NavigationContentFooter
Jump toSuggest an edit

Understanding VPC GA and Migration

Reviewed on 03 July 2024Published on 20 June 2023

Overview

As of July 12, 2023, VPC is now in general availability (GA). The arrival of VPC brought changes to the Scaleway Network products portfolio, which are summarized in the table below. Read on to find out more about the detail of these changes.

ProductPre-VPCDuring VPC Public BetaWith VPC General Availability
Private NetworksOne offer only: zoned Private Networks (scoped to a single AZ)Classic offer (zoned Private Networks) continued

Beta offer: possibility to create regional Private Networks in a VPC, with optional migration of existing zoned Private Networks via the API
Classic offer (zoned Private Networks) is discontinued.

All existing zoned Private Networks are automatically migrated to become regional Private Networks inside a VPC.

Private Networks now offer DHCP (see below for more details about DHCP migration).
VPC---VPC is introduced. One default VPC in each region is created automatically for all users.

Beta testers can create regional Private Networks in their VPCs
All users have one default VPC per region automatically created for them.

Users can opt to create additional VPCs.

All Private Networks now exist within a VPC.
Public GatewaysWhen attached to a Private Network, Public Gateways provide DHCP, NAT & SSH bastion for resources in the network.No changeDHCP functionality leaves Public Gateways and is now built directly into Private Networks.

Public Gateways continue to offer NAT and SSH bastion.

Key concepts

If you are unsure about some of the terminology in this document, refer to the sources below for more explanation before continuing.

  • What is a VPC?
  • What is a Private Network?
  • What do the terms “region”/“regional” and “zoned”/“AZ” mean?
  • What is DHCP?
  • What is beta vs. general availability (GA)?

VPC GA: What does it mean for Private Networks?

As summarized in the table above, now that VPC is in general availability, you can no longer create new zoned Private Networks. All Private Networks created from now on are regional, exist inside a VPC, and have integrated DHCP.

There is also an impact on pre-existing Private Networks. There are three aspects to this impact:

  • Zoned > Regional: All pre-existing zoned Private Networks have been automatically migrated by Scaleway, and are now regional Private Networks inside a VPC.
  • DHCP activation: Prior to VPC GA, DHCP was not itself present on any pre-existing Private Networks. It was instead a feature of the Public Gateway which could optionally be attached to a Private Network and (if DHCP was activated), automatically assign private IP addresses to attached resources. When VPC went into GA, DHCP functionality was moved from Public Gateways to Private Networks themselves. Whether or not DHCP has been automatically activated on your pre-existing Private Network depends on the specificities of your configuration.
  • Managed DNS: All new Private Networks benefit from Managed DNS, to facilitate resource name resolution between different resources attached to the Private Network. Private Networks attached to a Public Gateway continue to use the Gateway’s DNS.

Read on for more information about these three aspects.

Aspect 1: Zoned to regional

All newly created Private Networks going forward will be regional in scope. All pre-existing zoned Private Networks have been automatically migrated by Scaleway, to become regional Private Networks inside a VPC.

  • This was planned as a seamless migration with no downtime.
  • Private Networks in PAR-1, PAR-2 or PAR-3 became scoped to the whole PAR region, Private Networks from AMS-1 or AMS-2 became scoped to the whole AMS region, and Private Networks from WAW-1 or WAW-2 became scoped to the whole WAW region.
  • You can now attach resources from any of the AZs within the region of a Private Network. This gives you a Private Network where, for example, an Elastic Metal server in PAR-2 can communicate with a Managed Database in PAR-1.
  • One default VPC for each Scaleway region has been created per Project, and your newly migrated Private Networks are accessible from within the default VPC for their region.

