feat(s2svpn): add public beta doc (#5901)

RoRoJ · web-flow · commit 5db01c5f6a50 · 2025-12-11T16:53:44.000+01:00
* feat(s2svpn): public beta

* feat(s2svpn): finished public beta doc

* fix(s2svpn): fix

* fix(s2svpn): corrected index

* fix(vpn): add info

* fix(s2svpn): fix missing info
diff --git a/menu/navigation.ts b/menu/navigation.ts
@@ -58,6 +58,7 @@ import { serverlessContainersMenu } from "../pages/serverless-containers/menu"
 import { serverlessFunctionsMenu } from "../pages/serverless-functions/menu"
 import { serverlessJobsMenu } from "../pages/serverless-jobs/menu"
 import { serverlessSqlDatabasesMenu } from "../pages/serverless-sql-databases/menu"
+import { siteToSiteVpnMenu } from "../pages/site-to-site-vpn/menu"
 import { terraformMenu } from "../pages/terraform/menu"
 import { topicsAndEventsMenu } from "../pages/topics-and-events/menu"
 import { transactionalEmailMenu } from "../pages/transactional-email/menu"
@@ -208,6 +209,7 @@ export default [
           ipamMenu,
           loadBalancerMenu,
           publicGatewaysMenu,
+          siteToSiteVpnMenu,
           vpcMenu,
         ],
         label: 'Network',
diff --git a/pages/site-to-site-vpn/concepts.mdx b/pages/site-to-site-vpn/concepts.mdx
@@ -0,0 +1,64 @@
+---
+title: Site-to-Site VPN - Concepts
+description: Understand the core concepts behind Scaleway's Site-to-Site VPN, including VPN and customer gateways, security proposals, routing policies and more.
+tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy
+dates:
+  creation: 2025-12-05
+  validation: 2025-12-05
+---
+
+## ASN
+
+An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using [BGP](#bgp) across the VPN. Each BGP peer must have a unique ASN to identify its routing domain.
+
+## Border Gateway Protocol (BGP)
+
+**B**order **G**ateway **P**rotocol is a standardized gateway protocol that allows autonomous systems to exchange routing information. Site-to-Site VPN uses BGP to facilitate route propagation, so that the VPC gateway and the customer gateway can learn each other's routes.
+
+## BGP session
+
+A BGP session is a dynamic routing connection between a customer gateway and a VPN gateway. It uses the **B**order **G**ateway **P**rotocol to exchange routing information in real time. It enables automatic updates to network paths, ensuring resilient and adaptive communication across a site-to-site VPN tunnel.
+
+## Connection
+
+A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel between the two, including routing policy and encryption method.
+
+## Customer gateway
+
+A customer gateway is a logical resource representing the physical or virtual gateway device on the customer (remote) side of a Site-to-Site VPN tunnel. 
+
+## Customer gateway device
+
+A customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device.
+
+## IPsec
+
+**I**nternet **P**rotocol **Sec**urity (IPsec) is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. In the context of Scaleway Site-to-Site VPN, IPsec provides end-to-end security for traffic flowing through the VPN tunnel between a VPN gateway and a customer gateway.
+
+## Pre-shared key (PSK)
+
+A pre-shared key (PSK) is a shared secret string, generated by Scaleway and known by both the VPN gateway and customer gateway. It is used to verify the identity of both gateways and establish secure, encrypted communication between them. Each PSK generated for Site-to-Site VPN is securely stored in [Scaleway Secret Manager](/secret-manager/).
+
+## Routing policy
+
+By default, all routes across a VPN connection are blocked. A routing policy allows you to set filters to define the IP prefixes to allow. You can whitelist multiple outgoing routes and multiple incoming routes per policy.
+
+## Route propagation
+
+Route propagation can be activated or deactivated on each VPN connection. When activated, route propagation launches BGP sessions, so the customer gateway and VPN gateway can dynamically exchange route information using the attached routing policies. This allows traffic to flow over the connection. When route propagation is deactivated, no traffic can flow.
+
+## Security proposal
+
+A security proposal (aka IPSec proposal) defines the encryption and authentication methods used to secure an IPSec VPN tunnel. You must define a security proposal when creating a VPN [connection](#connection).
+
+## Site-to-Site VPN
+
+Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security (IPsec).
+
+## Tunnel
+
+A VPN connection creates a VPN tunnel between a customer gateway and a VPN gateway. This tunnel is established between the two gateways' public IPv4 or IPv6 addresses. The tunnel is secured with IPsec, and traffic can securely flow through it.
+
+## VPN gateway
+
+A VPN gateway is a managed resource that acts as a connection point on the Scaleway side of your Site-to-Site VPN tunnel. Each [connection](#connection) within the gateway represents an IPsec tunnel towards a [customer gateway](#customer-gateway), established over the public internet. A single VPN gateway can host multiple connections.
diff --git a/pages/site-to-site-vpn/faq.mdx b/pages/site-to-site-vpn/faq.mdx
@@ -0,0 +1,36 @@
+---
+title: Site-to-Site VPN - FAQ
+description: Find answers to frequently asked questions about Scaleway Site-to-Site VPN, including setup, troubleshooting, compatibility, and best practices for secure, reliable connectivity.
+tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy
+dates:
+  creation: 2025-12-05
+  validation: 2025-12-05
+---
+
+## Overview
+
+### What is Site-to-Site VPN?
+
+Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa.
+
+## Specifications
+
+### How are Site-to-Site VPN tunnels encrypted?
+
+Site-to-Site VPN connections are secured with Internet Protocol security (IPsec). When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you are prompted to define a **security proposal** (aka IPSec proposal) which defines the precise encryption and authentication methods to secure the tunnel. Read more about security proposals and encryption in our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/).
+
+## Compatibility and integration
+
+### Can I use Site-to-Site VPN to connect two Scaleway VPCs?
+
+No, you cannot use Site-to-Site VPN to connect two Scaleway VPCs. Watch out for our upcoming VPC peering solution for this functionality.
+
+### Can I use Site-to-Site VPN to connect my Scaleway VPN to another cloud provider?
+
+Yes, this use case is entirely possible.
+
+## Pricing and billing
+
+### How much does Site-to-Site VPN cost?
+
+Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/) for full details.
diff --git a/pages/site-to-site-vpn/index.mdx b/pages/site-to-site-vpn/index.mdx
@@ -1,20 +1,19 @@
 ---
 title: Site-to-Site VPN Documentation
 description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to your remote infrastructure, via an encrypted, private VPN tunnel.
-noindex: true
 ---
 
