
VPC use case 1 - Basic infrastructure to leverage VPC isolation

Reviewed on 16 January 2025Published on 16 January 2025

Scaleway Virtual Private Cloud (VPC) and the accompanying range of network products are important building blocks within the Scaleway ecosystem. By creating your Scaleway resources within a carefully thought-out VPC-based infrastructure, you can maximize security, resilience and efficiency.

Knowing how to create, combine and configure these resources is invaluable in achieving control over your networking environment: Private Networks with definable subnets, VPC routing with custom routes, IPAM to define and manage your IP addresses, and Load Balancers and Public Gateways to provide connectivity and traffic distribution.

This is the first in a series of use cases designed to show you potentially interesting and useful infrastructures, illustrating how to use VPC and other network products to achieve a robust, secure and scalable cloud environment.

Terraform templates accompany each use case.

Overview

The architecture diagram below shows the infrastructure for this use-case.

This is a basic infrastructure to leverage VPC isolation:

  • Instances host the application without having their own public (flexible) IP addresses.
  • Managed Database is accessed by the Instances over the Private Network only, with no exposure to the public internet.
  • Load Balancer distributes user traffic to the Instances over the Private Network.
  • Administrators can access the Instances via the Public Gateway.
  • External services are accessed by the Instances via the Public Gateway.

Full Terraform templates are available for this infrastructure.

Detail

User requests go via a domain name, whose DNS record points to the public flexible IP of a Scaleway Load Balancer. This Load Balancer is attached to a Private Network in a VPC. It distributes user traffic to multiple Instances which are also attached to the Private Network, and which do not have their own public/flexible IP addresses. These Instances are reachable only from within the VPC. The Instances can store data to and retrieve data from Block Storage volumes attached to them, and from a Managed Database attached to the same Private Network and not exposed to the internet.

The Public Gateway attached to the Private Network has its own public flexible IP address, and administrators can use solutions such as SSH bastion to connect to Instances via the Public Gateway for maintenance and administrative tasks. The Public Gateway also provides outbound access to the public internet, with the Instances' traffic NATed behind the gateway's public IP, should the Instances need to download package updates, for example. Finally, the Public Gateway also allows the Instances to access services outside the VPC, e.g. those hosted on other Scaleway resources which are not compatible with VPC, via their public endpoints.

Advantages

Isolation and security

Resources are isolated within a VPC, and public IP exposure is restricted to the Load Balancer and the Public Gateway, which are therefore the only points at which traffic can enter or leave the VPC. This reduces the attack surface: a client on the internet can reach the Instances only through the Load Balancer's frontend or, for administrators, through the gateway's SSH bastion, never directly. Any sensitive data stored on the Instances and in the Managed Database is kept within the VPC, and not exposed to the public internet.

Scalability and reliability

Using the Load Balancer to distribute traffic across multiple Instances enhances reliability. If the Load Balancer's built-in health checks detect that an Instance is down, it immediately routes traffic to the remaining healthy Instances only, ensuring high availability. Additional Instances can be spun up and added to the Load Balancer's backend at any time, providing on-demand scalability.

External services like Transactional Email, Serverless, and the messaging products (NATS, Queues, Topics and Events) are also highly scalable, flexibly supporting event-driven architectures and asynchronous processing.

Controlled access

The Public Gateway, with its public IP address, allows controlled access between the public internet and the VPC. Features such as SSH bastion allow selected administrators with the correct SSH keys to connect to resources within the VPC. Static NAT (forwarding a port on the gateway's public IP to a private IP and port inside the Private Network) and/or advertisement of a default route (so that outbound traffic from the Instances is routed, and NATed, through the gateway) provide the ability to direct traffic through the gateway to and from the resources within.

Cost control

Creating Scaleway resources without their own public IP addresses saves money, as public IP addresses are billed resources, while the creation, configuration and assignment of IP addresses from a Private Network is free of charge.

Applications

This kind of infrastructure is appropriate for many applications, including but not limited to:

  • E-commerce platforms: A scalable backend (Instances, Block Storage), which can securely connect to payment systems and privately-accessed user data (Managed Database), with public-facing components (Load Balancer) for appropriately handling user traffic.
  • Web applications: Web applications that routinely need to handle high traffic are ideally suited to the solution of a Load Balancer in front of a horizontally scalable set of Instances, to facilitate uptime and high availability and grow with demand.
  • Enterprise applications: Enterprises handling sensitive data (e.g. HR systems) can benefit from the isolation and security of a VPC, with all of its additional features, to keep internal services running without unnecessary exposure to the internet.

Tutorial

Follow the steps below to create this infrastructure using the Scaleway console:

  1. Create a VPC (or use the default VPC pre-created for each Scaleway Project in the appropriate region).
  2. Create a Private Network inside the VPC. You can either let Scaleway create the network with an auto-generated subnet, which will provide the private IP addresses for attached resources, or specify a self-defined subnet.
  3. Create a Public Gateway (set it to advertise the default route) and attach it to the Private Network.
  4. Set up SSH bastion on the Public Gateway, to allow administrator access.
  5. Create a Managed Database.
  6. Remove the Managed Database’s public endpoint and add a private endpoint on the Private Network you created in step 2, so that the database is reachable only from inside the VPC.
  7. Create and configure external services as required, e.g. Object Storage, Transactional Email and Secret Manager.
  8. Create your Instances, using the configuration best-suited to your application. Do not assign public IPv4 or IPv6 addresses to the Instances. Add Block Storage volumes as required (or you can create and attach these later.)
    Tip

    If you are creating several Instances with the exact same configuration running the exact same template, consider creating just one Instance, configuring and installing it to communicate with the other resources inside and outside the VPC as required, then creating an image of this Instance and creating the remaining Instances using this image.

  9. Attach each Instance to the Private Network you created at step 2. Either let Scaleway automatically choose an IP from the Private Network’s subnet for each Instance, or use reserved IPs to specify the IP for each Instance on the network.
  10. Create a Load Balancer, ensuring you assign a public (flexible) IP address. Do not yet create the frontends and backends.
  11. Attach the Load Balancer to the Private Network. As before, you can use an auto-selected IP, or a specific reserved IP from the subnet.
  12. Create a frontend and backend for the Load Balancer. Choose the most appropriate configuration for your purpose and application, following advice and tips in the linked documentation. When configuring the Load Balancer’s backend servers, enter the private IP addresses of the Instances on the Private Network.
  13. Register or configure your domain and add a DNS record (e.g. an A record) pointing it to the public IP of your Load Balancer. While the instructions show how to do this with Scaleway’s Domains and DNS product, you can also use an external domain and configure it with another provider.

Terraform

Terraform templates for this architecture are provided in full on our Scaleway Terraform Examples repo. Terraform allows you to create Infrastructure as Code (IaC) to build, configure and manage your infrastructure with configuration files, rather than with the Scaleway console.

The templates include an example “Task Tracker” application to show how the infrastructure is used. The application is containerized using Docker, deployed on an Instance in the Private Network and leverages PostgreSQL for data storage. Full instructions are provided for creating the infrastructure with Terraform and deploying the test application.

The following snippet shows an extract of one of the templates, covering the VPC, the Private Network and the Public Gateway (attaching the gateway to the Private Network, and the remaining resources, are defined elsewhere in the templates):

    # The VPC that isolates all of the resources below
    resource "scaleway_vpc" "vpc01" {
      name = "vpc_${var.app_name}"
    }

    # Private Network inside the VPC, with a self-defined IPv4 subnet
    # (local.subnet is defined elsewhere in the template)
    resource "scaleway_vpc_private_network" "pn01" {
      name   = "pn_${var.app_name}"
      vpc_id = scaleway_vpc.vpc01.id
      ipv4_subnet {
        subnet = local.subnet
      }
    }

    # Public flexible IP for the gateway: the address administrators connect to
    resource "scaleway_vpc_public_gateway_ip" "gwip01" {
    }

    # Public Gateway with SSH bastion enabled on a non-default port
    resource "scaleway_vpc_public_gateway" "pgw01" {
      type            = "VPC-GW-S"
      name            = "pgw_${var.app_name}"
      ip_id           = scaleway_vpc_public_gateway_ip.gwip01.id
      bastion_enabled = true
      bastion_port    = 61000
    }
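The extract above stops at the Public Gateway. The configuration below is an added example, not one of the repo's templates, that carries the thirteen tutorial steps through in Terraform: it attaches the gateway to the Private Network with masquerade and a pushed default route (steps 3 and 4), gives the Managed Database a private endpoint only (steps 5 and 6), creates Instances with no public IP on reserved IPAM addresses (steps 8 and 9), and puts a Load Balancer with a health-checked backend in front of them (steps 10 to 12). It also demonstrates the two points made under "Scalability and reliability" and "Controlled access": the backend health check that takes a dead Instance out of rotation, and the bastion jump host used for administrative SSH. Everything not in the page is an assumption: the subnet 10.0.1.0/24, the application name, the Instance type and image, the database engine and node type, the application listening on port 8080 with a /health endpoint, and provider credentials supplied through the SCW_* environment variables. The `scaleway_ipam_ip.address` attribute is assumed to return the plain IPv4 address, which is why reserved IPs are used to feed the Load Balancer backend and the bastion command.

```hcl
terraform {
  required_providers {
    scaleway = { source = "scaleway/scaleway" }
  }
}

variable "app_name" {
  type    = string
  default = "tasktracker" # assumed name, matching the page's extract naming scheme
}

variable "db_password" {
  type      = string
  sensitive = true # pass via TF_VAR_db_password; never commit it to the template
}

locals {
  subnet = "10.0.1.0/24" # assumed subnet for the Private Network
}

# Steps 1-2: VPC and a Private Network with a self-defined subnet
resource "scaleway_vpc" "vpc01" {
  name = "vpc_${var.app_name}"
}

resource "scaleway_vpc_private_network" "pn01" {
  name   = "pn_${var.app_name}"
  vpc_id = scaleway_vpc.vpc01.id
  ipv4_subnet {
    subnet = local.subnet
  }
}

# Steps 3-4: Public Gateway with SSH bastion, attached to the Private Network.
# Masquerade NATs outbound Instance traffic behind the gateway's public IP, and the
# pushed default route sends that traffic to the gateway in the first place.
resource "scaleway_vpc_public_gateway_ip" "gwip01" {}

resource "scaleway_vpc_public_gateway" "pgw01" {
  type            = "VPC-GW-S"
  name            = "pgw_${var.app_name}"
  ip_id           = scaleway_vpc_public_gateway_ip.gwip01.id
  bastion_enabled = true
  bastion_port    = 61000
}

resource "scaleway_vpc_gateway_network" "gwnet01" {
  gateway_id         = scaleway_vpc_public_gateway.pgw01.id
  private_network_id = scaleway_vpc_private_network.pn01.id
  enable_masquerade  = true
  ipam_config {
    push_default_route = true
  }
}

# Steps 5-6: Managed Database with a private endpoint only (no public endpoint is declared)
resource "scaleway_rdb_instance" "db01" {
  name      = "db_${var.app_name}"
  engine    = "PostgreSQL-15" # assumed engine version
  node_type = "DB-DEV-S"      # assumed node type
  user_name = "app"
  password  = var.db_password
  private_network {
    pn_id       = scaleway_vpc_private_network.pn01.id
    enable_ipam = true
  }
}

# Steps 8-9: two Instances, no ip_id and no dynamic IP, so no public address at all.
# Each gets a reserved IPAM address so the private IPs are known before the Instance exists.
resource "scaleway_ipam_ip" "app" {
  count = 2
  source {
    private_network_id = scaleway_vpc_private_network.pn01.id
  }
}

resource "scaleway_instance_server" "app" {
  count = 2
  name  = "app-${count.index}"
  type  = "DEV1-S"       # assumed Instance type
  image = "ubuntu_jammy" # assumed image
  private_network {
    pn_id       = scaleway_vpc_private_network.pn01.id
    ipam_ip_ids = [scaleway_ipam_ip.app[count.index].id]
  }
}

# Steps 10-12: Load Balancer with a public flexible IP, attached to the Private Network,
# forwarding to the Instances' private IPs. The HTTP health check removes an Instance
# from rotation as soon as /health stops answering.
resource "scaleway_lb_ip" "lbip01" {}

resource "scaleway_lb" "lb01" {
  name   = "lb_${var.app_name}"
  type   = "LB-S"
  ip_ids = [scaleway_lb_ip.lbip01.id]
  private_network {
    private_network_id = scaleway_vpc_private_network.pn01.id
  }
}

resource "scaleway_lb_backend" "be01" {
  lb_id            = scaleway_lb.lb01.id
  name             = "be_${var.app_name}"
  forward_protocol = "http"
  forward_port     = 8080 # assumed application port
  server_ips       = scaleway_ipam_ip.app[*].address
  health_check_http {
    uri = "/health" # assumed health endpoint
  }
}

resource "scaleway_lb_frontend" "fe01" {
  lb_id        = scaleway_lb.lb01.id
  backend_id   = scaleway_lb_backend.be01.id
  inbound_port = 80
}

# Step 13 is the DNS record pointing at this address.
output "lb_public_ip" {
  value = scaleway_lb_ip.lbip01.ip_address
}

# Administrative access path: jump through the bastion to an Instance's private IP.
output "ssh_to_app0" {
  value = "ssh -J bastion@${scaleway_vpc_public_gateway_ip.gwip01.address}:${scaleway_vpc_public_gateway.pgw01.bastion_port} root@${scaleway_ipam_ip.app[0].address}"
}
```

Two design points are worth noting. Nothing in the template grants the Instances or the database a public address, so the only ingress is the Load Balancer frontend on port 80 and the bastion on 61000; if either of those resources is later deleted, the Instances become unreachable from outside rather than accidentally exposed. And because the reserved IPAM addresses are created before the Instances, the backend's server list is fixed by the plan rather than read back from the Instances after creation, which keeps `terraform plan` deterministic when Instances are replaced.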

See the full Terraform templates
