diff --git a/pages/site-to-site-vpn/assets/scaleway-s2svpn-conceptual.webp b/pages/site-to-site-vpn/assets/scaleway-s2svpn-conceptual.webp new file mode 100644 index 0000000000..faf2f312a8 Binary files /dev/null and b/pages/site-to-site-vpn/assets/scaleway-s2svpn-conceptual.webp differ diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp b/pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-both.webp similarity index 100% rename from pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp rename to pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-both.webp diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp b/pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-one-type.webp similarity index 100% rename from pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp rename to pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-one-type.webp diff --git a/pages/site-to-site-vpn/concepts.mdx b/pages/site-to-site-vpn/concepts.mdx index d841203af7..af56f3e8d5 100644 --- a/pages/site-to-site-vpn/concepts.mdx +++ b/pages/site-to-site-vpn/concepts.mdx 
@@ -11,6 +11,8 @@ dates: An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using [BGP](#border-gateway-protocol-bgp) across the VPN. Each BGP peer must have a unique ASN to identify its routing domain. +[Learn more about ASNs](/site-to-site-vpn/faq/#what-is-an-asn-and-why-do-i-have-to-supply-one-when-creating-a-customer-gateway). + ## Border Gateway Protocol (BGP) **B**order **G**ateway **P**rotocol is a standardized gateway protocol that allows autonomous systems to exchange routing information. Site-to-Site VPN uses BGP to facilitate route propagation, so that the VPC gateway and the customer gateway can learn each other's routes. diff --git a/pages/site-to-site-vpn/faq.mdx b/pages/site-to-site-vpn/faq.mdx index c7f7d77e1c..1aa0c37527 100644 --- a/pages/site-to-site-vpn/faq.mdx +++ b/pages/site-to-site-vpn/faq.mdx @@ -7,6 +7,9 @@ dates: validation: 2025-12-05 --- +import image3 from './assets/scaleway-vpn-one-tunnel-both.webp' +import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp' + ## Overview ### What is Site-to-Site VPN? 
@@ -29,8 +32,28 @@ No, you cannot use Site-to-Site VPN to connect two Scaleway VPCs. Watch out for Yes, this use case is entirely possible. +### What is an ASN and why do I have to supply one when creating a customer gateway? + +An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. + +When [creating a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/), you are asked to provide its ASN. This is necessary for dynamic routing across the VPN using [BGP](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp). Each BGP peer must have a unique ASN to identify its routing domain. + +The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. + +ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. + +### If I create a connection using gateways' public IPv4 addresses, does this mean the tunnel won't support IPv6 traffic? + +No. Be assured that IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. The public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. 
+ +The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic: + + +The following diagram shows a connection with an IPv6 tunnel (i.e. established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic: + + ## Pricing and billing ### How much does Site-to-Site VPN cost? -Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/) for full details. \ No newline at end of file +Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/#site-to-site-vpn) for full details. \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/assets/scaleway-s2svpn-conceptual.webp b/pages/site-to-site-vpn/how-to/assets/scaleway-s2svpn-conceptual.webp new file mode 100644 index 0000000000..faf2f312a8 Binary files /dev/null and b/pages/site-to-site-vpn/how-to/assets/scaleway-s2svpn-conceptual.webp differ diff --git a/pages/site-to-site-vpn/how-to/assets/scaleway-vpn-tunnel-detail.webp b/pages/site-to-site-vpn/how-to/assets/scaleway-vpn-tunnel-detail.webp new file mode 100644 index 0000000000..70cf772e4a Binary files /dev/null and b/pages/site-to-site-vpn/how-to/assets/scaleway-vpn-tunnel-detail.webp differ diff --git a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx new file mode 100644 index 0000000000..7af8d400b6 --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx 
@@ -0,0 +1,118 @@ +--- +title: How to create and manage a customer gateway +description: Learn how to create and manage a customer gateway on Scaleway to establish a Site-to-Site VPN. This guide covers setting up the gateway object, configuring ASN and public IP details, and preparing for on-premises device configuration. +tags: site-to-site-vpn vpn customer-gateway vpn-gateway networking vpc ipsec bgp routing-policy remote-access network-infrastructure on-premises +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' + +A customer gateway is one of the essential building blocks of a Site-to-Site VPN. It provides the connection point on the remote side of a VPN tunnel. + + + +This document explains how to create and manage a **customer gateway** with the Scaleway console. + + +A customer gateway in this context is an object representing a **real** corresponding physical (or virtual) customer gateway device on your remote infrastructure. You, as the customer, must also [set up the real customer gateway networking device](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/), which can be physical or software-based. + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a customer gateway + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab, then **Create Customer gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your customer gateway. The resource will be created in this geographical location. 
Customer gateways must be in the same region as the resources (VPN gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Define connectivity parameters**, to supply Scaleway with essential details of your remote customer gateway device: + + - **IP address**: Provide the public IP address(es) of your customer gateway device, used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single VPN gateway (for dual tunnels, increasing redundancy), provide an address for each IP type. + - **ASN**: Provide the unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. + + + The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. + + ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. + + +5. **Enter a name and (optionally) tags** for the customer gateway. + +6. Click **Create customer gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) or [create a connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/). + +## How to view a customer gateway's details + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab. + +3. 
Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +Here you can view the gateway's: + - Region + - ID + - ASN + - Public IP addresses + - Number of [VPN connections](/site-to-site-vpn/concepts/#connection) it is used in + +## How to edit a customer gateway + +Currently, the only parameters of a customer gateway that can be edited after creation are its **name** and **tags**. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Make your edits as required: + - Click directly on the gateway's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. + +## How to configure a customer gateway device + +Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. + +Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection. + +See our [dedicated page](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) for advice on configuring your customer gateway device. 
+ +## How to delete a customer gateway + +You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on any VPN connections linked to the customer gateway, before you can delete the gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Click **Delete customer gateway**. + + A pop-up displays, informing you that any [VPN connections](/site-to-site-vpn/concepts/#connection) using this gateway will be auto-deleted. + + You must manually delete any other objects associated with the gateway, such as VPN gateways or routing policies, if you do not need them anymore. + +6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. + +The gateway is deleted, and you are returned to the list of your customer gateways. + + + + diff --git a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx new file mode 100644 index 0000000000..0da7d3c81e --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx 
@@ -0,0 +1,87 @@ +--- +title: How to create and manage routing policies +description: Find out how to create a routing policy for your Scaleway Site-to-Site VPN. Whitelist incoming and outgoing route announcements, so that traffic can flow securely over your VPN connection. +dates: + validation: 2025-12-31 + posted: 2025-12-31 +tags: site-to-site-vpn vpn routing-policy bgp border-gateway-protocol network security vpc route-propagation ipv4 ipv6 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' + +A routing policy is one of the essential building blocks of a Site-to-Site VPN: + + + +A Site-to-Site VPN connection uses [**B**order **G**ateway **P**rotocol](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp) to exchange routing information between the VPN gateway on the Scaleway side, and the customer gateway on the remote side. Each side advertises IP prefixes for its own internal subnets and resources, to allow the other side to dynamically learn and update its internal routes, facilitating efficient traffic flow. + +However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy/), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel. + +A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6). + +When creating a routing policy, you specify one or many IP ranges representing the outgoing routes to announce from the Scaleway VPN gateway, and one or many IP ranges representing the incoming route announcements to accept from the customer gateway. 
When [route propagation](/site-to-site-vpn/concepts/#route-propagation) is activated, the route ranges defined in the routing policy are whitelisted, and traffic can flow through the tunnel along these routes. + +## How to create a routing policy + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Routing policies** tab, then **Create routing policy**. The creation wizard displays. + +3. Choose a region for the policy. It can only be attached to VPN connections within the same region. + +4. Define the type of IP traffic to be covered by the routing policy. + +5. Whitelist the outgoing routes to allow. For each entry: + - Enter an IP prefix to define a range of route announcements to whitelist, e.g. `172.16.4.0/22`. + - Click **Add** when complete. + + + Routes within these destinations will be propagated, allowing traffic from your remote infrastructure to be routed through the VPN tunnel to your Scaleway VPN gateway. For example, adding `172.16.4.0/22` whitelists all 1,024 IPs in this block, from `172.16.4.0` to `172.16.7.255`. + + +6. Whitelist the incoming routes to allow, in the same way you did for outgoing routes. Outgoing routes concern announcements to accept from the remote infrastructure. Traffic can be routed through the VPN tunnel from your Scaleway VPN gateway to your remote infrastructure along these routes. + +7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**. + +8. Click **Create routing policy**. + +The policy is created, and you are returned to the listing of your routing policies. + +Remember to [attach the policy to a VPN connection](/site-to-site-vpn/how-to/create-manage-routing-policy/) for it to take effect. 
Each VPN connection can have only one IPv4 and one IPv6 policy attached to it, but a single routing policy can be attached to multiple VPN connections. + +## How to edit an existing routing policy + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click on the **Routing policies** tab. A list of your routing policies displays. Use the **region selector** at the top of the page to filter for the region of the routing policy you want to edit. + +3. Click next to the routing policy to edit, and select **Edit** in the menu that displays. + +4. The **Edit routing policy** wizard displays. See the dedicated documentation on [creating and attaching a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for help with routing policies. + +5. Make the required edits, and click **Edit routing policy**. + + A warning displays, to remind you that modifications will immediately be propagated on VPN connections using this policy. + +6. Click **Save**. + +The policy is modified and modifications are immediately applied. + +## How to attach a routing policy to a connection + +See our [dedicated documentation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy). + +## How to delete a routing policy + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click on the **Routing policies** tab. A list of your routing policies displays. Use the **region selector** at the top of the page to filter for the region of the routing policy you want to delete. + +3. Click next to the routing policy to delete, and select **Delete** in the menu that displays. + + A pop-up displays, informing you that this action will permanently delete the routing policy. + +4. 
Click **Delete policy** to confirm. + + The routing policy is deleted, and you are returned to the **Routing policies** tab. \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx new file mode 100644 index 0000000000..eb33f0adcf --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx 
@@ -0,0 +1,165 @@ +--- +title: How to create and manage a VPN connection +description: Learn how to create and manage a Site-to-Site VPN connection on Scaleway, including configuring routing policies, BGP, IPsec security proposals, and activating route propagation. +tags: site-to-site-vpn, vpn-connection, scaleway-vpn, ipsec, bgp, routing-policy, network, private-network, how-to +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' +import bgpSessionDiagram from './assets/scaleway-vpn-tunnel-detail.webp' + +A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the encryption, initiation and security parameters for the VPN tunnel. + + + +This document explains how to create and manage a Site-to-Site VPN connection with the Scaleway console. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Created a [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) and a [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) in the same Scaleway region + +## How to create a VPN connection + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your existing VPN connections displays, if you have any. + +2. Click **Create connection**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN connection. The resource will be created in this geographical location. You must create the connection in the same region as the VPN gateway and customer gateway that you want to connect. + +4. **Choose the gateways to connect**. 
The connection will link the VPN gateway and customer gateways that you select here. Only gateways you have already created in the region you chose at step 3 will be displayed. + + Based on the selected gateways, the **VPN tunnel details** selection panel displays. + +5. Select how the VPN tunnel for this connection should be established: via the gateways' **public IPv4 addresses** or their **public IPv6 addresses**. + + + - The two gateways must have at least one public IP type in common, in order to create a VPN connection between them. + - The IP type you select here does **not** limit both IPv4 and IPv6 traffic from being able to flow through the tunnel. [Read more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). + - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. + + +6. **Specify a routing policy** for the connection (optional). The VPN connection needs a policy for each IP traffic type (IPv4, IPv6) you want it to route. These policies define the traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. + +7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. + + + By default, choose the customer gateway to initiate connections if it has a stable IP and no restrictive firewall. + + +8. **Select a security proposal** for this connection. The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel. For help choosing a security proposal, refer to our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). 
+ + A pre-shared key (PSK) will be generated automatically when you create the VPN connection object. It will be securely stored in Scaleway [Secret Manager](/secret-manager), and can be retrieved for the purposes of configuring your customer gateway device. It is not currently possible to upload your own custom PSK. + +9. **Enter a name and (optionally) tags** for the VPN connection. + +10. Click **Create connection** to finish. + +Your connection is created, and you are directed to its **Overview** page. + +If the tunnel does not come up as expected, ensure you have completed all the essential [configuration steps](/site-to-site-vpn/reference-content/understanding-s2svpn/#components-and-configuration). + + +## How to view a VPN connection's details + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. + +Here you can view the following information: + +| Category | Description | Attributes | +|---------|-------------|------------| +| **Connection information** | Basic parameters of the connection| [Status](/site-to-site-vpn/reference-content/statuses/#connection-statuses), Region, ID, VPN gateway and customer gateways linked by the connection, IP type used to establish the tunnel (IPv4 or IPv6), Initiation policy, [Link to PSK](#), ESP proposal, IKE proposal | +| **VPN tunnel endpoint addresses** | An encrypted VPN tunnel links the VPN gateway and customer gateway via their public IPs, as shown here | VPN gateway public IP, Customer gateway public IP | +| **BGP sessions** | The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. 
The gateways connect over this subnet to establish a BGP session and exchange routing information. For connections configured to route both IPv4 and IPv6 traffic, one subnet for each is provided. | IPv4 BGP session interconnection subnet (e.g. `169.254.10.0/31`), IPv6 BGP session interconnection subnet (e.g. `fd00:10::/127`) | +| **Route propagation** | Activating route propagation prompts the two gateways to dynamically exchange route information over BGP, using the attached routing policies. Traffic cannot flow if route propagation is not active. The routing policy(ies) attached to the connection are displayed here. | IPv4 routing policy, IPv6 routing policy | + +## How to attach or detach a routing policy + +Routing policies define traffic that is allowed to flow through the VPN tunnel. The connection needs one attached routing policy for each IP traffic type you want it to route (IPv4 and/or IPv6). You can attach a maximum of two routing policies to a single connection (one for IPv4 and one for IPv6). + +Note that without an attached routing policy, no traffic can flow through the VPN tunnel. You can replace the attached routing policy/ies at any time. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. + +3. In the **route propagation** panel: + - If no routing policy is attached, click the **+ Attach policy** button. You are prompted to select a routing policy to attach. + - If a routing policy is already attached, click the three dot menu next to the policy, and select either: + - **Replace policy**: You are prompted to select a new routing policy to replace the current one. 
+ - **Edit policy**: You are directed to the **Edit** page for the currently-attached policy, where you can modify the incoming and outgoing routes to whitelist. + - **Detach policy**: You are prompted to confirm that you want to detach the policy from your connection. + +If route propagation is active, all routes whitelisted by any new policy you have attached will be immediately propagated over the VPN connection. + +## How to activate or deactivate route propagation + +You must activate route propagation for traffic to be able to flow through the VPN tunnel. Activating route propagation triggers the dynamic exchange of route information between the gateways. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. + +3. In the **Route propagation** section, click **Activate propagation**. + + A pop-up displays, confirming that the action will launch the BGP session(s), allowing traffic to flow through the tunnel via the routes whitelisted in the attached routing policy(ies). + +4. Click **Activate route propagation**. + + Route propagation is activated. You are returned to your connection's overview page. + + While route propagation remains active, the two gateways will dynamically exchange and update route information. Traffic can flow through the VPN tunnel along the routes whitelisted in the routing policy(ies). You can deactivate route propagation at any time: if you do so, all routes are blocked and no traffic can flow. + +## How to generate a new version of the PSK + +PSKs do not expire. However, if you delete the secret containing the PSK, or you want to change your PSK for security reasons, you can generate a new one as follows: + +1. 
Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. + +3. In the **Connection information** panel, under **PSK**, click **Generate version**. + +A new version of the PSK secret is created in Scaleway Secret Manager. Ensure that you update your customer gateway device to use the new PSK. + +## How to edit a VPN connection's name and tags + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. + +3. Click the **Settings** tab. + +4. Make your edits as required: + - Click directly on the connection's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. + +## How to delete a VPN connection + +You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) before you can delete the connection. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the VPN connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. + +3. Click the **Settings** tab. + +4. Click **Delete connection**. 
+ + A pop-up displays, informing you that this action will permanently delete the connection. + + The VPN gateway and customer gateways used in this connection will **not** be automatically deleted. Remember to delete them yourself if no longer needed. + +5. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. + +The connection is deleted, and you are returned to the list of your VPN connections. + + + + diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx new file mode 100644 index 0000000000..0000192bcc --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx 
@@ -0,0 +1,117 @@ +--- +title: How to create and manage a VPN gateway +description: Learn how to create, configure, and manage VPN gateways on Scaleway to establish secure Site-to-Site VPN connections with your remote networks. +tags: s2svpn vpn gateway vpn-gateway remote-access +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' + +A VPN gateway is one of the essential building blocks of a Site-to-Site VPN: + + + +This document explains how to create and manage a **VPN gateway** with the Scaleway console. Creating a VPN gateway is the first step to creating a working Site-to-Site VPN. It represents the VPN tunnel's endpoint on the Scaleway side of your infrastructure. + +For a working VPN, in addition to creating a VPN gateway, you must also create: + +- A **customer gateway**, your remote endpoint. +- A **routing policy**, to control traffic flow. +- A **VPN connection**, to join the other elements together and configure the VPN tunnel. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a VPN gateway + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. + +2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. + +5. 
**Choose a gateway type**, based on bandwidth and how many [connections](/site-to-site-vpn/concepts/#connection) the gateway should be able to support. + +6. **Configure network connectivity** for the VPN gateway. + - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. + You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](/ipam/how-to/reserve-ip/). + - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. + +7. **Enter a name and (optionally) tags** for the VPN gateway. + +8. Click **Create VPN gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +To continue setting up a Site-to-Site VPN, next [create a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/). + + +## How to view a VPN gateway's details + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. 
+ +Here you can view the gateway's: + - [Status](/site-to-site-vpn/reference-content/statuses/#vpn-gateway-statuses) + - [Offer type](https://www.scaleway.com/fr/tarifs/network/#site-to-site-vpn) + - Availability Zone + - Bandwidth + - Number of [VPN connections](/site-to-site-vpn/concepts/#connection), compared to the total number allowed for the gateway offer type + - ID + - Attached Private Network + - Private and public IP addresses + +## How to edit a VPN gateway + +Currently, the only parameters of a VPN gateway that can be edited after creation are its **name** and **tags**. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Make your edits as required: + - Click directly on the gateway's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. + +## How to delete a VPN gateway + +You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on any VPN connections linked to the VPN gateway, before you can delete gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Click **Delete VPN gateway**. 
+ + A pop-up displays, informing you that any [VPN connections](/site-to-site-vpn/concepts/#connection) using this gateway will be auto-deleted, along with any flexible public IP addresses that you created specifically for the gateway. + + You must manually delete any other objects associated with the gateway, such as customer gateways or routing policies, if you do not need them any more. + + Any reserved private IPs that were used for the VPN gateway on its Private Network will remain reserved, and accessible from your IPAM management interface. + + +6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. + +The gateway is deleted, and you are returned to the list of your VPN gateways. + + + + diff --git a/pages/site-to-site-vpn/how-to/index.mdx b/pages/site-to-site-vpn/how-to/index.mdx new file mode 100644 index 0000000000..06f5046903 --- /dev/null +++ b/pages/site-to-site-vpn/how-to/index.mdx @@ -0,0 +1,4 @@ +--- +title: Site-to-Site VPN - How Tos +description: Site-to-Site VPN How Tos +--- diff --git a/pages/site-to-site-vpn/index.mdx b/pages/site-to-site-vpn/index.mdx index 9016f15af0..e7a30997bf 100644 --- a/pages/site-to-site-vpn/index.mdx +++ b/pages/site-to-site-vpn/index.mdx @@ -7,7 +7,7 @@ description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to you type="note" title="Site-to-Site VPN is in Public Beta" > - Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). + Site-to-Site VPN is now available via the [Scaleway console](https://console.scaleway.com/). 
@@ -29,7 +29,6 @@ description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to you label="View Doc" url="/site-to-site-vpn/reference-content/understanding-s2svpn/" /> - /> -Site-to-Site VPN is currently in Public Beta, and available only via the Scaleway API. Read our API-based quickstart in the [Site-to-Site VPN API documentation](https://www.scaleway.com/en/developers/api/site-to-site-vpn/#quickstart) - \ No newline at end of file +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' +import Requirements from '@macros/iam/requirements.mdx' + +Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security ([IPsec](https://en.wikipedia.org/wiki/IPsec)). + +Scaleway Site-to-Site VPN consists of: + +- A [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/): the connection point on the Scaleway side +- A [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) the connection point on the remote side (representing a corresponding physical customer gateway device) +- A [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/): defines the traffic allowed to flow through the tunnel +- A [connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/): brings together the three above elements, and defines the encryption and configuration for the VPN tunnel + +You must create all of the above elements, and correctly configure your customer gateway device, for a functional Site-to-Site VPN. + + + +This document walks you through the process to create a Site-to-Site VPN in the console. 
+ + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a VPN gateway + +Creating a VPN gateway is the first step in creating a Site-to-Site VPN. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. + +2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. + +5. **Choose a gateway type**, based on bandwidth and how many [connections](/site-to-site-vpn/concepts/#connection) the gateway should be able to support. + +6. **Configure network connectivity** for the VPN gateway. + - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. + You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](/ipam/how-to/reserve-ip/). + - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. + +7. **Enter a name and (optionally) tags** for the VPN gateway. + +8. 
Click **Create VPN gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +## How to create a customer gateway + +The next step in creating a Site-to-Site VPN is creating a customer gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab, then **Create Customer gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your customer gateway. The resource will be created in this geographical location. Customer gateways must be in the same region as the resources (VPN gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Define connectivity parameters**, to supply Scaleway with essential details of your remote customer gateway device: + + - **IP address**: Provide the public IP address(es) of your customer gateway device, used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single VPN gateway (for dual tunnels, increasing redundancy), provide an address for each IP type. + - **ASN**: Provide the unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. + + + The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. + + ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. + + +5. **Enter a name and (optionally) tags** for the customer gateway. + +6. Click **Create customer gateway** to finish. 
+ +Your gateway is created, and you are directed to its **Overview** page. + +### How to configure a customer gateway device + +Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. + +Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection. + +See our [dedicated page](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) for advice on configuring your customer gateway device. + +To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) or [create a connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/). + +## How to create a routing policy + +After creating a VPN gateway and a customer gateway, you can choose to either create a routing policy, or skip this step for now and [create a VPN connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/). If you do not create a routing policy at this stage, you must create one later, and attach it to your VPN connection, otherwise no traffic will be able to flow. + +[Find out more about routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy). + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Routing policies** tab, then **Create routing policy**. The creation wizard displays. + +3. Choose a region for the policy. It can only be attached to VPN connections within the same region. + +4. Define the type of IP traffic to be covered by the routing policy. + +5. 
Whitelist the outgoing routes to allow. For each entry: + - Enter an IP prefix to define a range of route announcements to whitelist, e.g. `172.16.4.0/22`. + - Click **Add** when complete. + + + Routes within these destinations will be propagated, allowing traffic from your remote infrastructure to be routed through the VPN tunnel to your Scaleway VPN gateway. For example, adding `172.16.4.0/22` whitelists all 1,024 IPs in this block, from `172.16.4.0` to `172.16.7.255`. + + +6. Whitelist the incoming routes to allow, in the same way you did for outgoing routes. Outgoing routes concern announcements to accept from the remote infrastructure. Traffic can be routed through the VPN tunnel from your Scaleway VPN gateway to your remote infrastructure along these routes. + +7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**. + +8. Click **Create routing policy**. + +The policy is created, and you are returned to the listing of your routing policies. + +## How to create a VPN connection + +A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the encryption, initiation and security parameters for the VPN tunnel. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your existing VPN connections displays, if you have any. + +2. Click **Create connection**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN connection. The resource will be created in this geographical location. You must create the connection in the same region as the VPN gateway and customer gateway that you want to connect. + +4. **Choose the gateways to connect**. The connection will link the VPN gateway and customer gateways that you select here. 
Only gateways you have already created in the region you chose at step 3 will be displayed. + + Based on the selected gateways, the **VPN tunnel details** selection panel displays. + +5. Select how the VPN tunnel for this connection should be established: via the gateways' **public IPv4 addresses** or their **public IPv6 addresses**. + + + - The two gateways must have at least one public IP type in common, in order to create a VPN connection between them. + - The IP type you select here does **not** limit both IPv4 and IPv6 traffic from being able to flow through the tunnel. [Read more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). + - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. + + +6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type (IPv4, IPv6) you want it to route. These policies define the traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. + +7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. + + + By default, choose the customer gateway to initiate connections if it has a stable IP and no restrictive firewall. + + +8. **Select a security proposal** for this connection. The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel. For help choosing a security proposal, refer to our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). + + A pre-shared key (PSK) will be generated automatically when you create the VPN connection object. 
It will be securely stored in Scaleway [Secret Manager](/secret-manager), and can be retrieved for the purposes of configuring your customer gateway device. It is not currently possible to upload your own custom PSK. + +9. **Enter a name and (optionally) tags** for the VPN connection. + +10. Click **Create connection** to finish. + +Your connection is created, and you are directed to its **Overview** page. + +## How to activate or deactivate route propagation + +You must activate route propagation for traffic to be able to flow through the VPN tunnel. Activating route propagation triggers the dynamic exchange of route information between the gateways. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. + +3. In the **Route propagation** section, click **Activate propagation**. + + A pop-up displays, confirming that the action will launch the BGP session(s), allowing traffic to flow through the tunnel via the routes whitelisted in the attached routing policy(ies). + +4. Click **Activate route propagation**. + + Route propagation is activated. You are returned to your connection's overview page. + + While route propagation remains active, the two gateways will dynamically exchange and update route information. Traffic can flow through the VPN tunnel along the routes whitelisted in the routing policy(ies). You can deactivate route propagation at any time: if you do so, all routes are blocked and no traffic can flow. + + ## Troubleshooting + + If the tunnel does not come up as expected, ensure you have completed all the essential [configuration steps](/site-to-site-vpn/reference-content/understanding-s2svpn/#components-and-configuration). 
\ No newline at end of file diff --git a/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx b/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx new file mode 100644 index 0000000000..5b5c3a82f1 --- /dev/null +++ b/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx 
@@ -0,0 +1,31 @@ +--- +title: Configuring a Site-to-Site VPN customer gateway device +description: Learn how to configure your physical or virtual customer gateway device to connect to Scaleway Site-to-Site VPN, including IPsec, BGP, pre-shared keys, and routing policies. +tags: site-to-site-vpn, customer-gateway, ipsec, bgp, routing-policy, vpn-configuration, network-security, scaleway-vpn, how-to +dates: + validation: 2025-12-21 + posted: 2025-12-21 +--- + +import image5 from './assets/scaleway-vpn-tunnel-detail.webp' + + +Site-to-Site VPN is currently in Public Beta. + + +Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. + +Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection. + +Wait until you have set up all elements of the Site-to-Site VPN tunnel (VPN gateway, customer gateway, routing policy and VPN connection) before configuring your device. It is only at this stage that you will have all the following parameters and details which are necessary for the configuration. + +- [VPN Gateway Public IP(s)](/site-to-site-vpn/how-to/create-manage-vpn-gateway/#how-to-view-a-vpn-gateways-details): The IPv4 address, IPv6 address, or both, that you configured when creating the VPN gateway. +- [Pre-Shared Key (PSK)](/site-to-site-vpn/concepts/#pre-shared-key-psk): This is auto-generated upon creation of the connection and stored in Scaleway Secret Manager. 
+- [Scaleway ASN](/site-to-site-vpn/concepts/#asn): `12876` +- [IPsec parameters](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-view-a-vpn-connections-details) (ESP and IKE security proposals) +- [BGP interconnection subnet](/site-to-site-vpn/concepts/#bgp-session): The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. The gateways connect over this private subnet to establish a BGP session and exchange routing information. For connections that are configured to route both IPv4 and IPv6 traffic, one IPv4 and one IPv6 subnet will be provided. Subnet information can be accessed via the [VPN connection Overview](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-view-a-vpn-connections-details). + + +- [Routing policy](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-view-a-vpn-connections-details): You must set up route announcements and filters on the customer gateway device. Take into account the routing policy(ies) you attached to the connection, when configuring routing policy on the customer gateway device. + +Specific instructions for configuring your customer gateway device will depend on your device model and vendor. \ No newline at end of file diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx index 98063a0bb3..06c3c24d3c 100644 --- a/pages/site-to-site-vpn/reference-content/security-proposals.mdx +++ b/pages/site-to-site-vpn/reference-content/security-proposals.mdx 
@@ -8,7 +8,7 @@ dates: --- -Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). +Site-to-Site VPN is currently in Public Beta. When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you must define a **security proposal** (aka IPSec proposal). The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel. @@ -38,7 +38,7 @@ When defining your Site-to-Site VPN security proposal, you must define the algor |-----------------|-----------------|----------------------------------------------------|----------------------------| | **ESP** | **Encryption** | Algorithm to encrypt traffic's data payloads | βœ… Yes | | **ESP** | **Integrity** | HMAC-based algorithm to verify data payloads have not been tampered with.

Only set an HMAC integrity algorithm if **not** using an AEAD algorithm for ESP encryption (see below). Otherwise, integrity is built in, and you do not need to set an ESP integrity algorithm. | ❓ Depends | -| **ESP** | **Key Exchange Method** | DH group to define strength of key exchange | ❌ No | +| **ESP** | **Key Exchange Method** | DH group to define strength of key exchange | Optional | ## Encryption algorithms @@ -51,7 +51,7 @@ The following encryption algorithms are available. | `aes128gcm16` (AES-GCM) | AEAD | 128 | βœ… Strong | Suitable for high-performance VPNs | πŸ‘ Acceptable | | `aes256ccm16` (AES-CCM) | AEAD | 256 | βœ… Strong | Alternative to AES-GCM, but GCM is preferred | πŸ‘ Acceptable | | `aes128ccm16` (AES-CCM) | AEAD | 128 | ⚠️ Medium | Alternative to AES-GCM, but GCM is preferred | πŸ‘ Acceptable | -| `chacha20poly1305` | AEAD | 256 | βœ… Strong | Performance-sensitive (mobile, embedded), best choice for low-power devices | βœ… Recommended | +| `chacha20poly1305` | AEAD | 256 | βœ… Very Strong | Performance-sensitive (mobile, embedded), best choice for low-power devices | βœ… Recommended | | `aes256` (AES-CBC) | non-AEAD | 256 | βœ… Strong | Suitable for legacy VPNs. Use only with HMAC (e.g. `sha256`)| ⚠️ Use with caution | | `aes192` (AES-CBC) | non-AEAD | 192 | ⚠️ Medium | Rarely used, `aes256` is preferred. | ⚠️ Use with caution | | `aes128` (AES-CBC) | non-AEAD | 128 | ⚠️ Medium | Suitable for performance-sensitive VPNs, where constraints don't allow `aes256` | ⚠️ Use with caution | 
@@ -72,15 +72,15 @@ Integrity is based on **H**ash-based **M**essage **A**uthentication **C**ode (HM Key exchange is **D**iffie-**H**ellman-based. The following DH groups can be set to determine the strength and performance of the key exchange: -| DH Group | Bit Size | Security Level | Use Case | Recommended? | -|------------------------|-----------|-----------------|------------------------------------------------------------------|------------------| -| `ecp521` | 521 | βœ… Very Strong | Suitable for high security environments. May be overkill (lowers performance). |πŸ‘ Acceptable | -| `ecp384` | 384 | βœ… Strong | Both strong and fast. **Our top choice for modern VPNs.** |βœ… Recommended | -| `ecp256` | 256 | βœ… Strong | Suitable for performance-sensitive VPNs. |βœ… Recommended | -| `curve25519` (X25519) | 256 | βœ… Very Strong | Both strong and fast. **Our top choice for performance**. |βœ… Recommended | -| `modp4096` | 4096 | βœ… Strong | Strong but slow. May be suitable for legacy VPNs. |πŸ‘ Acceptable | -| `modp3072` | 3072 | βœ… Medium-Strong | May be suitable for legacy VPNs. |πŸ‘ Acceptable | -| `modp2048` | 2048 | ⚠️ Minimum | Use for older VPNs only if absolutely needed. |⚠️ Use with caution | +| DH Group | [IANA](https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8) | Bit Size | Security Level | Use Case | Recommended? | +|------------------------|------|-----------|-----------------|------------------------------------------------------------------|------------------| +| `ecp521` | 21 | 521 | βœ… Very Strong | Suitable for high security environments. May be overkill (lowers performance). |πŸ‘ Acceptable | +| `ecp384` | 20 | 384 | βœ… Strong | Both strong and fast. **Our top choice for modern VPNs.** |βœ… Recommended | +| `ecp256` | 19 | 256 | βœ… Strong | Suitable for performance-sensitive VPNs. |βœ… Recommended | +| `curve25519` (X25519) | 31 | 256 | βœ… Very Strong | Both strong and fast. 
**Our top choice for performance**. |βœ… Recommended | +| `modp4096` | 16 | 4096 | βœ… Strong | Strong but slow. May be suitable for legacy VPNs. |πŸ‘ Acceptable | +| `modp3072` | 15 | 3072 | βœ… Medium-Strong | May be suitable for legacy VPNs. |πŸ‘ Acceptable | +| `modp2048` | 14 | 2048 | ⚠️ Minimum | Use for older VPNs only if absolutely needed. |⚠️ Use with caution | ## Standard recommendation @@ -88,4 +88,4 @@ For standard usage on modern equipment we recommend the following security propo | IKEv2 Encryption | IKEv2 Integrity | IKEv2 Key Exchange | ESP Encryption | ESP Integrity | ESP Key Exchange | |------------------|-----------------|--------------------|----------------|---------------|------------------| -| `aes256gcm16` | not required | `curve25519` | `aes256gcm16` | not required | not required | \ No newline at end of file +| `aes256gcm16` | not required | `curve25519` | `aes256gcm16` | not required | `curve25519` | \ No newline at end of file diff --git a/pages/site-to-site-vpn/reference-content/statuses.mdx b/pages/site-to-site-vpn/reference-content/statuses.mdx index b560e620f6..c0bdb0c889 100644 --- a/pages/site-to-site-vpn/reference-content/statuses.mdx +++ b/pages/site-to-site-vpn/reference-content/statuses.mdx @@ -8,7 +8,7 @@ dates: --- -Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). +Site-to-Site VPN is currently in Public Beta. ## VPN gateway statuses diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index c8c1881246..418bc817bd 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx +++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
@@ -3,167 +3,132 @@ title: Understanding Site-to-Site VPN description: Dive deeper into understanding Scaleway's Site-to-Site VPN offer, with technical diagrams, explanations and more. tags: vpn gateway customer infrastructure connection encryption dates: - validation: 2025-06-03 + validation: 2025-12-31 posted: 2025-06-03 --- import image1 from './assets/scaleway-s2svpn-conceptual.webp' -import image3 from './assets/scaleway-vpn-one-tunnel-both.webp' -import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp' -import image5 from './assets/scaleway-vpn-tunnel-detail.webp' - -Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). +Site-to-Site VPN is currently in Public Beta. -## Site-to-Site VPN overview +This document covers the features, use cases, pricing and technical details of Site-to-Site VPN. -Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security ([IPsec](https://en.wikipedia.org/wiki/IPsec)). +## Overview -## Components of Site-to-Site VPN +Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security ([IPsec](https://en.wikipedia.org/wiki/IPsec)). 
Scaleway Site-to-Site VPN consists of: -- A **VPN gateway**: the connection point on the Scaleway side -- A **customer gateway**: the connection point on the remote side (representing a corresponding physical customer gateway device) -- A **routing policy**: defines the traffic allowed to flow through the tunnel -- A **connection**: brings together the three above elements, and defines the configuration for the VPN tunnel +- A [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/): the connection point on the Scaleway side +- A [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/): the connection point on the remote side (representing a corresponding physical customer gateway device) +- A [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/): defines the traffic allowed to flow through the tunnel +- A [connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/): brings together the three above elements, and defines the encryption and configuration for the VPN tunnel You must create all of the above elements, and correctly configure your customer gateway device, for a functional Site-to-Site VPN. -### VPN gateway - -The VPN gateway provides a connection point on the Scaleway side of a Site-to-Site VPN tunnel. It has the following properties, which you can customize when you create the gateway: - -- **Region**: The geographical location in which the gateway is created. It must be in the same region as the other Site-to-Site VPN resources (customer gateways, routing policies, connections) that you want to use it with. -- **Name** and (optionally) **tags**: A name and tags to identify the gateway. -- **Gateway type**: Different gateway types are available for different prices. Pricing is based on **bandwidth**, and the **maximum number of connections** the gateway can be used for. -- **Private Network**: Each gateway must be attached to a single Scaleway Private Network. 
The network chosen cannot be modified after creation of the gateway. The gateway will get both an IPv4 and IPv6 address on the Private Network. Other Private Networks in the VPC will be able to learn the route through the VPN gateway. -- **Public IP address(es)**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 /32 and one IPv6 /128 address per gateway. VPN gateways with both types of IP will be able to support two connections to a single customer gateway, corresponding to one IPv4 tunnel and one IPv6 tunnel, providing increased redundancy. - -### Customer gateway - -The customer gateway provides a connection point on the customer (remote) side of a Site-to-Site VPN tunnel. It is the logical representation of a real **customer gateway device**, a physical or software-based networking device. - -A customer gateway has the following properties, which you can customize when you create the gateway: - -- **Region**: The geographical location in which the gateway object is created. It must be in the same region as the other Site-to-Site VPN resources (VPN gateways, routing policies, connections) that you want to use it with. -- **Name** and (optionally) **tags**: A name and tags to identify the gateway. - -The rest of the properties **must** correspond to the real properties of the corresponding real customer gateway device: - -- **Public IP address**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 and one IPv6 address per gateway. Customer gateways with both types of IP will be able to support two connections to a single VPN gateway, corresponding to one IPv4 tunnel and one IPv6 tunnel, providing increased redundancy. +### Encrypted network interconnection with IPsec -- **Autonomous System Number (ASN)**: The unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. 
+Site-to-Site VPN enables encrypted connections between your Scaleway VPC and remote networks, whether that is your on-premises infrastructure, a remote office, or even a VPC in another cloud provider. - -The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. - -ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. - +Site-to-Site VPN's secure tunnel is secured using **IPsec** (Internet Protocol Security), a robust suite of protocols that ensures data confidentiality, integrity, and authentication across untrusted networks like the internet. -### Routing policy +You can define your own [IPsec security proposals](/site-to-site-vpn/reference-content/security-proposals/) to control exactly which encryption and authentication methods are used to secure the tunnel, giving you fine-grained control over the balance between security, performance, and compatibility. Scaleway supports a wide selection of modern cryptographic options across key protocols like **IKEv2** (used for secure key exchange and tunnel negotiation) and **ESP** (which encrypts and authenticates the actual data payloads). This flexibility ensures your Site-to-Site VPN can integrate smoothly with diverse networking equipment while maintaining the right level of security and performance for your use case. -By default, when you create a VPN connection, all routes across it are blocked. You must create and attach a routing policy for the connection, which sets filters for the IP prefixes to allow. 
+### High availability with multi-AZ gateway redundancy and dual tunnels -A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6). +Ensure high availability by deploying two VPN gateways across separate Availability Zones (AZs) and establishing redundant tunnels for resilient connectivity. This architecture - aligned with Scaleway’s SLAs - provides failover protection against AZ outages. For maximum resilience, assign both a public IPv4 and IPv6 address to each gateway, then [create two connections](/site-to-site-vpn/how-to/create-manage-vpn-connection/): one using IPv4 addresses, the other IPv6. This delivers two layers of redundancy: first at the infrastructure level (gateways in different AZs), and second at the connectivity level (dual-stack tunnels). -A routing policy has the following properties, which you can customize when you create the policy: +Note that the tunnel’s IP version does not limit traffic type: IPv6 traffic can flow over an IPv4-established tunnel, and vice versa. YThe public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. [Learn more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). -- **Region**: The geographical location in which the routing policy is created. It must be in the same region as the other Site-to-Site VPN resources (VPN gateways, customer gateways, connections) that you want to use it with. -- **Traffic type**: IPv4 or IPv6. If a VPN connection is to support both IPv4 and IPv6 traffic, it needs one routing policy per traffic type. 
-- **Name** and (optionally) **tags**: A name and tags to identify the policy. +### Dynamic routing with BGP integration -You can whitelist multiple **outgoing routes** and multiple **incoming routes** per policy. +Site-to-Site VPN integrates the **B**order **G**ateway **P**rotocol (**BGP**) to allow dynamic route exchange between the remote network and Scaleway. Via BGP, the VPN gateway and the customer gateway can automatically exchange routing information, each advertising the IP prefixes of their respective internal subnets. This dynamic communication ensures that both sides are always aware of reachable destinations, allowing traffic to be routed efficiently across the tunnel as network conditions or topologies change. -- **Outgoing routes** are the IP prefixes that define ranges of Scaleway VPC route announcements to whitelist. Routes within these destinations will be propagated, allowing traffic from the remote gateway to be routed via the VPN to your VPC. -- **Incoming routes** are the IP prefixes that define ranges of route announcements from the customer gateway to whitelist. Routes towards these destinations will be propagated, allowing traffic from the Scaleway VPC to be routed via the VPN to your remote infrastructure. +Note that by default, **all routes through a VPN tunnel are blocked**. This is a security measure to prevent unintended traffic flow. You must explicitly define and attach a [routing policy](/site-to-site-vpn/concepts/#routing-policy) to each VPN connection, which acts as a filter to whitelist specific route announcements and allow controlled routing through the VPN tunnel. Each routing policy lets you specify outbound routes (prefixes from your Scaleway VPC that you want to advertise to the remote side) and inbound routes (prefixes from the remote network that you want to accept and route through the tunnel). One routing policy per IP family (IPv4 and/or IPv6) is required per connection. 
-### Connection +After attaching routing policies, you can then [activate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on the VPN connection. When activated, the gateways establish a BGP peering session, dynamically sharing only the prefixes defined in the routing policy, thereby enabling secure and selective connectivity. This design gives you granular control over traffic flow while maintaining strong security and operational flexibility. -A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel, including routing policy and encryption method. +## Use cases -A connection has the following properties, which you can customize when you create the policy: +| Use case | Description | +|----------------------------------------------------------|-----------------------------------| +| **Connect on-premises infrastructure to your Scaleway VPC** | Securely extend your local data center or office network into your Scaleway VPC using an encrypted Site-to-Site VPN tunnel. This enables smooth access to cloud resources as if they were part of your internal network, supporting hybrid cloud architectures with consistent routing and security policies. | +| **Connect your Scaleway VPC to infra in other clouds** | Establish a controlled and encrypted connection from your Scaleway VPC to your infrastructure hosted by other cloud providers. By defining strict routing policies and using IPsec encryption, you ensure only authorized traffic flows between networks, maintaining security and compliance while supporting multi-cloud architectures. | -- **Region**: The geographical location in which the connection is created. It must be in the same region as the other Site-to-Site VPN resources (VPN gateways, customer gateways, routing policies) that it uses. 
-- **Name** and (optionally) **tags**: A name and tags to identify the policy. -- **VPN gateway**: The VPN gateway to use for the connection. -- **Customer gateway**: The customer gateway to use for the connection. It must have at least one public IP type in common with the VPN gateway (IPv4 and/or IPv6). -- **Tunnel details**: Based on the gateways selected, you may need to define how the connection should establish the VPN tunnel between them. - - If both gateways have public IPv4 and public IPv6 addresses, you must explicitly choose the IP type (IPv4 or IPv6) to be used for the tunnel. - - If the gateways share only one public IP type, that IP type will be used automatically for the tunnel. - - A maximum of two connections can be created between the same gateway pair: one with an IPv4 tunnel and one with an IPv6 tunnel. Creating two connections/tunnels per gateway pair increases redundancy. Once an IPv4 tunnel is created, only one additional IPv6 tunnel can be established, and vice versa. No further connections are permitted beyond this limit. - -- **Routing policy(ies)**: For each traffic type (IPv4 and/or IPv6) to be routed over the connection, an associated routing policy must be attached (see [above](#routing-policy)). +## Technical info: requirements and availability - - IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. You can still attach an IPv4 and an IPv6 routing policy to your VPN connection to allow routing of both types of traffic, even if it only has an IPv4 tunnel. -

+### Requirements - The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic: - +Before creating a Site-to-Site VPN connection, ensure you have already: - The following diagram shows a connection with an IPv6 tunnel (i.e. established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic: - -
+- [Created a Scaleway account](/account/how-to/create-an-account/) and [added a payment method](/account/how-to/create-an-account/#add-your-payment-method) +- [Created a Scaleway VPC](/vpc/how-to/create-vpc/) and [created a Private Network](/vpc/how-to/create-private-network/) within it +- Provisioned a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC, to act as your [customer gateway device](/site-to-site-vpn/concepts/#customer-gateway-device) -- **Connection initiation policy**: Which gateway should initiate the tunnel. This can be either the VPN gateway, or the customer gateway. The chosen gateway will be responsible for kicking off the secure exchange that sets up the IPsec tunnel. +### Components and configuration -- **Security proposal**: Defines the encryption and authentication methods used to secure the VPN tunnel. For full details on available security proposals, see our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). +In order to create a working Site-to-Site VPN connection, you must: -- **Pre-shared key (PSK)**: Generated automatically when you create the connection object. It is securely stored in [Scaleway Secret Manager](/secret-manager/), and can be retrieved for the purposes of configuring your customer gateway device. For now, it is not possible to customize the PSK. You must use the auto-generated one. +1. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) and a [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) in the same Scaleway region. +2. [Create a VPN connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/), selecting the VPN gateway and customer gateway pair to connect, and defining encryption and initiation parameters for the tunnel. +3. 
[Create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) defining the incoming and outgoing route advertisements to allow over the connection, then [attach this policy](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy) to the connection. If you want the connection's tunnel to support both IPv4 and IPv6 traffic, attach one routing policy for each IP type. +4. [Configure your customer gateway device](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) so that it correctly supports the VPN tunnel from its side. +5. [Activate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on the VPN connection to trigger the dynamic exchange of route information between the gateways, and allow traffic to flow through the VPN tunnel. -## Configuring your customer gateway device +You can verify whether the Site-to-Site VPN is functioning as it should by checking the [status](/site-to-site-vpn/reference-content/statuses/) of its various components. -After creating your Site-to-Site VPN [connection](#connection), you are prompted to configure your customer gateway device. +### Availability -Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. +Site-to-Site VPN is available in multiple different Regions and Availability Zones. For the most up-to-date information, check out the [Scaleway console](https://console.scaleway.com/s2s-vpn/fr-par/vpn-gateways) or the [Product Availability page](/account/reference-content/products-availability/). -Scaleway cannot configure your device for you. In order to successfully complete the setup of your Site-to-Site VPN, you must configure the device yourself. 
You will need the following information, which is available from the API: +## Limitations and compatibility -- **Public IP address(es) of the VPN gateway**: The IPv4 address, IPv6 address, or both, that you configured when creating the VPN gateway. -- **Scaleway ASN**: 12876 -- **Pre-shared key**: Auto-generated for you upon creation of the connection, and stored in Scaleway Secret Manager +Site-to-Site VPN is currently in Public Beta. The following limitations apply: -You also need to set up route announcements and filters on the customer side. For this, you will need the following information: +- You cannot use Site-to-Site VPN to connect two Scaleway VPCs +- You cannot modify the Private Network that a VPN is connected to after creation +- You must use the auto-generated pre-shared key (PSK) for a VPN connection: you cannot currently define your own PSK +- We cannot currently provide a configuration file for customer gateway devices -- **BGP interconnection subnet(s)**: The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. The gateways connect over this private subnet to establish a BGP session and exchange routing information. For connections that are configured to route both IPv4 and IPv6 traffic, one IPv4 and one IPv6 subnet will be provided. Subnet information can be accessed via the API. +## Pricing - +Site-to-Site VPN is priced at an hourly rate. The rate differs based on the VPN gateway offer type that you choose. The following two elements of each offer type influence the hourly rate: -- **Routing policy**: Take into account the routing policy(ies) you attached to the connection, when configuring routing policy on the customer gateway device. +- **Bandwidth**, i.e. the maximum data transfer capacity the gateway can handle at any given time. The higher the bandwidth capacity, the higher the hourly rate. +- **Max connections**, i.e. 
the maximum number of VPN connections the gateway can be used for. The more connections, the higher the hourly rate. -### BGP communities +It is currently not possible to upgrade a VPN gateway to a more powerful offer type after creation. -You can influence routing between the various Site-to-Site VPNs in a VPC, for traffic flowing from Scaleway to your external network, by using BGP communities. +You are billed for a VPN gateway from the moment you create it, until you delete it. You can [delete a VPN gateway](https://www.scaleway.com/en/pricing/network/#site-to-site-vpn) at any time. -Refer to the BGP community documentation for [InterLink](/interlink/reference-content/bgp-communities/) for details - the same information applies for Site-to-Site VPN. Note that by default, InterLink takes priority over Site-to-Site VPN for equivalent routes. +Note that: +- The public IP4 address attached to a VPN gateway incurs a separate charge, with its own hourly rate. +- The auto-generated [PSK](/site-to-site-vpn/concepts/#pre-shared-key-psk) for a VPN connection incurs a separate storage charge from Scaleway Secret Manager, with its own hourly rate. -## Activating route propagation +For full pricing details, see our [dedicated pricing page](https://www.scaleway.com/en/pricing/network/#public-gateway). -The final step in allowing traffic to flow over your Site-to-Site VPN, is to activate route propagation. This enables all the allowed prefixes defined in the routing policy to be announced in the BGP session. Traffic cannot flow over the VPN when route propagation is not activated. +## Features -Activate route propagation via the dedicated call in the API. +Site-to-Site VPN offers the following features: -## Monitoring connection status +- **Customizable routing policies (create and attach routing rules)** – Define which IP prefixes are allowed for inbound and outbound route advertisement. 
Each policy filters traffic by source and destination ranges, ensuring only authorized subnets are reachable over the VPN tunnel. -Once you have created your Site-to-Site VPN connection, and configured your customer gateway device, monitor the status of your connection. If your device is successfully configured, and the connection is working, the status should be **Active**. +- **BGP-based dynamic routing (enable/disable route propagation)** – Dynamically exchange routing information between the VPN gateway and customer gateway using BGP. Activate route propagation to initiate the BGP session(s) and enable traffic flow based on attached routing policies. -See our dedicated [status documentation](/site-to-site-vpn/reference-content/statuses/) for full information on different statuses for the VPN gateway and connection, and how to troubleshoot them. +- **Flexible IPsec security proposals (customizable encryption)** – Tailor the security of your VPN tunnel by selecting specific encryption, integrity, and key exchange algorithms, balancing security, performance, and compatibility with your customer gateway. -## VPC routing +- **Dual-tunnel support for high availability** – Create two connections between the same VPN gateway / customer gateway pair to establish dual tunnels for redundancy, ensuring continuous connectivity during network failovers or maintenance. -Routes to your Site-to-Site VPN gateway are automatically added to your VPC's [route table](/vpc/concepts/#route-table), and advertised to all Private Networks within the VPC. This allows all resources within your VPC to find the route through the VPN tunnel, to your remote infrastructure. +## Going further -Use [Network ACLs](/vpc/reference-content/understanding-nacls/) if you want to limit the resources that route traffic through the VPN gateway. +Ready to get started with Site-to-Site VPN? 
Check out these pages: -## Site-to-Site VPN limitations +- [Site-to-Site VPN Quickstart](/site-to-site-vpn/quickstart/) - Learn how to set up and configure your Site-to-Site VPN via the Scaleway console. +- [Site-to-Site VPN API Reference](https://www.scaleway.com/en/developers/api/site-to-site-vpn/) - Full documentation for managing Site-to-Site VPNs via the Scaleway API +- [Site-to-Site VPN Terraform Documentation](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/s2s_vpn_connection) - Integrate Site-to-Site VPN into your infrastructure as code with the Scaleway Terraform Provider. +- [Site-to-Site VPN FAQ](/site-to-site-vpn/faq/) - Get answers to the most frequently asked questions about the Site-to-Site VPN. -- Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). -- You cannot use Site-to-Site VPN to connect two Scaleway VPCs -- You cannot modify the Private Network that a VPN is connected to after creation -- You must use the auto-generated pre-shared key (PSK) for a VPN connection: you cannot currently define your own PSK -- We cannot currently provide a configuration file for customer gateway devices
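Review bot: the security-proposals.mdx change to the "Standard recommendation" row (ESP Key Exchange from `not required` to `curve25519`) needs a sentence under the table saying that the customer gateway device must be configured with the same ESP key exchange group, otherwise the two ends will not agree on the ESP parameters even though the IKEv2 settings match; the text above the table still only says "For standard usage on modern equipment we recommend the following security proposal" and gives no hint that this column must now match on both sides. It would also help to say that `not required` stays the fallback for equipment that cannot negotiate a separate ESP group, since the DH-group table just above rates the legacy `modp*` groups as acceptable. Minor: the file still ends with `\ No newline at end of file`; add the trailing newline while editing this line.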
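Review bot: the statuses.mdx hunk trims the beta sentence to `Site-to-Site VPN is currently in Public Beta.`, which now appears verbatim both here and at the top of understanding-s2svpn.mdx in the same patch (and a second time in that file's Limitations section); a shared snippet would keep the notice consistent when it is eventually removed. Also confirm the dropped "available only via the Scaleway API" wording is gone from the rest of the section, since the Availability section and the Quickstart entry added in this patch now point readers at the Scaleway console.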
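Review bot: in the Pricing section of understanding-s2svpn.mdx the two links look swapped: `You can [delete a VPN gateway](https://www.scaleway.com/en/pricing/network/#site-to-site-vpn)` sends the reader to the pricing page instead of the gateway how-to, while `[dedicated pricing page](https://www.scaleway.com/en/pricing/network/#public-gateway)` lands on the Public Gateway anchor instead of `#site-to-site-vpn`. In the same section "public IP4 address" should read "public IPv4 address", and the statement that a VPN gateway cannot be upgraded to a more powerful offer type after creation is a limitation that belongs in the Limitations list as well. In the high-availability section, the sentence beginning `YThe public IP address type used to establish the tunnel` has a stray leading "Y" and restates the sentence immediately before it; keep one of the two. In Features, "Each policy filters traffic by source and destination ranges" contradicts the BGP section, which correctly describes a routing policy as a whitelist of route announcements rather than a packet filter; the removed VPC routing paragraph used to direct readers to Network ACLs for traffic filtering, and that pointer, the removed BGP communities section (including the note that InterLink takes priority over Site-to-Site VPN for equivalent routes) and the removed ASN guidance (Scaleway's ASN 12876, private range 64512 to 65534, which explained why two Scaleway VPCs cannot be connected) appear nowhere in the new text, so either confirm they moved to the concepts or FAQ pages or reinstate them. Minor: "the Private Network that a VPN is connected to" should say "VPN gateway", "infra in other clouds" in the use-case table should be "infrastructure", the hyphens around "aligned with Scaleway's SLAs" should be proper dashes or parentheses, and `import image1` is kept while the other image imports are dropped, so check that image1 is still referenced in the new body.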