From 9bf2c0aa82bc1a13cdd3443a2bf4611d715b46f9 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Tue, 29 Jul 2025 16:00:27 +0200 Subject: [PATCH 1/7] docs(srv): add srv x vpc ref content --- .../containers-private-networks.mdx | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 pages/serverless-containers/reference-content/containers-private-networks.mdx diff --git a/pages/serverless-containers/reference-content/containers-private-networks.mdx b/pages/serverless-containers/reference-content/containers-private-networks.mdx new file mode 100644 index 0000000000..d403c090b2 --- /dev/null +++ b/pages/serverless-containers/reference-content/containers-private-networks.mdx 
@@ -0,0 +1,54 @@ +--- +title: Serverless Containers and Private Networks integration +description: This page contains details on how Serverless Containers interacts with Virtual Private Cloud and Private Networks +dates: + - posted: 2025-07-29 + - validation: 2025-07-29 +--- + +## Description + +Attach a Serverless Function or Container to a Private Network. + +### Availability + +- Binding is done per Function or Container, not per namespace: multiple functions/containers in the same namespace can be attached to different PNs +- Works for both sandboxes (v1, v2) +- Feature is free of charge + +### Features +Container to PN resources (egress) +Currently, no ingress (PN resources to container) +but container still available through public traffic + +- All internal traffic (to PN) will be routed through the private interface, but external traffic (Internet) will be through the public (already existing) interface + +- All DNS resolution is done through PN (using DNS server `169.254.169.254` (=VPC dns server)). This allows to resolve `*.internal` records + + + + +## Users limitations + +### API + +- A Function/Container can **only** be attached to a single PN +- extra quota for VPC via Containers (Container Unique Private Networks) 5/10 +- UPDATE QUOTAS DOC + + + +### Infrastructure + +- **VPC routing** (custom routes) doesn't work yet + +- Each Function/Container instance will have a unique IP in the PN, assigned by Scaleway. this implies: + - it won't be possible for a user to **preemptively book an IP** in IPAM, and reference it in the attachment + - this can result in a **large number of IPs** being used in the PN. It might be confusing for clients as a single resource (a given Function/Container) with multiple instances will have multiple IPs + +- **Cold-starts will be slightly longer** due to the additional steps required to attach the node to the PN and book an IP. 
+ +Also, as of today, only ingress is implemented (phase 1: call a resource in the PN from a Function/Container). + +Egress (phase 2: calling a Function/Container from a resource in the PN) will be done [later](../#phases). + From ff60041322d04e33f180e14f8951aad3eef09511 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 4 Aug 2025 12:18:26 +0200 Subject: [PATCH 2/7] docs(srv): update serverless x VPC doc --- menu/navigation.json | 4 ++ .../organization-quotas.mdx | 12 ++++ .../containers-limitations.mdx | 16 +---- .../containers-private-networks.mdx | 58 ++++++------------- 4 files changed, 36 insertions(+), 54 deletions(-) diff --git a/menu/navigation.json b/menu/navigation.json index 18d3b13025..66b63605ce 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -4509,6 +4509,10 @@ "label": "Serverless overview", "slug": "serverless-overview" }, + { + "label": "Containers and Private Networks integration", + "slug": "containers-private-networks" + }, { "label": "Containers limitations", "slug": "containers-limitations" diff --git a/pages/organizations-and-projects/additional-content/organization-quotas.mdx b/pages/organizations-and-projects/additional-content/organization-quotas.mdx index cf25093bdd..1014a5dcdf 100644 --- a/pages/organizations-and-projects/additional-content/organization-quotas.mdx +++ b/pages/organizations-and-projects/additional-content/organization-quotas.mdx 
@@ -333,6 +333,12 @@ After you order a server from the list of Elastic Metal servers compatible with The maximum RAM quota is obtained by multiplying the maximum scale factor of your container by the selected RAM quantity. For example, if you choose to create a container with 512 MB of memory and a maximum scale of 20, you will have 10 GB RAM. +#### Private Networks (VPC) quotas + +| | [Payment method validated](/billing/how-to/add-payment-method/#how-to-add-a-credit-card) | Payment method and [identity validated](/account/how-to/verify-identity/) | +|-----------------------------------|:----------------------------------------------------------------------------------------------------------: |:------------------------------------------------------------------------------------:| +| Maximum attached Private