What is a Public Gateway?

Public Gateways sit at the border of Private Networks. They provide services to deal with traffic entering and exiting the network (NAT), and SSH bastion. A Public Gateway can be attached to up to 8 Private Networks, and up to 50 Public Gateways are supported per Organization.

The Public Gateway can be configured through the console or the API.

Does the Public Gateway require a public IPv4 address?

No. A public IPv4 address (aka. flexible IP) must be assigned to the Public Gateway at creation time, but you can detach it and delete it afterward if you do not require it to be publically accessible.

Can my Instances and other resources access the internet via a Public Gateway without a public IP address?

Yes. The Public Gateway can advertize itself as the default route to the internet over the Private Network it is attached to, so that Instances and other resources on the same Private Network, can access the internet via the gateway. Moreover, the Public Gateway supports static NAT (aka. port forwarding), so that ingress traffic from the public internet can reach Instances on the Private Network. This works by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the Private Network.

What happened to static leases (DHCP reservations) when DHCP moved from the Public Gateway to Private Networks?

On 12 July 2023, DHCP functionality moved from Public Gateways to Private Networks. See our dedicated migration documentation for full details.

Pre-existing static leases created via the Public Gateway were fully migrated and still work for your attached resources on a Private Network. Manual static lease configuration is still available via the API and other devtools, but is no longer available via the Scaleway console. We recommend that you use Scaleway IPAM to reserve private IP addresses on specific Private Networks, which you can then use when attaching resources.

Why is my Public Gateway labelled as Legacy?

Legacy Public Gateways use a workaround to ensure compatiblity with Scaleway’s IPAM (I P Address Management) tool. IPAM acts as a single source of truth for the IP addresses of Scaleway resources

Your gateway is probably a legacy gateway if you created it prior to 17 October 2023. These gateways will continue to function, but are not natively integrated with IPAM, and you cannot take advantage of features such as IP management via Scaleway IPAM, or fully-isolated Kubernetes Kapsules. You should create a new gateway if you want to benefit from such features.

Do I need a Public Gateway for each Availability Zone (AZ)?

VPC and Private Networks are both regional, meaning they span all AZs across a given region. Even though Public Gateways are zoned and not regional, one Public Gateway attached to a regional Private Network is functionally enough, and will cover the whole region. That is to say a Public Gateway created in PAR-1 can serve Instances in PAR-2 and PAR-3, as long as they are all attached to the same PAR-region Private Network.

How can I achieve truly High Availability (HA) networking when the Public Gateway is a zoned resource?

Notwithstanding the answer to the previous question, if you have a single Public Gateway in, for example, PAR-1, serving resources from other AZs on the same Private Network and there is an outage in the PAR-1 zone, the gateway will not be able to serve the resources from other unaffected AZs. We are working to improve and develop our Public Gateway product to counteract this.

In the meantime, if this is a concern, you could consider attaching several Public Gateways from different AZs to a single Private Network, each advertising a default route to the internet. As long as you are using a recent kernel (e.g. Ubuntu Jammy, Debian bookworm), the traffic will be spread across the different gateways. In the case of an outage in one AZ, you will only lose the gateway in that zone, and the others will continue to serve traffic.

I need more than 1Gbps bandwidth for my Public Gateway, what can I do?

We have introduced a VPC-GW-L offer with 3Gbps bandwidth to accommodate customers with this type of need. For pricing details, see our dedicated page. You can upgrade your existing Public Gateway to this new offer via the Public Gateways API or the Scaleway console.