
index c8ba5e96a5..f781b21183 100644
--- a/pages/site-to-site-vpn/quickstart.mdx
+++ b/pages/site-to-site-vpn/quickstart.mdx
@@ -5,4 +5,8 @@ tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routin
 dates:
 creation: 2025-12-05
 validation: 2025-12-05
----
\ No newline at end of file
+---
+
+
+Site-to-Site VPN is currently in Public Beta, and available only via the Scaleway API. Read our API-based quickstart in the [Site-to-Site VPN API documentation](https://www.scaleway.com/en/developers/api/site-to-site-vpn/#quickstart)
+
\ No newline at end of file
From 8467cfae23a0da3b5981a9bd47abca2dd0b36dc3 Mon Sep 17 00:00:00 2001
From: Rowena
Date: Tue, 2 Dec 2025 14:54:27 +0100
Subject: [PATCH 3/4] fix(s2svpn): fix
---
 menu/navigation.ts | 2 ++
 pages/site-to-site-vpn/menu.ts | 50 ++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 pages/site-to-site-vpn/menu.ts
diff --git a/menu/navigation.ts b/menu/navigation.ts
index cae5ef84f4..0e62ef82b4 100644
--- a/menu/navigation.ts
+++ b/menu/navigation.ts
@@ -58,6 +58,7 @@ import { serverlessContainersMenu } from "../pages/serverless-containers/menu"
 import { serverlessFunctionsMenu } from "../pages/serverless-functions/menu"
 import { serverlessJobsMenu } from "../pages/serverless-jobs/menu"
 import { serverlessSqlDatabasesMenu } from "../pages/serverless-sql-databases/menu"
+import { siteToSiteVpnMenu } from "../pages/site-to-site-vpn/menu"
 import { terraformMenu } from "../pages/terraform/menu"
 import { topicsAndEventsMenu } from "../pages/topics-and-events/menu"
 import { transactionalEmailMenu } from "../pages/transactional-email/menu"
@@ -207,6 +208,7 @@ export default [
 ipamMenu,
 loadBalancerMenu,
 publicGatewaysMenu,
+ siteToSiteVpnMenu,
 vpcMenu,
 ],
 label: 'Network',
diff --git a/pages/site-to-site-vpn/menu.ts b/pages/site-to-site-vpn/menu.ts
new file mode 100644
index 0000000000..fd0336dd55
--- /dev/null
+++ b/pages/site-to-site-vpn/menu.ts
@@ -0,0 +1,50 @@
+export const siteToSiteVpnMenu = {
+ items: [
+ {
+ label: 'Overview',
+ slug: '../site-to-site-vpn',
+ },
+ {
+ label: 'Concepts',
+ slug: 'concepts',
+ },
+ {
+ label: 'Quickstart',
+ slug: 'quickstart',
+ },
+ {
+ label: 'FAQ',
+ slug: 'faq',
+ },
+ {
+ items: [
+ {
+ label: 'Site-to-Site VPN API Reference',
+ slug: 'https://www.scaleway.com/en/developers/api/site-to-site-vpn/',
+ }
+ ],
+ label: 'API/CLI',
+ slug: 'api-cli',
+ },
+ {
+ items: [
+ {
+ label: 'Understanding Site-to-Site VPN',
+ slug: 'understanding-s2svpn',
+ },
+ {
+ label: 'Site-to-Site VPN Security proposals',
+ slug: 'security-proposals',
+ },
+ {
+ label: 'Site-to-Site VPN Statuses',
+ slug: 'statuses',
+ },
+ ],
+ label: 'Additional Content',
+ slug: 'reference-content',
+ }
+ ],
+ label: 'Site-to-Site VPN',
+ slug: 'site-to-site-vpn',
+}
From 32b74024cc7fb4247e19dceefe83fab6fee46015 Mon Sep 17 00:00:00 2001
From: Rowena
Date: Tue, 2 Dec 2025 15:17:01 +0100
Subject: [PATCH 4/4] fix(s2svpn): corrected index
---
 pages/site-to-site-vpn/index.mdx | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/pages/site-to-site-vpn/index.mdx b/pages/site-to-site-vpn/index.mdx
index 8e9f09060b..9016f15af0 100644
--- a/pages/site-to-site-vpn/index.mdx
+++ b/pages/site-to-site-vpn/index.mdx
@@ -1,7 +1,6 @@
 ---
 title: Site-to-Site VPN Documentation
 description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to your remote infrastructure, via an encrypted, private VPN tunnel.
-noindex: true
 ---
+ /> +
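Review bot: In the new `pages/site-to-site-vpn/menu.ts` (patch 3/4), trailing commas are applied inconsistently: the three entries under 'Additional Content' each close with `},`, while the single 'API/CLI' entry and the last top-level entry close with a bare `}`. Closing both with `},` keeps the object uniform and makes later additions one-line diffs. Separately, the 'API/CLI' child puts an absolute URL in `slug` where every sibling uses a relative segment; the code that resolves slugs is not visible in this patch, so it is worth confirming that it treats an absolute URL as an external link rather than joining it onto `api-cli`.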