Networks | 5 | 10 | + ## Serverless Functions @@ -354,6 +360,12 @@ For example, if you choose to create a container with 512 MB of memory and a max The maximum RAM quota is obtained by multiplying the maximum scale factor of your container by the selected RAM quantity. For example, if you choose to create a container with 512 MB of memory and a max scale of 20, you will have 10 GB RAM. +#### Private Networks (VPC) quotas + +| | [Payment method validated](/billing/how-to/add-payment-method/#how-to-add-a-credit-card) | Payment method and [identity validated](/account/how-to/verify-identity/) | +|-----------------------------------|:----------------------------------------------------------------------------------------------------------: |:------------------------------------------------------------------------------------:| +| Maximum attached Private Networks | 5 | 10 | + ## Serverless Jobs diff --git a/pages/serverless-containers/reference-content/containers-limitations.mdx b/pages/serverless-containers/reference-content/containers-limitations.mdx index 3981c8c547..aba8dcd3a1 100644 --- a/pages/serverless-containers/reference-content/containers-limitations.mdx 
+++ b/pages/serverless-containers/reference-content/containers-limitations.mdx @@ -84,21 +84,7 @@ Do not have your containers listen on these ports, as they are used by our servi ## Private Networks and Virtual Private Cloud (VPC) -### Compatibility - -Scaleway Serverless Containers support [Virtual Private Cloud (VPC)](/vpc/) and can be attached to a Private Network, which allows you to securely connect your resources in an isolated environment. Refer to the [dedicated documentation](/serverless-containers/how-to/use-private-networks/) for more information. - -### Usage - -- Containers in the same namespace can be attached to different Private Networks. - -- Attaching Serverless Containers to Private Networks does not entail additional cost. - -### Limitations - -- VPC works with Namespaces that have **VPC support enabled**. VPC support can only be enabled at [namespace creation](/serverless-containers/how-to/create-manage-delete-containers-namespace/#creating-a-serverless-containers-namespace), and cannot be updated afterward. - -- Only one Private Network can be attached to a container. +Refer to the [dedicated documentation](/serverless-containers/reference-content/containers-private-networks/) on VPC and Serverless Containers integration for more information. ## Default values for CPU and memory limits diff --git a/pages/serverless-containers/reference-content/containers-private-networks.mdx b/pages/serverless-containers/reference-content/containers-private-networks.mdx index d403c090b2..eb72bb33d6 100644 --- a/pages/serverless-containers/reference-content/containers-private-networks.mdx +++ b/pages/serverless-containers/reference-content/containers-private-networks.mdx 
@@ -6,49 +6,29 @@ dates: - validation: 2025-07-29 --- -## Description +## Compatibility -Attach a Serverless Function or Container to a Private Network. +Scaleway Serverless Containers support [Virtual Private Cloud (VPC)](/vpc/) and can be attached to a Private Network, which allows you to securely connect your resources in an isolated environment. Refer to the [dedicated documentation](/serverless-containers/how-to/use-private-networks/) for more information. -### Availability +## Features -- Binding is done per Function or Container, not per namespace: multiple functions/containers in the same namespace can be attached to different PNs -- Works for both sandboxes (v1, v2) -- Feature is free of charge +- Containers in the same namespace can be attached to different Private Networks. +- Both [sandbox](/serverless-containers/concepts/#sandbox) environments (`V1` and `V2`) are compatible with Private Networks. +- Attaching Serverless Containers to Private Networks **does not entail additional cost**. +- **Egress** (outbound private traffic from a container to resources within the same Private Network) will be routed through the private interface, but external traffic (from the Internet) will be through the public endpoint of the container. +- All DNS resolution is done through the Private Network (using the VPC DNS server `169.254.169.254`), which allows to resolve `*.internal` records. -### Features -Container to PN resources (egress) -Currently, no ingress (PN resources to container) -but container still available through public traffic +## Quotas -- All internal traffic (to PN) will be routed through the private interface, but external traffic (Internet) will be through the public (already existing) interface +Refer to the [dedicated documentation](/organizations-and-projects/additional-content/organization-quotas/) for more information on Private Networks quotas for Serverless Containers. 
