diff --git a/pages/public-gateways/concepts.mdx b/pages/public-gateways/concepts.mdx
index cb7b669802..0d1d3d9c17 100644
--- a/pages/public-gateways/concepts.mdx
+++ b/pages/public-gateways/concepts.mdx
@@ -7,7 +7,7 @@ content:
paragraph: This page explains all the concepts related to Public Gateways
tags: network availability-zone dns flexible-ip nat private-ip ssh-bastion egress ipam legacy ipam_config
dates:
- validation: 2024-11-05
+ validation: 2025-05-05
categories:
- network
---
@@ -22,12 +22,14 @@ Allowed IPs is a feature of [SSH bastion](#ssh-bastion). It allows you to specif
## Default route
-The Public Gateway can advertise a default route to resources on an attached Private Network, which takes effect when the IP destination address for a packet is not known on the network itself. In effect, resources in a Private Network will know to route packets through the Public Gateway if the destination IP address is not a host on the Private Network itself.
+When you attach a Public Gateway to a Private Network, you can choose to have it advertise a default route to other attached resources. This means that when the IP destination address for a packet is not known on the Private Network or elsewhere within the VPC, the packet is routed through the Public Gateway, enabling it to find the public internet. The default route is propagated through DHCP.
-You can choose to activate the advertisement of the default route when attaching a Private Network to a Public Gateway. The default route is propagated through DHCP.
+By default, the scope of a default route is limited to the Private Network the Public Gateway is directly attached to. However, you also have the option to enable each of your Private Networks to receive advertisements of **all** default routes throughout the entire VPC. This includes routes towards all Public Gateways advertising a default route, as well as any custom-created default routes.
+
+If you opt to enable the reception of all default routes for a Private Network, resources on that network will be able to access the public internet via any Public Gateway in the VPC advertising a default route, even if it's not directly attached to their Private Network.
-After activating the default route, all outbound and inbound traffic for resources attached to the Private Network is directed through the Public Gateway. This includes SSH traffic destined for Instances, which means you will need to [manage SSH connections differently](/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway/).
+The Public Gateway's default route advertisement takes priority over the default route through a resource's public interface. Outbound and inbound public traffic for resources receiving the route advertisement is therefore directed through the Public Gateway. This includes SSH traffic destined for Instances, which means you will need to [manage SSH connections differently](/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway/).
## DHCP
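Review bot: the new paragraph on receiving all default routes says resources "will be able to access the public internet via any Public Gateway in the VPC advertising a default route", but does not say how a resource chooses between several gateways (or custom 0.0.0.0/0 routes) when more than one is advertised; since the last paragraph already states that the gateway's advertisement takes priority over the public interface's default route, add one sentence on how competing default routes are ordered, or link to the routing reference. Minor wording: "the packet is routed through the Public Gateway, enabling it to find the public internet" reads better as "the packet is routed through the Public Gateway, which forwards it to the public internet".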
diff --git a/pages/public-gateways/faq.mdx b/pages/public-gateways/faq.mdx
index 2842190fce..2b2040a606 100644
--- a/pages/public-gateways/faq.mdx
+++ b/pages/public-gateways/faq.mdx
@@ -5,7 +5,7 @@ meta:
content:
h1: Public Gateways FAQ
dates:
- validation: 2025-04-07
+ validation: 2025-05-05
category: network
productIcon: PublicGatewayProductIcon
---
@@ -22,8 +22,8 @@ No. A public IPv4 address (aka. flexible IP) must be assigned to the Public Gate
## Can my Instances and other resources access the internet via a Public Gateway without a public IP address?
-Yes. The Public Gateway can advertize itself as the [default route to the internet](/public-gateways/concepts/#default-route) over the Private Network it is attached to, so that Instances and other resources on the same Private Network, can access the internet via the gateway.
-Moreover, the Public Gateway supports [static NAT](/public-gateways/how-to/configure-a-public-gateway/#how-to-review-and-configure-nat) (aka. port forwarding), so that ingress traffic from the public internet can reach Instances on the Private Network. This works by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the Private Network.
+Yes. The Public Gateway can advertise itself as the [default route to the internet](/public-gateways/concepts/#default-route) over the Private Network it is attached to, so that Instances and other resources can access the internet via the gateway. Resources attached to other Private Networks than the gateway's network in the VPC can [opt in](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) to receive its default route advertisement.
+Moreover, the Public Gateway supports [static NAT](/public-gateways/how-to/configure-a-public-gateway/#how-to-review-and-configure-nat) (aka. port forwarding), so that ingress traffic from the public internet can reach Instances on the Private Network. This works by mapping pre-defined ports of the public IP address of the gateway to specific ports and IP addresses on the VPC.
## What happened to static leases (DHCP reservations) when DHCP moved from the Public Gateway to Private Networks?
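Review bot: the static NAT paragraph now ends with "specific ports and IP addresses on the VPC", but the sentence before it still says ingress traffic "can reach Instances on the Private Network"; if static NAT targets can now be on other Private Networks of the VPC, say so in both sentences, otherwise keep "on the Private Network" so the two do not contradict each other.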
diff --git a/pages/public-gateways/how-to/configure-a-public-gateway.mdx b/pages/public-gateways/how-to/configure-a-public-gateway.mdx
index 9d4e67e2d6..dc49465161 100644
--- a/pages/public-gateways/how-to/configure-a-public-gateway.mdx
+++ b/pages/public-gateways/how-to/configure-a-public-gateway.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Learn how to configure a Public Gateway with the Scaleway console. Follow our step-by-step guide to set up routing, internet access, and SSH bastion for secure, scalable network connectivity.
tags: public-gateway public gateway dhcp nat smtp
dates:
- validation: 2025-01-03
+ validation: 2025-05-05
posted: 2021-05-26
categories:
- network
@@ -38,7 +38,7 @@ This page shows you how to attach a [Public Gateway](/public-gateways/concepts/#
- If you want to create and attach a new Private Network, select **Attach to a new Private Network**. The Private Network will be created with default configuration (a [CIDR block](/vpc/concepts#cidr-block) will be automatically defined), in your default VPC for the region. A name for the Private Network will be suggested for you, but feel free to overwrite this with a new name of your choice. Dynamic NAT will be automatically activated on the Public Gateway for the Private Network.
6. Choose whether to **auto-allocate an available IP from the pool** (the [CIDR block](/vpc/concepts/#cidr-block) defined at the time of creating the Private Network), or use a **[reserved IP address](/ipam/concepts/#reserved-ip-address)** for the attachment.
-7. Use the toggle to select whether to **Advertise the default route**. Find out more about this setting in our [concepts documentation](/public-gateways/concepts/#default-route).
+7. Use the toggle to select whether to tell the gateway whether or not it should [advertise the default route](/public-gateways/concepts/#default-route) to the internet for attached resources. When activated, other resources on this Private Network will learn the default route through the Public Gateway via DHCP. The route will also be installed in the VPC’s route table, and other Private Networks can [opt in](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) to receive it.
8. Click **Attach to Private Network** to finish. You are taken back to the Private Networks tab, where the network you attached now appears, along with the services configured and the IP address of the Public Gateway.
Your Private Network is now attached to your Public Gateway. You can repeat the steps above to attach more Private Networks to the same Public Gateway if you wish.
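Review bot: step 7 now reads "Use the toggle to select whether to tell the gateway whether or not it should ...", which doubles "whether"; use the quickstart wording from the same PR, "Use the toggle to tell the gateway whether or not it should [advertise the default route] ...".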
@@ -71,4 +71,16 @@ By default, the SMTP ports (25, 465, 587 and 2525) on your Public Gateway are bl
See our [troubleshooting](/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway/) documentation if you have any problems configuring your Public Gateway.
+
+
+## How to enable or disable default route advertisement
+
+You can enable or disable [default route advertisement](/public-gateways/concepts/#default-route) at any time.
+
+1. Click **Public Gateways** in the **Network** section of the side menu.
+2. Click the Public Gateway whose default route advertisement you wish to modify, then click the **Network** tab.
+3. Use the toggle to enable or disable default route advertisement on this network.
+
+
+If you disable advertisement of a default route, any other Private Networks that were [receiving this default route](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) will no longer be able to route traffic to this Public Gateway.
\ No newline at end of file
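Review bot: step 3 says "on this network", but the page also says several Private Networks can be attached to one gateway, so the Network tab can list more than one; state that the toggle is per attached Private Network and which row to use. The closing sentence covers other Private Networks that opted in, but not that resources on the directly attached network also lose their internet route through this gateway when advertisement is disabled; one sentence would help. Formatting: doubled blank lines before the heading and before the final paragraph, and the file now ends without a trailing newline.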
diff --git a/pages/public-gateways/how-to/use-ssh-bastion.mdx b/pages/public-gateways/how-to/use-ssh-bastion.mdx
index 3ddb1ba013..fe491b75a6 100644
--- a/pages/public-gateways/how-to/use-ssh-bastion.mdx
+++ b/pages/public-gateways/how-to/use-ssh-bastion.mdx
@@ -7,7 +7,7 @@ content:
paragraph: This page explains how to use SSH bastion
tags: ssh-bastion ssh bastion activation reimport public-gateway
dates:
- validation: 2024-12-10
+ validation: 2025-05-05
posted: 2022-03-31
categories:
- network
@@ -17,6 +17,10 @@ SSH bastion is a server dedicated to managing connections to the infrastructure
The [Allowed IPs](#how-to-configure-allowed-ips) feature lets you control which public IPs can access resources behind the bastion.
+
+You can also use SSH bastion to connect to resources [receiving the Public Gateway's default route advertisement](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope), even if they are not attached to the same Private Network as the gateway.
+
+
- A Scaleway account logged into the [console](https://console.scaleway.com)
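Review bot: the added sentence is followed by two blank lines before the requirements list; drop one. It would also help to state whether the Allowed IPs restriction mentioned in the line above applies to connections to these remote resources in the same way as to resources on the gateway's own Private Network.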
diff --git a/pages/public-gateways/quickstart.mdx b/pages/public-gateways/quickstart.mdx
index 9a1fa6ed34..6283da19da 100644
--- a/pages/public-gateways/quickstart.mdx
+++ b/pages/public-gateways/quickstart.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Learn how to quickly set up and configure a Public Gateway on Scaleway. Follow this step-by-step guide to manage internet access and secure your network with ease.
tags: private-network private network public-gateway public-gateway egress
dates:
- validation: 2024-12-10
+ validation: 2025-05-05
posted: 2021-05-26
categories:
- network
@@ -46,7 +46,7 @@ categories:
Only Private Networks which are in the same region as the Public Gateway are displayed in this list.
6. Choose whether to **auto-allocate an available IP from the pool** (the [CIDR block](/vpc/concepts/#cidr-block) defined at the time of creating the Private Network), or use a **[reserved IP address](/ipam/concepts/#reserved-ip-address)** for the attachment.
-7. Use the toggle to tell the gateway whether or not it should [advertise the default route](/public-gateways/concepts/#default-route) to the internet for attached resources.
+7. Use the toggle to tell the gateway whether or not it should [advertise the default route](/public-gateways/concepts/#default-route) to the internet for attached resources. When activated, other resources on this Private Network will learn the default route through the Public Gateway via DHCP. The route will also be installed in the VPC’s route table, and other Private Networks can [opt in](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) to receive it.
8. Click **Attach to Private Network** to finish. You are taken back to the Private Networks tab, where the network you attached now appears, along with the services configured and the IP address of the Public Gateway.
Your Private Network is now attached to your Public Gateway. You can repeat the steps above to attach more Private Networks to the same Public Gateway if you wish.
diff --git a/pages/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway.mdx b/pages/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway.mdx
index c145efed2f..ae370bdbf2 100644
--- a/pages/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway.mdx
+++ b/pages/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway.mdx
@@ -7,22 +7,33 @@ content:
paragraph: This page explains how troubleshoot connection problems after attaching an Instance to a Private Network which has a Public Gateway
tags: troubleshoot error private-network private network vpc public-gateway
dates:
- validation: 2024-10-21
+ validation: 2025-05-05
posted: 2021-05-26
categories:
- network
---
-If you are having trouble [connecting to your Instance via SSH](/instances/how-to/connect-to-instance/), when the Instance is attached to a Private Network which also has an attached Public Gateway, read on for help and solutions.
+## Problem
-The action to take depends on whether:
+You are unable to successfully [connect to your Instance via SSH](/instances/how-to/connect-to-instance/), when the Instance is attached to a Private Network which is receiving a default route advertisement from a Public Gateway. You may be experiencing connection timeouts or other error messages.
-- The Private Network(s) attached to your Instance have [DHCP enabled](/vpc/how-to/activate-dhcp/), and
-- Your Public Gateway is set to [advertise a default route](/public-gateways/concepts/#default-route) (true by default).
+This troubleshooting guide applies to you if:
-If the above two conditions are not true, there may be other factors impacting your Instance, like one of your Instances running a DHCP server. Try disconnecting and reconnecting the Instance from the Private Network.
+- Your Instance is attached to a Private Network which has an attached Public Gateway, AND
+- The gateway is set to [advertise a default route](/public-gateways/concepts/#default-route) (true by default), AND
+- The Private Network(s) attached to your Instance have [DHCP enabled](/vpc/how-to/activate-dhcp/)
-If DHCP **is** activated and your Public Gateway **is** set to advertise a default route, not being able to connect to your Instance via SSH is **expected behavior**. All the traffic towards your Instance now goes through the Public Gateway.
+It may also apply if:
+
+- Your Instance is attached to a Private Network which is set to [receive all default route advertisements](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) from the VPC, AND
+- There is a Public Gateway in the VPC which is advertising a default route, AND
+- The Private Network(s) attached to your Instance have DHCP enabled
+
+If neither of the above scenarios applies, there may be other factors impacting SSH connection to your Instance, like one of your Instances running a DHCP server. Try disconnecting and reconnecting the Instance from the Private Network.
+
+## Solution
+
+If one of the above scenario applies, not being able to connect to your Instance via SSH is **expected behavior**. The Public Gateway's default route advertisement takes priority over the default route through a resource's public interface. All the traffic towards your Instance now goes through the Public Gateway.
To access your Instance using SSH in this scenario, the recommended solution is to use [SSH bastion](/public-gateways/how-to/use-ssh-bastion/).
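Review bot: "If one of the above scenario applies" should read "scenarios"; the comma in "connect to your Instance via SSH, when the Instance is attached" is unnecessary. In the second scenario, "DHCP enabled" lacks the link used in the first scenario; link it for consistency.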
diff --git a/pages/vpc/concepts.mdx b/pages/vpc/concepts.mdx
index b0a593bf3f..80a5210ca2 100644
--- a/pages/vpc/concepts.mdx
+++ b/pages/vpc/concepts.mdx
@@ -9,7 +9,7 @@ tags: network vpc virtual-private-cloud regional private network routing
categories:
- network
dates:
- validation: 2024-12-03
+ validation: 2025-05-02
posted: 2023-02-06
---
@@ -105,11 +105,19 @@ Routes can be of the following types:
When deciding which route to apply, the route table reads the routes from most specific to least specific, in terms of destination IP range. The first matching route encountered is the one that determines the path for the traffic. Therefore, a route to destination `172.16.8.0/22` is applied before a default route to `0.0.0.0/0`.
+Each route in a route table has a **scope**: it may be advertised across the entire VPC, or on certain Private Networks only.
+
## Routing
-Routing allows Private Networks in the same VPC to communicate with each other, via managed and custom routes. Routing is activated by default whenever you create a new VPC, and can be activated on pre-existing VPCs by [following these steps](/vpc/how-to/manage-routing/#how-to-activate-routing).
+Routing allows resources on Private Networks witin the same VPC to communicate with each other, via managed and custom routes. Routing is activated by default whenever you create a new VPC, and can be activated on pre-existing VPCs by [following these steps](/vpc/how-to/manage-routing/#how-to-activate-routing).
+
+Each routed VPC has a [route table](#route-table) which is automatically populated with routes to each of its Private Networks. When you attach a Public Gateway to a Private Network, and tell it to advertise a default route to the internet, such routes are also added to the VPC's route table. You can also create your own [custom routes](/vpc/how-to/manage-routing/#how-to-create-a-custom-route), to route traffic towards defined destination IP ranges towards specific "next hop" resources.
-Each routed VPC has a [route table](#route-table) which is automatically populated with routes to each Private Network in the VPC, as well as to any attached Public Gateways. These routes allow the VPC to automatically route packets between its Private Networks, or from a given Private Network to its attached Public Gateway when the destination is outside the VPC. You can also create your own [custom routes](/vpc/how-to/manage-routing/#how-to-create-a-custom-route).
+
+If you have [updated](/vpc/how-to/manage-routing/#how-to-update-routing-behavior) routing behavior on your VPC, or created a VPC since TODODATE, routing takes on the following characteristics:
+- Custom routes are advertised across the entire VPC, instead of only on the Private Network of the resource designated as next hop.
+- You can optionally [enable each Private Network in the VPC to receive default route advertisements](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) not only from their locally attached Public Gateways, but from other Public Gateways (or default custom routes) attached to different Private Networks throughout the whole VPC.
+
Read more about how routing works in [our detailed guide](/vpc/reference-content/understanding-routing/).
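Review bot: "witin" should be "within"; "TODODATE" is a placeholder that must be replaced before merge (it also appears in manage-routing.mdx); and "to route traffic towards defined destination IP ranges towards specific "next hop" resources" repeats "towards", suggest "to route traffic for defined destination IP ranges to specific "next hop" resources". The removed paragraph explained that managed routes let the VPC route packets between its Private Networks and to an attached gateway; the replacement only says the table is populated, so consider keeping that one-line explanation.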
diff --git a/pages/vpc/how-to/manage-routing.mdx b/pages/vpc/how-to/manage-routing.mdx
index aea7157397..0415fbc8f5 100644
--- a/pages/vpc/how-to/manage-routing.mdx
+++ b/pages/vpc/how-to/manage-routing.mdx
@@ -7,13 +7,13 @@ content:
paragraph: Learn how to manage routing in Scaleway Virtual Private Cloud (VPC). Configure custom routes to control traffic flow and optimize network performance.
tags: private-network vpc routing route-table routes default-route local-route subnet
dates:
- validation: 2024-12-03
+ validation: 2025-05-02
posted: 2024-04-09
categories:
- network
---
-Routing is used to manage and control the flow of traffic within a VPC. It tells the VPC where to send traffic trying to get to a specific destination IP address. Notably, it allows traffic to be automatically routed between resources attached to different Private Networks within the VPC, using their [private IP addresses](/vpc/how-to/attach-resources-to-pn/#how-to-view-the-resources-ip-address). You can also create your own custom routes.
+Routing is used to manage and control the flow of traffic within a VPC. It tells the VPC where to send traffic trying to get to a specific destination IP address. Notably, it allows traffic to be automatically routed between resources attached to different Private Networks within the VPC, as well as along user-created custom routes.
Read more about the VPC routing feature, including detailed explanations, usage considerations, limitations and best practices in our [dedicated reference content](/vpc/reference-content/understanding-routing/).
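Review bot: the rewritten introduction drops the link to "how to view the resource's IP address" that told readers where to find the private IP addresses used for routing; keep the link or move it to the route-table section.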
@@ -39,18 +39,32 @@ To activate routing on a pre-existing VPC, follow these steps:
Routing is activated on the VPC.
-## How to generate a managed route
+## How to update routing behavior
-Two types of auto-generated routes exist:
+If you created your VPC before TODODATE, you must manually update its routing behavior in order to get the following capabilities:
-- **Local subnet route**: Generated when you create a Private Network in a VPC. Allows traffic to be routed between different Private Networks in the VPC.
-- **Default route to internet**: Generated when you attach a Public Gateway to a Private Network in the VPC, and set it to advertise a [default route](/public-gateways/concepts/#default-route). Allows traffic to be routed to addresses outside the VPC (i.e. the public internet) via the gateway.
+- Advertisement of custom routes across the entire VPC as standard.
+- Option to enable each Private Network in the VPC to receive default route advertisements not only from their locally attached Public Gateways, but from other Public Gateways (or default custom routes) attached to different Private Networks throughout the whole VPC.
-
-Public Gateways remain scoped to the Private Network(s) to which they are attached. They do not advertise the default route on other Private Networks in the VPC. For example, an Instance attached to Private Network A will not be able to access the internet via a Public Gateway in Private Network B.
-
+For more information on these new routing behaviors, see our [detailed documentation](/vpc/reference-content/understanding-routing/#updating-routing-behavior).
+
+Updating routing behavior is irreversible: once updated, you cannot revert. However, [Network ACLs](/vpc/reference-content/undestanding-nacls) are configurable via the API to let you finely control and restrict routes within your VPC as necessary.
+
+Follow the steps below to update the routing behavior for a given VPC:
+
+1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. The list of your VPCs displays.
+
+2. Click **Update** in the **Routing** column of the VPC you want to update.
+
+ A three-step wizard displays, reiterating and reminding you of the changes to routing behavior.
+
+3. On page 1 of the wizard, read the recap of the changes to routing behavior, and click **Next**.
-You cannot edit or delete managed routes, as their lifecycle is fully managed by Scaleway. The route will be automatically deleted for you when you delete the Private Network or Public Gateway that it concerns.
+4. On page 2 of the wizard, read the reminder of how these changes may impact your existing setup, and click **Next**.
+
+5. On page 3 of the wizard, read the explanation that updating will entail no downtime, though changes to routes may take up to 30 minutes to fully propagate. Then type **UPDATE** in the box and click **Confirm**.
+
+Your VPC's routing behavior is updated, and you are directed to its routing table. Custom routes will now be scoped to the entire VPC, and you can use the **Manage default routes** button if you want to select Private Networks to receive default routes from throughout the VPC.
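Review bot: the link "/vpc/reference-content/undestanding-nacls" is misspelled (the file in this PR is understanding-nacls.mdx) and will not resolve; fix it and add the trailing slash used by the other links on this page. "TODODATE" is a placeholder to replace before merge. Since the update is irreversible and widens the scope of every existing custom route to the whole VPC, the irreversibility paragraph should advise reviewing existing custom routes before confirming, in addition to pointing to Network ACLs.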
## How to access and read the route table
@@ -74,7 +88,68 @@ Your VPC's **route table** can be found in its **Routing** tab. The route table
For help with understanding the route table and how to read it, [refer to our documentation about route tables](/vpc/reference-content/understanding-routing/#route-table).
-### How to view VPC routes in IPV6
+## How to generate a managed route
+
+Two types of auto-generated routes exist for VPCs:
+
+- **Local subnet route**: Generated when you create a Private Network in a VPC. Allows traffic to be routed between different Private Networks in the VPC.
+- **Default route to internet**: Generated when you attach a Public Gateway to a Private Network in the VPC, and set it to advertise a [default route](/public-gateways/concepts/#default-route). Allows traffic to be routed to addresses outside the VPC (i.e. the public internet) via the gateway.
+
+
+By default, Public Gateways remain scoped to the Private Network(s) to which they are attached. They do not, as standard, advertise the default route on other Private Networks in the VPC.
+
+However, each Private Network can opt in to receive default route advertisements from across the entire VPC, rather than only from locally attached gateways. This allows them to find a route to the internet even if there is no Public Gateway or default custom route on their own Private Network. See our [dedicated documentation](/vpc/reference-content/understanding-routing/#default-routes) for full details.
+
+
+You cannot delete managed routes, as their lifecycle is fully managed by Scaleway. The route will be automatically deleted for you when you delete the Private Network or Public Gateway that it concerns.
+
+## How to manage default route scope
+
+If your VPC is using [up-to-date routing behavior](#how-to-update-routing-behavior), you can enable each Private Network to receive default route advertisements not only from their locally attached Public Gateways, but also from throughout the VPC.
+
+This means that the Private Network will receive route advertisements from:
+- All locally attached Public Gateway advertising a default route
+- All Public Gateways attached to other Private Networks in the VPC advertising default routes
+- All custom routes with a destination of `0.0.0.0/0`.
+
+Each Private Network must individually opt in to receive all these default routes. This can be done when creating a Private Network, or later, from each Private Network's **Settings** tab, or from the VPC's **Routing** tab.
+
+
+
+
+ 1. Click **VPC** in the **Network** section of the Scaleway console side menu. A list of your VPCs displays.
+
+ 2. Click the VPC containing the Private Network whose settings you want to update. A list of Private Networks in this VPC displays.
+
+ 3. Click the Private Network whose settings you want to update, then click the **Settings** tab.
+
+ 4. In the **Receive all default routes** panel, slide the toggle to the **on** position.
+
+ This Private Network will now receive default route advertisements from throughout the VPC. It may take up to 30 minutes for routes to propagate to all resources. You can toggle this behavior off at any time.
+
+
+
+
+ 1. Click **VPC** in the **Network** section of the Scaleway console side menu. A list of your VPCs displays.
+
+ 2. Click the VPC whose default route management you want to update, then click the **Routing** tab.
+
+ 3. Click the **Manage default routes** button.
+
+ A screen displays, showing a list of all the Private Networks in your VPC.
+
+ The **Local default route** column shows whether or not a default route is already advertised locally in the Private Network via an attached Public Gateway or custom route.
+
+ 4. Click the checkbox next to each Private Network that you want to receive all default routes from throughout the VPC.
+
+ 5. Click **Apply scope** when finished.
+
+ The selected Private Networks will now receive default route advertisements from throughout the VPC. It may take up to 30 minutes for routes to propagate to all resources. You can change default route scope settings at any time.
+
+
+
+
+### How to view VPC routes in IPv6
Scaleway VPC routing supports both IPv4 and IPv6 protocols. Managed routes to Private Networks are simultaneously generated for both IPV4 and IPV6, and both are added to the route table. Use the toggle above the route table to switch from the default view of **IPV4** routes to a view of **IPV6** routes.
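Review bot: the "### How to view VPC routes in IPv6" subsection, previously under "## How to access and read the route table", now sits under the new "## How to manage default route scope" heading and is nested under the wrong section; place the two new "##" sections after it. "All locally attached Public Gateway advertising" should be "Public Gateways"; and the two indented numbered procedures (from the Private Network's Settings tab and from the VPC's Routing tab) have no heading or tab label separating them, so a reader cannot tell where the second begins; the runs of empty lines around them suggest wrapper components were intended but are missing. Minor: the paragraph about "Local default route" could say what a reader should do when that column already shows a local route.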
@@ -87,7 +162,9 @@ Each VPC has auto-generated, managed routes to local subnets and Public Gateways
For example, you may wish to route all traffic for a certain private IP range to an Instance hosting a manually configured VPN tunnel, allowing secure connection to a corresponding subnet at the other end of the tunnel.
- Custom routes are scoped to the Private Network(s) of the "next hop" resource. Their routes are not propagated to other Private Networks in the VPC. In the scenario mentioned above of routing traffic towards a VPN tunnel, the origin of the packet must be in the same Private Network as the resource hosting the VPN.
+ The scope of custom routes depends on whether your VPC is using up-to-date routing behavior:
+ - If you created your VPC after TODODATE, or have [manually updated its routing behavior](#how-to-update-routing-behavior), custom routes are advertised across the entire VPC.
+ - Otherwise, custom routes are scoped only to the Private Network(s) of the "next hop" resource and not advertised to other Private Networks in the VPC. In this case, for the scenario mentioned above of routing traffic towards a VPN tunnel, the origin of the packet must be in the same Private Network as the resource hosting the VPN.
Follow the steps below to define a custom route:
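Review bot: "TODODATE" placeholder in the first bullet; the phrasing also varies across the PR ("after TODODATE" here, "since TODODATE" in vpc/concepts.mdx, "before TODODATE" in the update section), so pick one formulation once the date is known.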
@@ -108,6 +185,12 @@ Follow the steps below to define a custom route:
7. Enter a **destination** for the route. The VPC will apply the route to all traffic with a matching destination IP. You must enter an IPv4 or IPv6 CIDR range with a subnet mask, e.g. `192.168.1.0/24`. For a single IP address, use the `/32` mask for IPv4.
+
+ If your VPC has [up-to-date routing behavior](#how-to-update-routing-behavior) and you enter a destination of `0.0.0.0/0`, this custom route is treated in the same way as a **default route** advertised by a Public Gateway.
+ - Its route will be advertised locally on the 'next hop' resource's Private Network.
+ - Other Private Networks who have opted in to receive default routes from throughout the VPC will also receive this route.
+
+
8. Enter a **next hop** for the route. The VPC will route traffic for the destination IP to the resource designated as next hop.
- Select the Private Network which the next hop resource is attached to.
- Select a resource type: **Instance**, **Public Gateway** or **Elastic Metal**. Routing is not yet compatible with Managed Databases, nor with other types of Scaleway resources which are not integrated with VPC.
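Review bot: the added note means that any custom route with destination 0.0.0.0/0 is pushed to every Private Network that opted in to receive all default routes, so a single misconfigured custom route with an Instance as next hop can redirect the internet-bound traffic of all those networks; add a sentence warning readers who opt networks in, and point to Network ACLs as the control. Grammar: "Its route will be advertised" should be "The route is advertised", "Private Networks who have opted in" should be "that have opted in", and there is an extra blank line before step 8.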
diff --git a/pages/vpc/reference-content/assets/scaleway-vpc-new-routing-ex.webp b/pages/vpc/reference-content/assets/scaleway-vpc-new-routing-ex.webp
new file mode 100644
index 0000000000..fded22a2e8
Binary files /dev/null and b/pages/vpc/reference-content/assets/scaleway-vpc-new-routing-ex.webp differ
diff --git a/pages/vpc/reference-content/understanding-nacls.mdx b/pages/vpc/reference-content/understanding-nacls.mdx
index 443d666fd9..89eff2a178 100644
--- a/pages/vpc/reference-content/understanding-nacls.mdx
+++ b/pages/vpc/reference-content/understanding-nacls.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Learn how to Network Access Control Lists (NACL) to filter inbound and outbound traffic between the different Private Networks of your VPC. Understand concepts, best practices, and key use cases.
tags: vpc nacl network-access-control-list default-rule stateless inbound outbound port
dates:
- validation: 2025-03-26
+ validation: 2025-05-05
posted: 2025-03-26
categories:
- network
diff --git a/pages/vpc/reference-content/understanding-routing.mdx b/pages/vpc/reference-content/understanding-routing.mdx
index 2f7a4bd8b1..9e33eb7293 100644
--- a/pages/vpc/reference-content/understanding-routing.mdx
+++ b/pages/vpc/reference-content/understanding-routing.mdx
@@ -7,7 +7,7 @@ content:
paragraph: Explore the fundamentals of VPC routing with Scaleway. Understand how to manage traffic flow and optimize network routes within your Virtual Private Cloud
tags: vpc routing route-table private-network managed-route automatic-route local-subnet-route default-route
dates:
- validation: 2024-12-03
+ validation: 2025-05-02
posted: 2024-05-28
categories:
- network
@@ -19,11 +19,11 @@ VPC routing allows resources and Private Networks in the same VPC to communicate
When you create a Private Network, a managed route is automatically created and added to the VPC’s route table. This route allows the VPC to automatically route packets to resources attached to that Private Network, even if they originate from a resource attached to a different Private Network on the VPC.
-Managed routes are also automatically added to the VPC’s routing table when you attach a Public Gateway to a Private Network, and tell it to advertise the default route. This type of managed route allows traffic on the given Private Network to be forwarded to addresses outside the VPC (i.e. the public internet) via the Public Gateway.
+Managed routes are also automatically added to the VPC’s routing table when you attach a Public Gateway to a Private Network, and tell it to advertise the default route. This type of managed route allows traffic to be forwarded to addresses outside the VPC (i.e. the public internet) via the Public Gateway.
You can create your own custom routes to send traffic for defined IP ranges towards a specified resource in the VPC, for example if you want to route to a VPN installed on an Instance.
-Routing is activated by default whenever you create a new VPC, and can be activated on pre-existing VPCs by [following these steps](/vpc/how-to/manage-routing/#how-to-activate-routing). More routing features are planned for the future, such as ACLs and firewalling.
+Routing is activated by default whenever you create a new VPC, and can be activated on pre-existing VPCs by [following these steps](/vpc/how-to/manage-routing/#how-to-activate-routing). Network ACLs, to finely control and filter VPC traffic, are available [via the API](/vpc/reference-content/understanding-nacls) (currently in Public Beta).
The diagram below shows an example of how routing works across two Private Networks on a VPC. The route table is held on the VPC's virtual router ([VRouter](/vpc/concepts/#vrouter)), and synched to each resource as it joins a Private Network.
- An Elastic Metal server on Private Network A can send a packet to the public internet via a Public Gateway also attached to Private Network A.
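Review bot: Dropping "on the given Private Network" from the managed-route sentence leaves the scope of that route unstated, but the new "Updating routing behavior" section makes clear that scope depends on the VPC's routing behavior version and on whether each Private Network opts in to receive all default routes. A short qualifier here, for example "allows traffic to be forwarded to addresses outside the VPC ... via the Public Gateway (see [route scope](#updating-routing-behavior))", would keep the overview consistent with the detail further down. Also, the NACL link in the last added line is written as `/vpc/reference-content/understanding-nacls` without a trailing slash, whereas the same link later in this file uses `/vpc/reference-content/understanding-nacls/`; pick one form for the whole page.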
@@ -44,10 +44,7 @@ Every VPC has an associated **route table**, used to manage and control the rout
- For custom routes, the next hop is a defined resource on a defined Private Network.
- If the destination IP is not known on the VPC (represented by the `0.0.0.0/0` address), its next hop will be a Public Gateway so that it can reach the public internet (as long as a Public Gateway set to advertise the default route has been attached to the Private Network).
- A **description**. This helps to describe the type of route, e.g. `Local subnet route` for routes to Private Networks, or `Default route to internet` for routes to Public Gateways, or a user-defined description for custom routes.
-
-
-Public Gateways remain scoped to the Private Network(s) to which they are attached. They do not advertise the default route on other Private Networks in the VPC. For example, an Instance attached to Private Network A will not be able to access the internet via a Public Gateway in Private Network B.
-
+- A **scope**. This shows whether teh route is advertised across the entire VPC, or (in the case of default routes), only certain Private Networks.
When deciding which route to apply, the route table reads the routes from most specific to least specific, in terms of destination IP range. The first matching route encountered is the one that determines the path for the traffic. Therefore, a route to destination `172.16.8.0/22` is applied before a default route to `0.0.0.0/0`.
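Review bot: Typo in the added bullet: "whether teh route is advertised" should read "whether the route is advertised", and the parenthetical would read more naturally as "or (in the case of default routes) only certain Private Networks" without the comma after the closing parenthesis. Separately, the unchanged context bullet above it still says the `0.0.0.0/0` next hop requires that a Public Gateway "has been attached to the Private Network"; now that the paragraph stating gateways are scoped only to their attached Private Network has been removed and an opt-in for VPC-wide default routes exists, that bullet should say something like "attached to the Private Network, or, if the Private Network receives all default routes, anywhere in the VPC".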
@@ -61,9 +58,8 @@ Bear in mind the following when activating VPC routing:
- Once activated on a given VPC, routing cannot be deactivated on that VPC.
- When routing is activated, all Private Networks on the VPC can communicate.
-- We do not currently offer an ACL/firewall feature to prevent communication between certain Private Networks/resources once routing is activated. However, users may choose to configure ACLs directly on certain resources (e.g. Instances, Elastic Metal servers) using tools such as `iptables` or `nftables`.
-- Public Gateways remain scoped to the Private Network to which they are attached. They do not advertise the default route on other Private Networks in the VPC. For example, an Instance attached to Private Network A will not be able to access the internet via a Public Gateway in Private Network B.
-- Custom routes are scoped to the Private Network(s) of the "next hop" resource. Their routes are not propagated to other Private Networks in the VPC. For example, in the scenario of using a custom route to route traffic towards a VPN tunnel, the origin of the packet must be in the same Private Network as the resource hosting the VPN.
+- Network ACLs, to finely control and filter traffic within a VPC, are in Public Beta and currently available via the [VPC API](/vpc/reference-content/understanding-nacls/) only. Alternatively, users may choose to configure NACLs directly on certain resources (e.g. Instances, Elastic Metal servers) using tools such as `iptables` or `nftables`.
+- The scope of route advertisements for custom routes and default routes to Public Gateways depends on when you created your VPC, and/or whether you have updated its routing behavior to the most recent version. [Read the full documentation below](#updating-routing-behavior) for details.
## Best practices
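Review bot: The added NACL bullet says users may "configure NACLs directly on certain resources (e.g. Instances, Elastic Metal servers) using tools such as `iptables` or `nftables`". Host-level `iptables`/`nftables` rules are firewall rules on the resource, not Network ACLs in the VPC sense this page defines, so the removed wording ("configure ACLs directly on certain resources") or "configure firewall rules directly on certain resources" would avoid conflating the two mechanisms. The same bullet links to `/vpc/reference-content/understanding-nacls/` with a trailing slash while the link earlier in this file omits it; keep them consistent.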
@@ -77,6 +73,89 @@ We recommend that you build your VPC infrastructure with **separation of concern
For example, you may use one Private Network for frontend resources and another for backend resources, limiting public access only via Load Balancers and/or Public Gateways.
+## Updating routing behavior
+
+From TODO DATE, new routing behavior is available for VPCs.
+
+- This routing behavior will be applied automatically to VPCs created after TODO DATE, or to pre-existing VPCs that only activate routing after this date.
+- Pre-existing VPCs already using routing must be [updated](/vpc/how-to/manage-routing/#how-to-update-routing-behavior) to accept this new behavior
+
+| | Old behavior | New behavior |
+|---|---|---|
+| Custom routes | Custom route advertisements are scoped only to the Private Network(s) to which the “next hop” resource is directly attached. | Custom route advertisements are scoped to the entire VPC as standard. |
+| Default routes | Public Gateways' default route advertisements are scoped only to the Private Network(s) to which the gateway is attached.
Private Networks cannot receive default route advertisements from Public Gateways they are not directly attached to. | Standard behavior remains unchanged, but now each Private Network can opt in to receive default route advertisements from across the entire VPC. |
+
+### Custom routes
+
+Previously, custom routes were scoped only to the Private Network(s) of the “next hop” resource. Their routes were not propagated to other Private Networks in the VPC. For example, in the scenario of using a custom route to route traffic towards a VPN tunnel, the origin of the packet had to be in the same Private Network as the resource hosting the VPN.
+
+With new routing behavior, custom routes are scoped to the entire VPC as standard. All Private Networks in the VPC receive route advertisements for all custom routes. This gives enhanced flexibility when using custom routes to route traffic towards VPN tunnels.
+
+You can configure [Network ACLs](/vpc/reference-content/understanding-acls) via the VPC API if you want to restrict traffic flow along custom routes.
+
+
+If you create a custom route with a destination of `0.0.0.0/0`, this custom route is treated in the same way as a **default route** advertised by a Public Gateway:
+- Its route will be advertised locally on the 'next hop' resource's Private Network.
+- Other Private Networks who have opted in to receive default routes from throughout the VPC will also receive this route.
+
+
+### Default routes
+
+Previously, Public Gateways could only advertise their default routes to the Private Networks to which they were directly attached. Resources on other Private Networks within the VPC could not access the public internet via these remote Public Gateways.
+
+With new routing behavior, this standard behavior remains unchanged. Default routes' scope is still, as standard, limited to their directly attached Private Networks.
+
+However, you now have an additional option to enable each Private Network to receive advertisements of **all** default routes throughout the entire VPC. This includes routes towards all Public Gateways advertising a default route, as well as any custom-created default routes. This allows resources on other Private Networks to find access to the public internet, even if they do not have their own attached gateway.
+
+See the [documentation](/vpc/how-to/manage-routing/#how-to-manage-default-route-scope) on how to manage default route scope for a given Private Network, once you have [updated](/vpc/how-to/manage-routing/#how-to-update-routing-behavior) to new routing behavior.
+
+#### Granularity
+
+The option to receive all default route advertisements must be enabled on a per-Private-Network basis.
+
+This means that each Private Network in a VPC can opt to either receive **only** default routes from directly attached Public Gateways (and local custom default routes, if they exist), or **all** default routes being advertised throughout the whole VPC.
+
+If you wish to exercise more granular control over default route advertisements, we recommend that you configure [Network ACLs](/vpc/reference-content/understanding-acls) via the VPC API.
+
+#### Multiple default routes
+
+When a resource on a Private Network receives multiple default route advertisements, the default route that is ultimately used will depend on the resource's OS and configuration. For a resource running Ubuntu, it is likely that the first default route advertisement received will be prioritized.
+
+### Impact on existing setup
+
+When you update to new routing behavior, the only automatic change is that your custom routes (if any) will now be advertised across the whole VPC.
+
+Your Private Networks will continue to receive only their local default route announcements, **unless** you enable `Receive all default route announcements` in each Private Network's settings. Therefore, there is no risk of the scope of default route announcements automatically changing without your specific intervention, even after updating to new routing behavior.
+
+Your existing setup may be impacted by the new behavior if you want your custom routes to be scoped only to the next-hop resource's Private Network. In this case we recommend that you use [Network ACL rules](/vpc/reference-content/understanding-acls) via the VPC API to limit access to the custom route.
+
+### Example use of NACLs to mitigate impact
+
+The example below shows how to achieve desired routing behavior for a custom route which is now advertised across the whole VPC.
+
+#### Scenario
+
+
+
+Your VPC has three Private Networks using the following CIDR blocks:
+ - `backend-net`: `10.0.0.0/24`
+ - `frontend-net` `10.0.1.0/24`
+ - `monitoring-net`: `10.0.2.0/24`
+
+There is a custom route configured in your VPC, that routes all source traffic destined for `192.168.100.0/24` to the Instance `vpn-gateway-host` as next hop. This Instance hosts a VPN gateway, and is attached only to Private Network `monitoring-net`, with the private IP address `10.0.2.42/32`.
+
+#### Problem
+
+You want to prevent resources attached to `backend-net` and `frontend-net` from sending traffic to this VPN gateway, under new routing behavior where custom routes are advertised throughout the VPC. You want only resources attached to `monitoring-net` to be able to send traffic to the VPN gateway.
+
+#### Solution 1: NACL allow
+
+You could create two NACL rules to **Deny** traffic first from `10.0.0.0/24` (`backend-net`) and then from `10.0.0.1/24` (`frontend-net`) towards destination `10.0.2.42/32` (`vpn-gateway-host`). When combined with a default NACL rule to **Allow** all other traffic, this would effectively block resources on `backend-net` and `frontend-net` from accessing `vpn-gateway-host`.
+
+#### Solution 2: NACL deny
+
+Alternatively, and aligned with best practice, when the default NACL rule **Denies** all traffic not matched to a specific rule, `backend-net` and `frontend-net` will already be blocked from sending traffic to `vpn-gateway-host` on `monitoring-net`. Since NACLs do not filter traffic between resources attached to the same Private Network, other resources on `monitoring-net` would still be able to successfully route traffic to `vpn-gateway-host`.
+
## Limitations
- Managed Databases are not currently compatible with routing. The VPC cannot automatically route between Managed Databases on different Private Networks, or (for example) between a Managed Database on one Private Network and an Instance on a different Private Network.
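Review bot: `TODO DATE` still appears twice in the opening lines of "Updating routing behavior" ("From TODO DATE, new routing behavior..." and "VPCs created after TODO DATE"); this must be filled in before merge, or the section should be held back until the date is known. Several further problems in this hunk: (1) the three links to `/vpc/reference-content/understanding-acls` (in "Custom routes", "Granularity" and "Impact on existing setup") point at a page that does not exist in this change, the file being added is `understanding-nacls.mdx`, so they should be `/vpc/reference-content/understanding-nacls/`; (2) the "Default routes" row of the behavior table is split across two lines ("...to which the gateway is attached." / "Private Networks cannot receive..."), which breaks the Markdown table, so join the two sentences on one line or separate them with `<br/>`; (3) in "Solution 1: NACL allow" the second Deny rule is written as `10.0.0.1/24` (`frontend-net`), but the scenario defines `frontend-net` as `10.0.1.0/24`, and `10.0.0.1/24` would in fact overlap `backend-net`; (4) the scenario list is missing a colon after `frontend-net` (compare the `backend-net:` and `monitoring-net:` entries); (5) the solution headings are easy to misread, since "Solution 1: NACL allow" describes explicit Deny rules under a default Allow and "Solution 2: NACL deny" describes a default Deny, so "Solution 1: default rule Allow" and "Solution 2: default rule Deny" would state what actually differs. Smaller points: the bullet "Pre-existing VPCs already using routing must be updated ... to accept this new behavior" lacks a terminating period; "Receive all default route announcements" in "Impact on existing setup" uses "announcements" where the rest of the section says "advertisements", so check it matches the actual setting name; "routes all source traffic destined for" in the scenario reads oddly and could simply be "routes all traffic destined for"; and there are stray double blank lines after the "Custom routes" NACL sentence and under the "Scenario" heading.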