Aspect 2: DHCP on Private Networks

From now on, whenever you create a new Private Network, as well as being regional in its scope, it will also have DHCP built into it. This means:

  • When creating a Private Network:
    • A managed DHCP server is activated on the Private Network. This cannot be deactivated. The IPv4 address of Private Networks’ DHCP server is 169.254.169.254. The IPv6 address is fe80:200:22ff:fe05:ca1e.
    • You are given the choice to let us automatically generate IPv4 and IPv6 CIDR blocks (subnets) for you, or to define your own IPv4 CIDR block for the network.
  • When you attach a resource to the Private Network, it automatically gets a private IP address assigned to it from this subnet via DHCP. The IP is allocated when the resource is attached to a Private Network, and released only when the resource is detached or deleted. Resources are also reachable just by using their name. Essentially, you can let Scaleway manage your IPs, with no hassle for you.
  • These IP addresses are managed by Scaleway IPAM, which is the only source of truth and ensures full consistency.
  • IP addresses are allocated and assigned to your resources: they are fixed and (for now) cannot be defined by the user, beyond definition of the CIDR block at the time of network creation.
  • Scaleway’s public IPAM API is now publicly available for features such as listing resource IP addresses, and booking IP addresses. As we develop our IPAM tool and integrate it with the Scaleway console, more functionalities will become available such as allocating booked IPs to a resource when you attach it to a Private Network.
Note

What if I still want to create a new Private Network and manage the attached resources’ IPs by myself? You can use the Scaleway IPAM API to book IP addresses for resources. Watch this space for features to enable you to select booked IPs for resources when attaching them to a Private Network.

DHCP activation on pre-existing Private Networks

Whether or not the managed DHCP server has been automatically activated on your pre-existing Private Networks depends on your configuration:

Your configurationImpact
I have a Private Network, with no Public Gateway attached to itDHCP has not been automatically activated on your Private Network, to avoid any conflicts with your existing IP addressing.

You should see a button in the Scaleway console inviting you to activate DHCP if/when you are ready. Note that activating DHCP is permanent, and there is no way to undo the activation, so proceed with caution.
I have a Private Network, attached to a Public Gateway, but DHCP is disabled on the gateway.DHCP has not be automatically activated on your Private Network, to avoid any conflicts with your existing IP addressing.

You should see a button in the Scaleway console inviting you to activate DHCP if/when you are ready. Note that activating DHCP is permanent, and there is no way to undo the activation, so proceed with caution.
I have a Private Network, attached to a Public Gateway, and DHCP is enabled on the gateway.DHCP has been automatically activated on your Private Network, and cannot be deactivated. We take care of IP management of your resources within your Private Network (see details above).

All the Public Gateway’s leases are synchronized with the managed DHCP, so there is no impact for you and no action is necessary.
I have a Private Network with my own DHCP server running on itWe assume that your network is therefore not attached to a Public Gateway with DHCP enabled (which would cause conflicts with your own DHCP server). DHCP has not been automatically activated on your Private Network, to avoid any conflicts with your existing IP addressing.

You should see a button in the Scaleway console inviting you to activate DHCP if/when you are ready. Note that activating DHCP is permanent, and there is no way to undo the activation, so proceed with caution.
Tip

If you fall into one of the cases where DHCP is not automatically activated for you, as well as seeing an Activate DHCP button in the Scaleway console, you can also activate via the API if you prefer.

See the dedicated documentation on activating DHCP

Any static DHCP reservations (static leases) configured via a Public Gateway have been transparently migrated. Going forward, DHCP reservations via the Public Gateway API and other devtools are deprecated but still available, to avoid breaking changes. They are no longer available via the console. IP reservations are also available through the IPAM API.

Aspect 3: DNS on Private Networks

From the time of GA, all newly created Private Networks benefit from our managed DNS, to facilitate resource name resolution between different resources attached to the Private Network.

Managed DNS activation on pre-existing Private Networks

Whether or not managed DNS is activated on your pre-existing Private Network depends on whether it is attached to a Public Gateway:

  • Private Networks not attached to a Public Gateway: Managed DNS is automatically activated on these Private Networks.
  • Private Networks attached to a Public Gateway: Managed DNS is not automatically activated on these Private Networks. They will continue to use the DNS of the gateway, to enable resource name resolution between different attached Private Networks. This will also be the case whenever you attach new Private Networks to a Public Gateway in the future: the DNS of the gateway will always take priority.

