This document sets out best practices for securing and optimizing public connectivity for your Scaleway resources.
Public vs private connectivity defines how resources are accessed and exposed over networks.
Public connectivity for Instances, Elastic Metal, Load Balancers and Public Gateways is facilitated by a flexible IP address.
Other resource types generally facilitate public connectivity in other ways, e.g. via public endpoints that cannot be modified by the user. Public connectivity may be mandatory with no option to deactivate (e.g. for Apple Silicon), or optional (e.g. for Managed Database). See the specific documentation for the product in question to find out more.
As flexible IP addresses can be moved between resources, they provide the following advantages:
In the future, look out for even more improvements to our flexible IP offering, such as the ability to move flexible IPs between different types of products, and to manage all your public flexible IPs from your IPAM dashboard.
We strongly recommend that you disable public connectivity on all of your Scaleway resources, unless it is absolutely required. Attaching resources to Private Networks, and limiting their communication to these networks brings the following advantages:
Depending on the resource type, public connectivity can be disabled by:
For some products, e.g. Apple Silicon, public connectivity cannot be disabled at any stage, and for other resources, eg Managed Databases for Redis, public connectivity options cannot be modified after resource creation. Check the documentation for your specific product to learn more.
Favor resources such as Public Gateways and Load Balancers to provide access to the public internet over the Private Network. This allows Instances and other attached resources to send and receive packets to the internet through a single, secure point of access. You can use the Public Gateway’s SSH bastion feature to connect to your resource via its private IP address.
Find out more about how to get the most from Private Network in our dedicated documentation
Different products offer different security features and controls to help place limits and restrictions on the traffic arriving over your resource’s public interface. We strongly recommend that you implement all available measures to minimize security risk and optimize the security of your resource. Some of the available security controls are listed below.
Security groups act as firewalls, filtering public internet traffic on your Instances. They can be stateful or stateless, and allow you to create rules to drop or allow public traffic to and from your Instance. Find out how to create and configure security groups.
Access Control Lists (ACLs) allow you to control traffic arriving at your Load Balancer's frontend, and set conditions to allow traffic to pass to the backend, deny traffic from passing to the backend, or redirect traffic. Conditions can be set based on the traffic's source IP address and/or HTTP path and header, or you can choose to carry out unconditional actions. ACLs allow you to build extra security into your Load Balancer, as well as letting you redirect traffic, for example from HTTP to HTTPS.
Learn how to use the ACL feature in our dedicated how-to and go deeper with our reference documentation.
For resources such as Instances and Elastic Metal servers, you may wish to implement third-party manual solutions in front of your public services to enhance security, for example:
Exposing your resource to the public internet can present risks of unexpected traffic surges. These may be malicious DDoS attacks, or legitimate surges that are simply the result of high demand. If correct mechanisms are not put in place to deal with high load, you risk facing downtime, service unavailability and performance degradation. A number of possibilities exist to help you handle this scenario:
Scaleway currently offers Autoscaling in Public Beta. Autoscaling allows you to dynamically adjust the number of Instances within a given Instance group based on defined scaling policies. Scaling actions (scale up or down) are triggered when the monitored metric exceeds the configured thresholds from your policies. Check out the API documentation.
Placing a Scaleway Load Balancer in front of your backend servers allows you to expose multiple Instances through a single public IP. The Load Balancer distributes workload across the servers in the backend pool, ensurable scalable and continuously available applications, even during heavy traffic. You can manually add and remove servers from the backend pool as necessary, and configure the best balancing method for your particular needs. Find out more in the Load Balancer documentation.
Available for Load Balancers and Object Storage buckets, Scaleway Edge Services provides a caching service to reduce load on your origin. This means that content can be served directly to users from Edge Services’ servers, instead of from your Load Balancer or Object Storage bucket. Learn more about Edge Services.
Hosting your containerized application in a managed Kubernetes cluster brings many benefits in terms of scaling and managing fluctuating demand. Kubernetes can automatically adjust the number of running resources within defined limits, based on current demand. It also offers self-healing capabilities in the case of node failure. Find out more in the Scaleway Kubernetes documentation.
We recommend that you use Scaleway Cockpit to monitor your resources. Cockpit stores metrics, logs and traces and provides a dedicated dashboarding system on Grafana for easy visualisation. Different metrics are available for different resource types, with metrics for network traffic being available for many, enabling you to monitor connections over the public interface. You can also configure managed and pre-configured alerts for your resources, to receive warnings for potentially abnormal behavior or unusual network activity.
Read more about Scaleway Cockpit.