 <Message
   type="note"
-  title="Site-to-Site VPN is in Private Beta"
+  title="Site-to-Site VPN is in Public Beta"
 >
-  Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+  Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 </Message>
 
 
 <ProductHeader 
    productName="Site-to-Site VPN"
-   productLogo="sns"
+   productLogo="vpn"
    description="Securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private tunnel."
    url="/site-to-site-vpn/reference-content/understanding-s2svpn/"
    label="Understanding Site-to-Site VPN"
@@ -29,6 +28,14 @@ noindex: true
         description="Learn how to start using Site-to-Site VPN"
         label="View Doc"
         url="/site-to-site-vpn/reference-content/understanding-s2svpn/"
+    />
+        />
+        <SummaryCard
+        title="Quickstart"
+        icon="rocket"
+        description="Learn how to get started with Site-to-Site VPN"
+        label="View Doc"
+        url="/site-to-site-vpn/quickstart/"
     />
     <SummaryCard
         title="Site-to-Site VPN statuses"
diff --git a/pages/site-to-site-vpn/menu.ts b/pages/site-to-site-vpn/menu.ts
@@ -0,0 +1,50 @@
+export const siteToSiteVpnMenu = {
+  items: [
+    {
+      label: 'Overview',
+      slug: '../site-to-site-vpn',
+    },
+    {
+      label: 'Concepts',
+      slug: 'concepts',
+    },
+    {
+      label: 'Quickstart',
+      slug: 'quickstart',
+    },
+    {
+      label: 'FAQ',
+      slug: 'faq',
+    },
+    {
+      items: [
+        {
+          label: 'Site-to-Site VPN API Reference',
+          slug: 'https://www.scaleway.com/en/developers/api/site-to-site-vpn/',
+        }
+      ],
+      label: 'API/CLI',
+      slug: 'api-cli',
+    },
+    {
+      items: [
+        {
+          label: 'Understanding Site-to-Site VPN',
+          slug: 'understanding-s2svpn',
+        },
+        {
+          label: 'Site-to-Site VPN Security proposals',
+          slug: 'security-proposals',
+        },
+        {
+          label: 'Site-to-Site VPN Statuses',
+          slug: 'statuses',
+        },
+      ],
+      label: 'Additional Content',
+      slug: 'reference-content',
+    }
+  ],
+  label: 'Site-to-Site VPN',
+  slug: 'site-to-site-vpn',
+}
diff --git a/pages/site-to-site-vpn/quickstart.mdx b/pages/site-to-site-vpn/quickstart.mdx
@@ -0,0 +1,12 @@
+---
+title: Site-to-Site VPN - Quickstart
+description: Get started quickly with Scaleway Site-to-Site VPN. Follow our step-by-step guide to configure and deploy a secure connection between your network and Scaleway VPC in minutes.
+tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy
+dates:
+  creation: 2025-12-05
+  validation: 2025-12-05
+---
+
+<Message type="note">
+Site-to-Site VPN is currently in Public Beta, and available only via the Scaleway API. Read our API-based quickstart in the [Site-to-Site VPN API documentation](https://www.scaleway.com/en/developers/api/site-to-site-vpn/#quickstart)
+</Message>
diff --git a/pages/site-to-site-vpn/reference-content/index.mdx b/pages/site-to-site-vpn/reference-content/index.mdx
@@ -1,5 +1,4 @@
 ---
 title: Site-to-Site VPN - Additional content
 description: Site-to-Site VPN additional content
-noindex: true
 ---
diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx
@@ -1,15 +1,14 @@
 ---
 title: Site-to-Site VPN security proposals
 description: Find out what the different encryption and authentication ciphers available with Scaleway Site-to-Site VPN, and how to to choose the best algorithm for your use case.
-noindex: true
 tags: vpn connection encryption authentication security cipher security-proposal
 dates:
   validation: 2025-06-03
   posted: 2025-06-03
 ---
 
 <Message type="note">
-Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 </Message>
 
 When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you must define a **security proposal** (aka IPSec proposal). The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel.
diff --git a/pages/site-to-site-vpn/reference-content/statuses.mdx b/pages/site-to-site-vpn/reference-content/statuses.mdx
@@ -1,15 +1,14 @@
 ---
 title: Understanding Site-to-Site VPN statuses
 description: Find out what the different possible statuses of your Site-to-Site VPN gateways and connections mean, and how to take action based on these statuses when necessary.
-noindex: true
 tags: vpn gateway customer remote connection status
 dates:
   validation: 2025-06-03
   posted: 2025-06-03
 ---
 
 <Message type="note">
-Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 </Message>
 
 ## VPN gateway statuses
@@ -29,7 +28,7 @@ This section explains the different statuses possible for a VPN gateway, and how
 
 ## Connection statuses
 
-A Site-to-Site VPN connection also always has a **status**, separate to that of the VPN gateway which can be retrieved via the API using the **Get a connection** call.
+A Site-to-Site VPN connection also always has a **status**, separate to that of the VPN gateway which can be retrieved via the API using the **Get a connection** call. The connnection status is based on the [tunnel status](#tunnel-statuses), [BGP session status](#bgp-session-statuses), and attachment of a [routing policy](/site-to-site-vpn/concepts/#routing-policy).
 
 This section explains the different statuses possible for a connection, and how to understand them.
 
@@ -39,4 +38,31 @@ This section explains the different statuses possible for a connection, and how
 | **Active**             | The connection has been created, and all expected BGP session(s) between the two gateways are up. Traffic can flow through the connection's tunnel. |
 | **Limited connectivity**   | The connection has been created, but IP connectivity is limited. This may be the case if the connection has both an IPv4 and an IPv6 routing policy attached, but only one of the two associated BGP sessions is up.|
 | **Down**       | The connection has been created, but no BGP sessions (neither IPv4 not IPv6) are up, and without route announcements no traffic can flow through the tunnel.|
-| **Locked**             | The connection has been locked by the Trust and Safety team. You cannot carry out any actions on the connection. Open a support ticket. |
+| **Locked**             | The connection has been locked by the Trust and Safety team. You cannot carry out any actions on the connection. Open a support ticket. |
+
+### Tunnel statuses
+
+Within a Site-to-Site VPN connection, the connection's tunnel also has its own status.
+
+This section explains the different statuses possible for a connection's tunnel, and how to understand them.
+
+| **Status**             | **Description**                         | 
+|------------------------|-----------------------------------------|
+| **Up**                 | The VPN tunnel is active and ready to route traffic.  |
+| **Down**               | The VPN tunnel is not able to route traffic. The customer gateway is probably not configured correctly.  |
+
+### BGP session statuses
+
+A Site-to-Site VPN connection has at least one associated **BGP session**.
+
+A BGP session is a protocol-based connection between the customer gateway and a VPN gateway, where the two gateways automatically exchange routing information to facilitate communication across the VPN tunnel. 
+
+A connection has one BGP session for each attached routing policy, up to a maximum of two - one for IPv4 and one for IPv6.
+
+This section explains the different statuses possible for a BGP session, and how to understand them.
+
+| **Status**             | **Description**                         | 
+|------------------------|-----------------------------------------|
+| **Up**                 | The BGP session between the VPN gateway and the customer gateway is running as normal. |
+| **Down**               | The BGP session between the VPN gateway and the customer gateway is not successfuly running. The customer gateway is probably not configured correctly.  |
+| **Disabled**           | No routing policy for the corresponding IP type is attached to the VPN connection, so no BGP session can be launched. |
diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx
@@ -1,7 +1,6 @@
 ---
 title: Understanding Site-to-Site VPN
 description: Dive deeper into understanding Scaleway's Site-to-Site VPN offer, with technical diagrams, explanations and more.
-noindex: true
 tags: vpn gateway customer infrastructure connection encryption
 dates:
   validation: 2025-06-03
@@ -15,7 +14,7 @@ import image5 from './assets/scaleway-vpn-tunnel-detail.webp'
 
 
 <Message type="note">
-Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 </Message>
 
 ## Site-to-Site VPN overview
@@ -62,6 +61,8 @@ The rest of the properties **must** correspond to the real properties of the cor
 
 <Message type="note">
 The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future.
+
+ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`.
 </Message>
 
 ### Routing policy
@@ -161,7 +162,7 @@ Use [Network ACLs](/vpc/reference-content/understanding-nacls/) if you want to l
 
 ## Site-to-Site VPN limitations
 
-- Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the [Scaleway API](https://www.scaleway.com/en/betas/#site-to-site-vpn)
+- Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/).
 - You cannot use Site-to-Site VPN to connect two Scaleway VPCs
 - You cannot modify the Private Network that a VPN is connected to after creation
 - You must use the auto-generated pre-shared key (PSK) for a VPN connection: you cannot currently define your own PSK