Watch this space for future developments and features in this area.

Public Gateways and VPC

You may have observed the following behavior when during the period directly following GA:

  • For each Public Gateway (newly-created or pre-existing), a new VPC was automatically created to hold its subnets and route table.
  • When a Private Network is attached to a Public Gateway, it was moved to the gateway’s VPC.

Public Gateways created via the Scaleway console after October 17 2023 are IPAM-mode gateways, and the temporary behavior described above no longer applies. These gateways are fully compatible with Scaleway’s IPAM and no longer need to auto-create their own VPC for attached Private Networks to ensure IPAM compatibility.

Public Gateways created before October 17 2023 are legacy gateways, and their attached Private Networks must stay in the gateway’s auto-created VPC to ensure IPAM compatibility.

You can tell whether your Public Gateway is in legacy mode or IPAM mode, by referring to the “mode” badge in the listing of your Public Gateway in the Scaleway console.

Find out more about legacy gateways versus IPAM-mode gateways in our IPAM concept documentation.

Note

When creating a Kubernetes Kapsule cluster with full isolation you are required to attach a Public Gateway to the cluster’s Private Network, and this cannot be a legacy Public Gateway - it must be fully integrated with IPAM.

Impacts on the rest of the Scaleway ecosystem

The general availability of VPC brings the following changes to our devtools and console:

Scaleway console

  • The existing Private Networks section, available from the main menu (sidebar) of the console, will soon cease to be accessible. Instead, you should select VPC in the sidebar, and then click on the relevant VPC, to access and manage your Private Networks.
  • The DHCP dashboard for Public Gateways is no longer available, as this functionality has moved to Private Networks.

API

  • The VPC v1 zoned API (which actually only concerns Private Networks and not VPC as it is now understood) will keep working, but is deprecated and has been moved to read only. The VPC v2 API, covering both VPCs and Private Networks with regional scope and DHCP, is the new default API. Note that in the VPC API documentation, you can select v1 or v2 from the drop-down menu at the top to navigate between the two versions.
  • DHCP reservations via the Public Gateway API are deprecated but still available, to avoid breaking changes. IP reservations are also available through the IPAM API.

CLI

  • As the CLI does not support multiple versions of an API, new and future versions will drop the VPC v1 API in favor of v2.
  • DHCP reservations via the Public Gateway have been deprecated but are still available, to avoid breaking changes. IP reservations are also available through the IPAM API.

Terraform

  • The property that previously existed on Private Network resources, to specify whether they are regional or not and allow use of the correct underlying API (VPC v1 or v2), has been deprecated.
  • DHCP reservations via the Public Gateway are now deprecated but still available, to avoid breaking changes. IP reservations are also available through the IPAM API.

Why are we making these changes?

Security and networking are not easy. Mistakes can be made and details can be forgotten which can lead to conflicts in your configuration or serious security holes in your infrastructure.

We are aiming to make it as easy as possible for our customers to create a secure infrastructure, with resources reachable in a simple yet safe way, able to communicate with each other without having to be exposed on the public internet.

Each Scaleway Project gets a default VPC for each region. From there, it only takes a couple of clicks to create a Private Network with built-in DHCP in a VPC. No network configuration is required, all the defaults are set up and ready to go. We even take care of making sure that each Private Network gets a large enough subnet that it will not overlap with that of any other Private Networks inside the same VPC.

As you attach your resources to the Private Network, they automatically get a fixed private IP address inside that subnet. They are also reachable just by using their name as we provide “Private DNS” resolution inside a Private Network.

We believe that plug and play is the way, and are aiming to provide you with everything you need to get your infrastructure up and running, as securely as possible, with minimal hassle.

Read our blog post to find out more about our work on our VPC product.

Further resources

  • VPC Public Beta Documentation
  • VPC FAQ
  • VPC API Documentation
  • Scaleway Developers Tools
  • Tutorials
  • Join the #virtual-private-cloud channel on Slack
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway