fix(rdb): vpc routing #5073

Open · wants to merge 10 commits into base: main
@@ -1,10 +1,6 @@
---
meta:
title: How to connect a PostgreSQL and MySQL Database Instance to a Private Network
description: Instructions for connecting your Database Instance over a Private Network.
content:
h1: How to connect a PostgreSQL and MySQL Database Instance to a Private Network
paragraph: Instructions for connecting your Database Instance over a Private Network.
title: How to connect a PostgreSQL and MySQL Database Instance to a Private Network
description: Instructions for connecting your Database Instance over a Private Network.
tags: managed-database postgresql mysql private-network database-instance
dates:
validation: 2025-01-04
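Review bot: the `dates.validation` value is left at 2025-01-04 although this PR changes the body of the page (the new VPC routing note in the next hunk); if that field records the last content review, bump it in the same change rather than only migrating the frontmatter keys.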
@@ -25,18 +21,21 @@ This improves performance by reducing the latency between your application and y

You can create new Database Instances to attach to your Private Network, or attach existing ones.

<Requirements />
<Message type="note">
Managed Databases for PostgreSQL and MySQL is compatible with the [VPC routing](/vpc/concepts/#routing) feature, which allows you to connect one or more Database Instances in Private Network to resources in other Private Networks of the same VPC. Refer to the [How to manage routing](/vpc/how-to/manage-routing/) documentation page for more information.
</Message>

<Requirements />
- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
- A valid [API key](/iam/how-to/create-api-keys/)
- A [PostgreSQL or MySQL Database Instance](/managed-databases-for-postgresql-and-mysql/quickstart/)

## How to attach a Database Instance to a Private Network

<Message type="note">
You can only attach your Database Instance to one Private Network at a time.
</Message>
<Message type="note">
You can only attach your Database Instance to one Private Network at a time.
</Message>

1. Click **PostgreSQL and MySQL** under **Databases** on the side menu. A list of your Database Instances displays.
2. Select the geographical region of the Instance you want to manage from the drop-down.
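Review bot: the new note says a Database Instance can now be reached from other Private Networks of the same VPC through routing, but it says nothing about what limits that reachability. The NACL reference page touched in this same PR states that all traffic between Private Networks is allowed until rules are added, so once routing is active the Database Instance is reachable from every Private Network in the VPC. Suggest adding one sentence to the note pointing readers to the Network ACL documentation so they know how to scope access, and keeping the "one Private Network at a time" note that follows next to it. Minor: `Database Instances in Private Network` should read `Database Instances in a Private Network`.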
@@ -79,4 +78,4 @@ This action takes a few moments to complete. During this time, your Database Ins
- remains available,
- goes into **Configuring** mode, and
- network configuration actions become unavailable
</Message>
</Message>
11 changes: 2 additions & 9 deletions pages/vpc/faq.mdx
@@ -1,9 +1,6 @@
---
meta:
title: VPC
description: Discover Scaleway VPC and Private Networks.
content:
h1: VPC FAQ
title: VPC
description: Discover Scaleway VPC and Private Networks.
dates:
validation: 2025-05-05
category: network
@@ -38,10 +35,6 @@ Yes, [VPC routing](/vpc/concepts#routing) allows you to automize the routing of

This is not currently possible. You may consider using a VPN tunnel to achieve this, for example [IPsec](https://en.wikipedia.org/wiki/IPsec) or [WireGuard](https://en.wikipedia.org/wiki/WireGuard). Scaleway also offers an [OpenVPN InstantApp](/tutorials/openvpn-instant-app/), making it easy to install a VPN directly on an Instance.

### Why can I not route traffic to my Managed Database on another Private Network?

Managed Databases do not currently support VPC routing - see our [dedicated documentation](/vpc/reference-content/understanding-routing/#limitations)

### Can I control traffic flow between my VPC's Private Networks?

Yes, use the [Network ACL feature](/vpc/reference-content/understanding-nacls/) to filter packets flowing between the different Private Networks of your VPC. By default, all traffic is allowed to pass, until you start to add rules to the VPC's NACL.
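Review bot: deleting the question outright leaves no FAQ entry on Managed Databases and routing, so readers who arrive via search for the old question find nothing. Suggest replacing it with a positive entry ("Can I route traffic to my Managed Database on another Private Network?") that links to the new routing note on the Database Instance page. Also verify the removed link target `/vpc/reference-content/understanding-routing/#limitations`: the NACL page in this PR still links to that section and `understanding-routing.mdx` is not in this diff, so its limitations list must no longer mention Managed Databases or the docs will contradict each other.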
36 changes: 16 additions & 20 deletions pages/vpc/how-to/manage-routing.mdx
@@ -1,10 +1,6 @@
---
meta:
title: How to manage routing
description: Learn how to manage routing in Scaleway Virtual Private Cloud (VPC). Configure custom routes to control traffic flow and optimize network performance.
content:
h1: How to manage routing
paragraph: Learn how to manage routing in Scaleway Virtual Private Cloud (VPC). Configure custom routes to control traffic flow and optimize network performance.
title: How to manage routing
description: Learn how to manage routing in Scaleway Virtual Private Cloud (VPC). Configure custom routes to control traffic flow and optimize network performance.
tags: private-network vpc routing route-table routes default-route local-route subnet
dates:
validation: 2025-06-11
@@ -24,7 +20,7 @@ Routing is used to manage and control the flow of traffic within a VPC. It tells
Read more about the VPC routing feature, including detailed explanations, usage considerations, limitations and best practices in our [dedicated reference content](/vpc/reference-content/understanding-routing/).

<Requirements />

- A Scaleway account logged into the [console](https://console.scaleway.com)

## How to activate routing
@@ -50,7 +46,7 @@ To activate routing on a pre-existing VPC, follow these steps:
If you created your VPC before July 1st 2025, you must manually update its routing behavior in order to get the following capabilities:

- Advertisement of custom routes across the entire VPC as standard.
- Option to enable each Private Network in the VPC to receive default route advertisements not only from their locally attached Public Gateways, but from other Public Gateways (or default custom routes) attached to different Private Networks throughout the whole VPC.
- Option to enable each Private Network in the VPC to receive default route advertisements not only from their locally attached Public Gateways, but from other Public Gateways (or default custom routes) attached to different Private Networks throughout the whole VPC.

For more information on these new routing behaviors, see our [detailed documentation](/vpc/reference-content/understanding-routing/#updating-routing-behavior).

@@ -84,10 +80,10 @@ Your VPC's **route table** can be found in its **Routing** tab. The route table

Routes are automatically generated and added to the route table when you:

- Create a Private Network in the VPC (this generates a **local subnet route**, which allows the VPC to automatically route traffic between Private Networks), or
- Create a Private Network in the VPC (this generates a **local subnet route**, which allows the VPC to automatically route traffic between Private Networks), or
- Attach a Public Gateway to a Private Network and set it to advertise a default route. This generates a **default route to the internet**.
- Create a custom route

When your route table starts to populate, it will look something like this:

<Lightbox image={image} alt="" />
@@ -99,12 +95,12 @@ Your VPC's **route table** can be found in its **Routing** tab. The route table
Two types of auto-generated routes exist for VPCs:

- **Local subnet route**: Generated when you create a Private Network in a VPC. Allows traffic to be routed between different Private Networks in the VPC.
- **Default route to internet**: Generated when you attach a Public Gateway to a Private Network in the VPC, and set it to advertise a [default route](/public-gateways/concepts/#default-route). Allows traffic to be routed to addresses outside the VPC (i.e. the public internet) via the gateway.
- **Default route to internet**: Generated when you attach a Public Gateway to a Private Network in the VPC, and set it to advertise a [default route](/public-gateways/concepts/#default-route). Allows traffic to be routed to addresses outside the VPC (i.e. the public internet) via the gateway.

<Message type="note">
By default, Public Gateways remain scoped to the Private Network(s) to which they are attached. They do not, as standard, advertise the default route on other Private Networks in the VPC.
By default, Public Gateways remain scoped to the Private Network(s) to which they are attached. They do not, as standard, advertise the default route on other Private Networks in the VPC.

However, each Private Network can opt in to receive default route advertisements from across the entire VPC, rather than only from locally attached gateways. This allows them to find a route to the internet even if there is no Public Gateway or default custom route on their own Private Network. See our [dedicated documentation](/vpc/reference-content/understanding-routing/#default-routes) for full details.
However, each Private Network can opt in to receive default route advertisements from across the entire VPC, rather than only from locally attached gateways. This allows them to find a route to the internet even if there is no Public Gateway or default custom route on their own Private Network. See our [dedicated documentation](/vpc/reference-content/understanding-routing/#default-routes) for full details.
</Message>

You cannot delete managed routes, as their lifecycle is fully managed by Scaleway. The route will be automatically deleted for you when you delete the Private Network or Public Gateway that it concerns.
@@ -142,10 +138,10 @@ Each Private Network must individually opt in to receive all these default route

3. Click the **Manage default routes** button.

A screen displays, showing a list of all the Private Networks in your VPC.
A screen displays, showing a list of all the Private Networks in your VPC.

The **Local default route** column shows whether or not a default route is already advertised locally in the Private Network via an attached Public Gateway or custom route.

4. Click the checkbox next to each Private Network that you want to receive all default routes from throughout the VPC.

5. Click **Apply scope** when finished.
@@ -155,7 +151,7 @@ Each Private Network must individually opt in to receive all these default route
</TabsTab>
</Tabs>

### How to view VPC routes in IPv6
### How to view VPC routes in IPv6

Scaleway VPC routing supports both IPv4 and IPv6 protocols. Managed routes to Private Networks are simultaneously generated for both IPV4 and IPV6, and both are added to the route table. Use the toggle above the route table to switch from the default view of **IPV4** routes to a view of **IPV6** routes.

@@ -199,7 +195,7 @@ Follow the steps below to define a custom route:

8. Enter a **next hop** for the route. The VPC will route traffic for the destination IP to the resource designated as next hop.
- Select the Private Network which the next hop resource is attached to.
- Select a resource type: **Instance**, **Public Gateway** or **Elastic Metal**. Routing is not yet compatible with Managed Databases, nor with other types of Scaleway resources which are not integrated with VPC.
- Select a resource type: **Instance**, **Public Gateway** or **Elastic Metal**.
- Select the **name** of the specific resource you want to route traffic to. The resource must be attached to a Private Network in this VPC.

<Message type="note">
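Review bot: the deleted sentence made two statements and only one of them is being retracted. The selectable next hop types on the preceding line are still **Instance**, **Public Gateway** and **Elastic Metal**, so a Database Instance still cannot be a next hop, and neither can resources that are not integrated with VPC. Suggest rewording instead of deleting, e.g. `Managed Databases can be the destination of routed traffic, but cannot be selected as a next hop; the same applies to other resources not integrated with VPC.`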
@@ -212,15 +208,15 @@ Follow the steps below to define a custom route:

### How to fix a broken custom route

If you delete a resource used as a next hop in a custom route, or detach it from the Private Network, the custom route will cease to function. A **Not found!** warning will display in the **Next hop** column for this route in the route table.
If you delete a resource used as a next hop in a custom route, or detach it from the Private Network, the custom route will cease to function. A **Not found!** warning will display in the **Next hop** column for this route in the route table.

<Lightbox image={image3} alt="A VPC route table displays in the Scaleway console, with a red 'Not found!' text in the next hop column of a custom route" />

To resolve this, you must either:

- [Reattach the next hop resource to the Private Network](/vpc/how-to/attach-resources-to-pn/#how-to-attach-a-resource-to-a-private-network) **and** then [edit the route](#how-to-edit-a-custom-route) to reselect the next hop resource, or
- [Edit the route](#how-to-edit-a-custom-route) to select a new next hop, or
- [Delete the route](#how-to-delete-a-custom-route)
- [Delete the route](#how-to-delete-a-custom-route)

## How to edit a custom route

22 changes: 9 additions & 13 deletions pages/vpc/reference-content/understanding-nacls.mdx
@@ -1,10 +1,6 @@
---
meta:
title: Understanding Network ACLs
description: Learn how to Network Access Control Lists (NACL) to filter inbound and outbound traffic between the different Private Networks of your VPC. Understand concepts, best practices, and key use cases.
content:
h1: Understanding Network ACLs
paragraph: Learn how to Network Access Control Lists (NACL) to filter inbound and outbound traffic between the different Private Networks of your VPC. Understand concepts, best practices, and key use cases.
title: Understanding Network ACLs
description: Learn how to Network Access Control Lists (NACL) to filter inbound and outbound traffic between the different Private Networks of your VPC. Understand concepts, best practices, and key use cases.
tags: vpc nacl network-access-control-list default-rule stateless inbound outbound port
dates:
validation: 2025-06-09
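Review bot: the description, before and after the change, reads `Learn how to Network Access Control Lists (NACL) to filter inbound and outbound traffic`, which is missing a verb (`Learn how to use Network Access Control Lists`). Since the line is being rewritten anyway, fix it here.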
@@ -54,18 +50,18 @@ When defining a NACL rule, you must enter the following settings:
- **Protocol**: Either `TCP`, `UDP`, or `ICMP`. The rule will apply only to traffic matching this protocol. Alternatively, you can choose to apply it to traffic matching any protocol.

- **Source** and **destination**: The rule will apply to traffic originating from this source and being sent to this destination. For both, enter an IP range in [CIDR format](/vpc/concepts/#cidr-block), and a port or port range. Alternatively, you can opt for the rule to apply to all IPs and/or all ports.

- **Action**: The NACL will either **Allow** (accept) or **Deny** (drop) traffic that matches the rule.

## Rule priority and application

The Network Access Control List should be read from top to bottom. Rules closer to the top of the list are applied first. If traffic matches a rule for an **Allow** or **Deny** action, the action is applied immediately. That traffic is not then subject to any further filtering or any further actions by any rules that follow.
The Network Access Control List should be read from top to bottom. Rules closer to the top of the list are applied first. If traffic matches a rule for an **Allow** or **Deny** action, the action is applied immediately. That traffic is not then subject to any further filtering or any further actions by any rules that follow.

## Statelessness

**NACL rules are stateless**. This means the state of connections is not tracked, and inbound and outbound traffic is filtered separately. Return traffic is not automatically allowed just because the outbound request was allowed. Explicit rules are required for each direction of traffic.

Therefore, if you create a rule to allow traffic in one direction, you may also need a separate rule to allow the response in the opposite direction.
Therefore, if you create a rule to allow traffic in one direction, you may also need a separate rule to allow the response in the opposite direction.

## Default rule

@@ -81,7 +77,7 @@ The table below shows an example of a NACL for IPv4 traffic:

<Lightbox image={image3} alt="A table shows a number of NACL rules" />

- A number of TCP rules allow connections to the specific ports necessary for SSH, HTTP, and HTTPS traffic. These rules allow all IPv4 sources within the VPC to connect to these ports, for all IPv4 destinations.
- A number of TCP rules allow connections to the specific ports necessary for SSH, HTTP, and HTTPS traffic. These rules allow all IPv4 sources within the VPC to connect to these ports, for all IPv4 destinations.

- An ICMP rule allows all ICMP traffic from/to all IPv4 addresses on all ports, effectively permitting all ping requests within the VPC to function.

@@ -99,9 +95,9 @@ Network ACLs cannot be used to block or filter the traffic to or from the follow
- Scaleway DHCP
- Scaleway Instance metadata
- Kubernetes Kapsule task metadata endpoints
- License activation for Windows installation on Elastic Metal or Instances
- License activation for Windows installation on Elastic Metal or Instances

NACLs have the same resource limitations as [VPC routing](/vpc/reference-content/understanding-routing/#limitations), they cannot currently be used to filter Managed Database traffic, though this functionality is planned for the future.
NACLs have the same resource limitations as [VPC routing](/vpc/reference-content/understanding-routing/#limitations).

NACLs are currently available only via the Scaleway API and developer tools. They are not yet available in the Scaleway console.

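Review bot: the replacement sentence only says NACLs share the limitations of VPC routing and links to a section that is not in this diff, dropping the explicit statement about Managed Database traffic. If NACLs can now filter traffic to Database Instances, say so here: it is the control an operator needs once routing makes a Database Instance reachable from every Private Network in the VPC, and this page otherwise states that all inter-network traffic is allowed by default. If they cannot, the removed sentence was still correct and should be kept, minus the comma splice.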
@@ -110,4 +106,4 @@ NACLs are currently available only via the Scaleway API and developer tools. The
NACL quotas are as follows:

- A maximum of 255 rules for IPv4 (per VPC)
- A maximum of 255 rules for IPv6 (per VPC)
- A maximum of 255 rules for IPv6 (per VPC)