From ab40117365e61e39974138ec24fd614a68683f42 Mon Sep 17 00:00:00 2001 From: Rowena Date: Fri, 21 Feb 2025 18:02:25 +0100 Subject: [PATCH 1/5] fix(vpc): started second troubleshooting --- .../troubleshooting/cant-access-vpc-pn.mdx | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 pages/vpc/troubleshooting/cant-access-vpc-pn.mdx diff --git a/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx b/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx new file mode 100644 index 0000000000..123f557568 --- /dev/null +++ b/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx 
@@ -0,0 +1,62 @@ +--- +meta: + title: I'm experiencing connectivity issues with my VPC or Private Network + description: Troubleshoot access and connectivity issues with your Scaleway VPC or Private Network. Learn how to resolve common problems and get your network up and running smoothly. +content: + h1: I'm experiencing connectivity issues with my VPC or Private Network + paragraph: Troubleshoot access and connectivity issues with your Scaleway VPC or Private Network. Learn how to resolve common problems and get your network up and running smoothly. +tags: vpc private-network access connectivity ssh ip +dates: + validation: 2025-02-21 + posted: 2025-02-21 +categories: + - network +--- + +You may experience loss of connectivity between resources in a VPC or Private Network, or problems accessing your private resources via SSH. + +This page helps you solve potential errors that related to VPC access and reachability. + +## I can't connect to a resource attached to a Private Network via SSH + +### SSH bastion connection problems + +You may be attempting to connect to a Scaleway Instance via [SSH bastion](/public-gateways/how-to/use-ssh-bastion/), and experience errors such as: + +- `UNREACHABLE: Failed to connect to the host via ssh: Connection closed by remote host` +- `Connect failed: No address associated with hostname: Connection closed by UNKNOWN port 123` + +### SSH bastion connection solutions + +**Try using an IP address instead of a hostname**. An error such as `No address associated with hostname` suggests a problem with DNS resolution of the resource hostname. Try using the resource's private IP address in your connection command instead of its hostname. + +**Check the validity of your Private Network and/or resource names**. Issues can be caused when: + - Names contain dots. Replace dots with dashes (`my.instance` —> `my-instance`). We generally recommend avoiding using dots in your resource names to avoid issues. 
+ - Private Network names share the same name as a TLD. See our [dedicated troubleshooting docment](/vpc/troubleshooting/pn-name/#tld-naming-problem-with-private-networks). + - A [legacy Public Gateway](/public-gateways/concepts/#legacy-gateway) is attached to a Private Network, and its DNS is [taking priority over that of the Private Network](/public-gateways/concepts/#legacy-gateway). Ensure you are using correct hostnames in accordance with your Public Gateway in this case. + +**Ensure your SSH keys are up to date**. If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys. [Follow instructions in the dedicated documentation](/public-gateways/how-to/use-ssh-bastion/#how-to-reimport-ssh-keys). + +**Ensure your Instance is not overloaded**. An error such as `Connection closed by UNKNOWN port 123` could be linked to excessive traffic on this port of your Instance, an overload of the Instance's resources (CPU, RAM etc.), or an excessive number of simultaneous connections. + +Check the load on the Instance, and try again. + +## SSH connection problems (non-bastion) + +You may be attempting to connect to a Scaleway Instance that is attached to a Private Network, via SSH using its public IP address, and experiencing timeout errors. + +### SSH connection solutions (non-bastion) + +**Use SSH bastion**. If the Instance is attached to a Private Network on which there is also a Public Gateway advertising the default route, it is normal that you cannot connect using the public IP. Use SSH bastion instead: see our [dedicated troubleshooting page](/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway/) + +## Resources cannot communicate in a VPC + + +- Check status + +- MAC address issue +loss of connectivity between resources in the same VPC. Reason: L’adresse MAC a été dupliqué entre votre proxmox de par1 et de par2. 
Basculer une même MAC d'une zone à l'autre n'est pas compatible avec le routage du VPC. Nous vous suggérons très fortement de ne plus basculer cette VM, car cela risque d’engendrer à nouveau les désagréments rencontrés. Nous vous recommandons de changer la MAC de votre VM, puis d'envoyer une gratuitous ARP dans le PN (avec arping par exemple), de manière à ce que les autres VMs soient à jour avec la nouvelle MAC. + +- Different VPCs/Projects cannot communicate (no peering) + +- DNS? \ No newline at end of file From 433b731864e185f16a17f37b34675fe5fc6ee3cd Mon Sep 17 00:00:00 2001 From: Rowena Date: Mon, 24 Feb 2025 14:52:39 +0100 Subject: [PATCH 2/5] fix(vpc): add more troubleshooting --- .../troubleshooting/cant-access-vpc-pn.mdx | 55 +++++++++---------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx b/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx index 123f557568..19c196ee53 100644 --- a/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx +++ b/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx @@ -1,9 +1,9 @@ --- meta: - title: I'm experiencing connectivity issues with my VPC or Private Network + title: I'm experiencing connectivity or routing issues with my VPC or Private Network description: Troubleshoot access and connectivity issues with your Scaleway VPC or Private Network. Learn how to resolve common problems and get your network up and running smoothly. content: - h1: I'm experiencing connectivity issues with my VPC or Private Network + h1: I'm experiencing connectivity or routing issues with my VPC or Private Network paragraph: Troubleshoot access and connectivity issues with your Scaleway VPC or Private Network. Learn how to resolve common problems and get your network up and running smoothly. tags: vpc private-network access connectivity ssh ip dates: 
@@ -13,50 +13,49 @@ categories: - network --- -You may experience loss of connectivity between resources in a VPC or Private Network, or problems accessing your private resources via SSH. +You may have problems with connectivity between resources in a VPC or Private Network, or issues with routing packets. -This page helps you solve potential errors that related to VPC access and reachability. +This page helps you solve potential errors that related to VPC connectivity and routing. -## I can't connect to a resource attached to a Private Network via SSH +## My Managed Database cannot communicate with other resources in my VPC -### SSH bastion connection problems +This is normal, as VPC routing is not yet supported by Managed Databases for PostgreSQL or Managed Databases for Redis. Adding support for Managed Databases is planned for the future. -You may be attempting to connect to a Scaleway Instance via [SSH bastion](/public-gateways/how-to/use-ssh-bastion/), and experience errors such as: +## I cannot deactivate routing on my VPC -- `UNREACHABLE: Failed to connect to the host via ssh: Connection closed by remote host` -- `Connect failed: No address associated with hostname: Connection closed by UNKNOWN port 123` +This is standard behavior: -### SSH bastion connection solutions +- Once you have activated routing on a VPC, you cannot deactivate it +- You do not have the option to create a new VPC where routing is deactivated -**Try using an IP address instead of a hostname**. An error such as `No address associated with hostname` suggests a problem with DNS resolution of the resource hostname. Try using the resource's private IP address in your connection command instead of its hostname. +## I cannot route between VPCs/Private Networks in different regions, or different Scaleway Projects. -**Check the validity of your Private Network and/or resource names**. Issues can be caused when: - - Names contain dots. Replace dots with dashes (`my.instance` —> `my-instance`). 
We generally recommend avoiding using dots in your resource names to avoid issues. - - Private Network names share the same name as a TLD. See our [dedicated troubleshooting docment](/vpc/troubleshooting/pn-name/#tld-naming-problem-with-private-networks). - - A [legacy Public Gateway](/public-gateways/concepts/#legacy-gateway) is attached to a Private Network, and its DNS is [taking priority over that of the Private Network](/public-gateways/concepts/#legacy-gateway). Ensure you are using correct hostnames in accordance with your Public Gateway in this case. +Currently, routing is only supported between Private Networks in a single VPC. We do not support: -**Ensure your SSH keys are up to date**. If you add new SSH keys to your Project credentials after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys. [Follow instructions in the dedicated documentation](/public-gateways/how-to/use-ssh-bastion/#how-to-reimport-ssh-keys). +- Routing between two different VPCs +- Routing between Private Networks in different Scaleway Projects, or different regions -**Ensure your Instance is not overloaded**. An error such as `Connection closed by UNKNOWN port 123` could be linked to excessive traffic on this port of your Instance, an overload of the Instance's resources (CPU, RAM etc.), or an excessive number of simultaneous connections. +Watch out for our VPC Peering solution, planned for the future, which will enable communication between different VPCs. -Check the load on the Instance, and try again. +## I am experiencing issues with Elastic Metal server connectivity to a Private Network -## SSH connection problems (non-bastion) +Note that some manual configuration of the network interface is required when attaching Elastic Metal servers to Private Networks. 
Follow the steps in our [dedicated documentation](/elastic-metal/how-to/use-private-networks/#how-to-configure-the-network-interface-on-your-elastic-metal-server-for-private-networks). -You may be attempting to connect to a Scaleway Instance that is attached to a Private Network, via SSH using its public IP address, and experiencing timeout errors. +## I am experiencing issues with VM (hosted on Elastic Metal server) connectivity to a Private Network -### SSH connection solutions (non-bastion) +Ensure you have correctly attached the VM to the Private Network by specifying the MAC address, and carried out necessary configuration of the network interface for your VM, e.g. [via the Proxmox interface](/tutorials/setup-elastic-metal-proxmox-cluster-with-private-networks/#configuring-the-private-network). -**Use SSH bastion**. If the Instance is attached to a Private Network on which there is also a Public Gateway advertising the default route, it is normal that you cannot connect using the public IP. Use SSH bastion instead: see our [dedicated troubleshooting page](/public-gateways/troubleshooting/cant-connect-to-instance-with-pn-gateway/) + +Using the same MAC address on VMs in different AZs, or switching such MAC addresses between AZs, is not compatible with VPC routing. Ensure each VM has a unique MAC address. + -## Resources cannot communicate in a VPC +## My resources cannot communicate via their hostnames +See our dedicated documentation on [resolving private DNS errors](/vpc/troubleshooting/private-dns-dhcp-not-working/). -- Check status +## I am experiencing other connectivity issues + +Check the [Scaleway Status page](https://status.scaleway.com/), to see whether there are any ongoing incidents which could affect the connectivity or network access of your resources. -- MAC address issue -loss of connectivity between resources in the same VPC. Reason: L’adresse MAC a été dupliqué entre votre proxmox de par1 et de par2. 
Basculer une même MAC d'une zone à l'autre n'est pas compatible avec le routage du VPC. Nous vous suggérons très fortement de ne plus basculer cette VM, car cela risque d’engendrer à nouveau les désagréments rencontrés. Nous vous recommandons de changer la MAC de votre VM, puis d'envoyer une gratuitous ARP dans le PN (avec arping par exemple), de manière à ce que les autres VMs soient à jour avec la nouvelle MAC. -- Different VPCs/Projects cannot communicate (no peering) -- DNS? \ No newline at end of file From aba0d216b02716fe1e4d307a0e0440ca8fce4547 Mon Sep 17 00:00:00 2001 From: Rowena Date: Mon, 24 Feb 2025 14:58:35 +0100 Subject: [PATCH 3/5] fix(vpc): added to menu --- menu/navigation.json | 4 ++++ .../reference-content/public-connectivity-best-practices.mdx | 2 +- ...cess-vpc-pn.mdx => vpc-pn-routing-connectivity-issues.mdx} | 0 3 files changed, 5 insertions(+), 1 deletion(-) rename pages/vpc/troubleshooting/{cant-access-vpc-pn.mdx => vpc-pn-routing-connectivity-issues.mdx} (100%) diff --git a/menu/navigation.json b/menu/navigation.json index 02942308e9..7fe9de1e6d 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -3211,6 +3211,10 @@ { "label": "I can't delete my VPC or Private Network", "slug": "cant-delete-vpc-pn" + }, + { + "label": "I'm experiencing connectivity or routing issues", + "slug": "vpc-pn-routing-connectivity-issues" } ], "label": "Troubleshooting", diff --git a/pages/ipam/reference-content/public-connectivity-best-practices.mdx b/pages/ipam/reference-content/public-connectivity-best-practices.mdx index b15bffe9e3..61b1ce81c4 100644 --- a/pages/ipam/reference-content/public-connectivity-best-practices.mdx +++ b/pages/ipam/reference-content/public-connectivity-best-practices.mdx 
@@ -49,7 +49,7 @@ In the future, look out for even more improvements to our flexible IP offering, We strongly recommend that you disable public connectivity on all of your Scaleway resources, unless it is absolutely required. Attaching resources to Private Networks, and limiting their communication to these networks brings the following advantages: - **Minimized attack surface**: Without a public IP address, the resource is not exposed directly to the internet, decreasing the risk of DDoS or brute force attacks, or unauthorized access. -- **Reduced cost**: Public (flexible) IP addresses are [billed](https://www.scaleway.com/en/pricing/), whereas Private Networks and the private IP addresses that attach resources to Private Networks are free of charge (except for Elastic Metal servers). +- **Reduced cost**: Public (flexible) IP addresses are [billed](https://www.scaleway.com/en/pricing/), whereas Private Networks and the private IP addresses that attach resources to Private Networks are free of charge (except for Elastic Metal servers and Apple silicon). - **Improved latency**: Communication between resources over a Private Network is generally faster, as it does not need to be routed through the public internet. Depending on the resource type, public connectivity can be disabled by: diff --git a/pages/vpc/troubleshooting/cant-access-vpc-pn.mdx b/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx similarity index 100% rename from pages/vpc/troubleshooting/cant-access-vpc-pn.mdx rename to pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx From d6e4333818f2451b72103fdc68c59f2ddb237287 Mon Sep 17 00:00:00 2001 
From: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:43:18 +0100 Subject: [PATCH 4/5] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Benedikt Rollik Co-authored-by: Néda <87707325+nerda-codes@users.noreply.github.com> --- menu/navigation.json | 2 +- .../troubleshooting/vpc-pn-routing-connectivity-issues.mdx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/menu/navigation.json b/menu/navigation.json index 7fe9de1e6d..8e33995463 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -3213,7 +3213,7 @@ "slug": "cant-delete-vpc-pn" }, { - "label": "I'm experiencing connectivity or routing issues", + "label": "I am experiencing connectivity or routing issues", "slug": "vpc-pn-routing-connectivity-issues" } ], diff --git a/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx b/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx index 19c196ee53..391285edb1 100644 --- a/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx +++ b/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx 
@@ -1,9 +1,9 @@ --- meta: - title: I'm experiencing connectivity or routing issues with my VPC or Private Network + title: I am experiencing connectivity or routing issues with my VPC or Private Network description: Troubleshoot access and connectivity issues with your Scaleway VPC or Private Network. Learn how to resolve common problems and get your network up and running smoothly. content: - h1: I'm experiencing connectivity or routing issues with my VPC or Private Network + h1: I am experiencing connectivity or routing issues with my VPC or Private Network paragraph: Troubleshoot access and connectivity issues with your Scaleway VPC or Private Network. Learn how to resolve common problems and get your network up and running smoothly. tags: vpc private-network access connectivity ssh ip dates: @@ -15,7 +15,7 @@ categories: You may have problems with connectivity between resources in a VPC or Private Network, or issues with routing packets. -This page helps you solve potential errors that related to VPC connectivity and routing. +This page helps you solve potential errors that are related to VPC connectivity and routing. ## My Managed Database cannot communicate with other resources in my VPC From f60c3c1badb25f2bbd0b9f6535a6425cccf0ec3b Mon Sep 17 00:00:00 2001 From: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> Date: Tue, 25 Feb 2025 13:37:38 +0100 Subject: [PATCH 5/5] Update pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com> --- .../vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx b/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx index 391285edb1..c7e1e2a7ad 100644 --- a/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx 
+++ b/pages/vpc/troubleshooting/vpc-pn-routing-connectivity-issues.mdx @@ -43,7 +43,7 @@ Note that some manual configuration of the network interface is required when at ## I am experiencing issues with VM (hosted on Elastic Metal server) connectivity to a Private Network -Ensure you have correctly attached the VM to the Private Network by specifying the MAC address, and carried out necessary configuration of the network interface for your VM, e.g. [via the Proxmox interface](/tutorials/setup-elastic-metal-proxmox-cluster-with-private-networks/#configuring-the-private-network). +Ensure you have correctly attached the VM to the Private Network by specifying the MAC address, and carried out the necessary configuration of the network interface for your VM, e.g. [via the Proxmox interface](/tutorials/setup-elastic-metal-proxmox-cluster-with-private-networks/#configuring-the-private-network). Using the same MAC address on VMs in different AZs, or switching such MAC addresses between AZs, is not compatible with VPC routing. Ensure each VM has a unique MAC address.
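Review bot: the "MAC address issue" bullet at the end of the new file in PATCH 1/5 is unedited French text that reads like a pasted support reply ("votre proxmox de par1 et de par2"), so case-specific wording is committed into an English documentation page. Replace it with a generic English statement, or keep the draft notes out of the commit. The same hunk also has "errors that related to" (missing "are"), "troubleshooting docment", the placeholder bullets "Check status" and "DNS?", a missing period after the final "dedicated troubleshooting page" link, and no newline at end of file.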
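Review bot: in PATCH 2/5, the hunk at "@@ -13,50 +13,49 @@" removes every SSH section (bastion and non-bastion), yet the front matter shown in the first hunk keeps `ssh` in `tags` and the commit subject says "add more troubleshooting". Either state in the commit message where the SSH guidance now lives, or update the tags and description to match the routing focus. The replacement MAC paragraph also drops the remediation that the removed draft contained (change the VM's MAC address, then send a gratuitous ARP in the Private Network, e.g. with arping), leaving only "Ensure each VM has a unique MAC address"; consider keeping that recovery step in English. Separately, the heading "I cannot route between VPCs/Private Networks in different regions, or different Scaleway Projects." is the only heading that ends with a period.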
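Review bot: the public-connectivity-best-practices.mdx hunk in PATCH 3/5 changes a billing statement (to "except for Elastic Metal servers and Apple silicon") under a commit titled "added to menu", which is unrelated to the menu entry and the file rename in the same commit. Move it to its own commit, or mention it in the commit message, so the pricing wording can be reviewed on its own.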
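Review bot: in the navigation.json hunk of PATCH 4/5, the new label "I am experiencing connectivity or routing issues" sits directly below the context-line entry "I can't delete my VPC or Private Network", so the menu now mixes contracted and uncontracted labels. If the intent is to avoid contractions, apply the same change to the sibling label; otherwise keep the original wording for consistency.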