Site-to-Site VPN FAQ
Overview
What is Site-to-Site VPN?
Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa.
Specifications
How are Site-to-Site VPN tunnels encrypted?
Site-to-Site VPN connections are secured with Internet Protocol Security (IPsec). When creating a VPN connection, you are prompted to define a security proposal (also known as an IPsec proposal), which specifies the precise encryption and authentication methods used to secure the tunnel. Read more about security proposals and encryption in our dedicated documentation.
Compatibility and integration
Can I use Site-to-Site VPN to connect two Scaleway VPCs?
No, you cannot use Site-to-Site VPN to connect two Scaleway VPCs. Watch out for our upcoming VPC peering solution for this functionality.
Can I use Site-to-Site VPN to connect my Scaleway VPN to another cloud provider?
Yes, this use case is entirely possible.
What is an ASN and why do I have to supply one when creating a customer gateway?
An Autonomous System Number (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet.
When creating a customer gateway, you are asked to provide its ASN. This is necessary for dynamic routing across the VPN using BGP. Each BGP peer must have a unique ASN to identify its routing domain.
The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future.
ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in the range 64512 to 65534.
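The ASN rules above can be checked before creating customer gateways. The following Python sketch is an added example, not Scaleway code: it rejects Scaleway's ASN, flags reserved and documentation ASNs, and notes ASNs shared between gateways. The gateway names are constructed, and the ranges beyond 64512 to 65534 come from the IANA special-purpose ASN registry rather than from this page; whether the Scaleway API accepts 32-bit ASNs is an assumption.

```python
# Added example: pre-flight check of customer gateway ASNs (not Scaleway code).
SCALEWAY_ASN = 12876  # stated on this page

# Special-purpose ASN ranges, inclusive (not exhaustive).
SPECIAL_RANGES = [
    (0, 0, "reserved (RFC 7607)"),
    (23456, 23456, "reserved AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private"),            # range recommended on this page
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (4200000000, 4294967294, "private"),  # 32-bit private range (RFC 6996)
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]


def classify_asn(asn):
    """Return 'private', 'public', 'invalid', or a reserved/documentation label."""
    if not isinstance(asn, int) or isinstance(asn, bool) or not 0 <= asn <= 0xFFFFFFFF:
        return "invalid"
    for low, high, label in SPECIAL_RANGES:
        if low <= asn <= high:
            return label
    return "public"


def check_gateways(gateways):
    """Map each (hypothetical) gateway name to a list of problems with its ASN."""
    problems = {name: [] for name in gateways}
    seen = {}  # ASN -> first gateway that used it
    for name, asn in gateways.items():
        kind = classify_asn(asn)
        if asn == SCALEWAY_ASN:
            problems[name].append("ASN 12876 belongs to Scaleway")
        elif kind not in ("private", "public"):
            problems[name].append(f"ASN {asn} is {kind}")
        if asn in seen:
            problems[name].append(f"ASN {asn} also used by {seen[asn]}; confirm same routing domain")
        seen.setdefault(asn, name)
    return problems


if __name__ == "__main__":
    # Constructed sample input: gateway names and ASNs are illustrative only.
    sample = {"dc-paris": 65010, "branch": 12876, "lab": 64500, "dr": 65010}
    for name, issues in check_gateways(sample).items():
        print(name, "OK" if not issues else issues)
```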
If I create a connection using gateways' public IPv4 addresses, does this mean the tunnel won't support IPv6 traffic?
No. Be assured that IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. The public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a routing policy for that traffic type.
The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic:

The following diagram shows a connection with an IPv6 tunnel (i.e., established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic:

Can I define static routes in my Site-to-Site VPN Gateway?
No, Scaleway Site-to-Site VPN only supports dynamic routing through BGP and routing policies. You cannot set static routes.
Pricing and billing
How much does Site-to-Site VPN cost?
Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated pricing page for full details.