-- All DNS resolution is done through PN (using DNS server `169.254.169.254` (=VPC dns server)). This allows to resolve `*.internal` records - - - - -## Users limitations - -### API - -- A Function/Container can **only** be attached to a single PN -- extra quota for VPC via Containers (Container Unique Private Networks) 5/10 -- UPDATE QUOTAS DOC - - - -### Infrastructure - -- **VPC routing** (custom routes) doesn't work yet - -- Each Function/Container instance will have a unique IP in the PN, assigned by Scaleway. this implies: - - it won't be possible for a user to **preemptively book an IP** in IPAM, and reference it in the attachment - - this can result in a **large number of IPs** being used in the PN. It might be confusing for clients as a single resource (a given Function/Container) with multiple instances will have multiple IPs - -- **Cold-starts will be slightly longer** due to the additional steps required to attach the node to the PN and book an IP. - -Also, as of today, only ingress is implemented (phase 1: call a resource in the PN from a Function/Container). - -Egress (phase 2: calling a Function/Container from a resource in the PN) will be done [later](../#phases). +## Limitations +- VPC works with Namespaces that have **VPC support enabled**. VPC support can only be enabled at [namespace creation](/serverless-containers/how-to/create-manage-delete-containers-namespace/#creating-a-serverless-containers-namespace), and cannot be updated afterward. +- Only one Private Network can be attached to a container. +- **VPC routing** (custom routes and cross-PN automatic routing) is not supported yet. +- **Ingress** (inbound private traffic from resources to a container within the same Private Network) is not supported yet. +- Each [container instance](/serverless-containers/concepts/#instance) has a unique IP automatically assigned by Scaleway in the Private Network. 
This implies the following: + - Users **cannot preemptively book an IP** with [IPAM](/ipam/), and reference it in the attachment. + - A single Serverless Container can have a **large number of IPs** being used within the Private Network, depending on the number of concurrent instances. + - **Cold-starts are slightly longer** due to the additional steps required to attach the node to the Private Network and book an IP. From 6af1a582f4fbda1dfe6c556208ce0576403c16cb Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 4 Aug 2025 14:10:18 +0200 Subject: [PATCH 3/7] Update pages/serverless-containers/reference-content/containers-private-networks.mdx Co-authored-by: Thomas TACQUET --- .../reference-content/containers-private-networks.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/serverless-containers/reference-content/containers-private-networks.mdx b/pages/serverless-containers/reference-content/containers-private-networks.mdx index eb72bb33d6..ff9f486588 100644 --- a/pages/serverless-containers/reference-content/containers-private-networks.mdx +++ b/pages/serverless-containers/reference-content/containers-private-networks.mdx 
@@ -25,7 +25,7 @@ Refer to the [dedicated documentation](/organizations-and-projects/additional-co ## Limitations - VPC works with Namespaces that have **VPC support enabled**. VPC support can only be enabled at [namespace creation](/serverless-containers/how-to/create-manage-delete-containers-namespace/#creating-a-serverless-containers-namespace), and cannot be updated afterward. -- Only one Private Network can be attached to a container. +- Only one Private Network can be attached to a Serverless Container. - **VPC routing** (custom routes and cross-PN automatic routing) is not supported yet. - **Ingress** (inbound private traffic from resources to a container within the same Private Network) is not supported yet. - Each [container instance](/serverless-containers/concepts/#instance) has a unique IP automatically assigned by Scaleway in the Private Network. This implies the following: From 8b3c028241716472d2b938ebfeda7fc99e87f283 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 4 Aug 2025 14:22:13 +0200 Subject: [PATCH 4/7] docs(srv): update serverless x VPC doc --- pages/serverless-containers/how-to/use-private-networks.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/serverless-containers/how-to/use-private-networks.mdx b/pages/serverless-containers/how-to/use-private-networks.mdx index 3a5b7b0747..afac06de23 100644 --- a/pages/serverless-containers/how-to/use-private-networks.mdx +++ b/pages/serverless-containers/how-to/use-private-networks.mdx 
@@ -91,4 +91,4 @@ This must be carried out from the VPC section of the console. Follow the procedu ## Private Networks and containers limitations -For more information on limitations when using Private Networks with Serverless Containers, refer to the [dedicated documentation](/serverless-containers/reference-content/containers-limitations/#private-networks-and-virtual-private-cloud-vpc). \ No newline at end of file +For more information on limitations when using Private Networks with Serverless Containers, refer to the [dedicated documentation](/serverless-containers/reference-content/containers-private-networks). \ No newline at end of file From 58a44c7b5c9ff99ab789d9bff2a8e3b5d60ccec8 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 4 Aug 2025 14:30:07 +0200 Subject: [PATCH 5/7] docs(srv): add faas --- .../how-to/use-private-networks.mdx | 2 +- .../functions-limitations.mdx | 16 +-------- .../functions-private-networks.mdx | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+), 16 deletions(-) create mode 100644 pages/serverless-functions/reference-content/functions-private-networks.mdx diff --git a/pages/serverless-functions/how-to/use-private-networks.mdx b/pages/serverless-functions/how-to/use-private-networks.mdx index 7e20dac168..6988d5ad99 100644 --- a/pages/serverless-functions/how-to/use-private-networks.mdx +++ b/pages/serverless-functions/how-to/use-private-networks.mdx 
@@ -91,4 +91,4 @@ This must be carried out from the VPC section of the console. Follow the procedu ## Private Networks and functions limitations -For more information on limitations when using Private Networks with Serverless Functions, refer to the [dedicated documentation](/serverless-functions/reference-content/functions-limitations/#private-networks-and-virtual-private-cloud-vpc). \ No newline at end of file +For more information on limitations when using Private Networks with Serverless Functions, refer to the [dedicated documentation](/serverless-functions/reference-content/functions-private-networks/). \ No newline at end of file diff --git a/pages/serverless-functions/reference-content/functions-limitations.mdx b/pages/serverless-functions/reference-content/functions-limitations.mdx index 51473464a4..2ad5c61544 100644 --- a/pages/serverless-functions/reference-content/functions-limitations.mdx +++ b/pages/serverless-functions/reference-content/functions-limitations.mdx 
@@ -66,21 +66,7 @@ Due to potential abuse (spam), no outbound traffic is allowed through following ## Private Networks and Virtual Private Cloud (VPC) -### Usage - -- Functions in the same namespace can be attached to different Private Networks. - -- Attaching Serverless Functions to Private Networks does not entail additional cost. - -### Compatibility - -Scaleway Serverless Functions support [Virtual Private Cloud (VPC)](/vpc/) and can be attached to a Private Network, which allows you to securely connect your resources in an isolated environment. Refer to the [dedicated documentation](/serverless-functions/how-to/use-private-networks/) for more information. - -### Limitations - -- VPC works with Namespaces that have **VPC support enabled**. VPC support can only be enabled at [namespace creation](/serverless-functions/how-to/create-manage-delete-functions-namespace/#creating-a-serverless-functions-namespace), and cannot be updated afterward. - -- Only one Private Network can be attached to a function. +Refer to the [dedicated documentation](/serverless-functions/reference-content/functions-private-networks/) on VPC and Serverless Functions integration for more information. ## Versioning and rollback diff --git a/pages/serverless-functions/reference-content/functions-private-networks.mdx b/pages/serverless-functions/reference-content/functions-private-networks.mdx new file mode 100644 index 0000000000..d2db4b538e --- /dev/null +++ b/pages/serverless-functions/reference-content/functions-private-networks.mdx 
@@ -0,0 +1,34 @@ +--- +title: Serverless Functions and Private Networks integration +description: This page contains details on how Serverless Functions interacts with Virtual Private Cloud and Private Networks +dates: + - posted: 2025-08-04 + - validation: 2025-08-04 +--- + +## Compatibility + +Scaleway Serverless Functions support [Virtual Private Cloud (VPC)](/vpc/) and can be attached to a Private Network, which allows you to securely connect your resources in an isolated environment. Refer to the [dedicated documentation](/serverless-functions/how-to/use-private-networks/) for more information. + +## Features + +- Functions in the same namespace can be attached to different Private Networks. +- Both [sandbox](/serverless-functions/concepts/#sandbox) environments (`V1` and `V2`) are compatible with Private Networks. +- Attaching Serverless Functions to Private Networks **does not entail additional cost**. +- **Egress** (outbound private traffic from a function to resources within the same Private Network) will be routed through the private interface, but external traffic (from the Internet) will be through the public endpoint of the function. +- All DNS resolution is done through the Private Network (using the VPC DNS server `169.254.169.254`), which allows to resolve `*.internal` records. + +## Quotas + +Refer to the [dedicated documentation](/organizations-and-projects/additional-content/organization-quotas/) for more information on Private Networks quotas for Serverless Functions. + +## Limitations + +- VPC works with Namespaces that have **VPC support enabled**. VPC support can only be enabled at [namespace creation](/serverless-functions/how-to/create-manage-delete-functions-namespace/#creating-a-serverless-functions-namespace), and cannot be updated afterward. +- Only one Private Network can be attached to a Serverless Container. +- **VPC routing** (custom routes and cross-PN automatic routing) is not supported yet. 
+- **Ingress** (inbound private traffic from resources to a function within the same Private Network) is not supported yet. +- Each [function instance](/serverless-functions/concepts/#instance) has a unique IP automatically assigned by Scaleway in the Private Network. This implies the following: + - Users **cannot preemptively book an IP** with [IPAM](/ipam/), and reference it in the attachment. + - A single Serverless Container can have a **large number of IPs** being used within the Private Network, depending on the number of concurrent instances. + - **Cold-starts are slightly longer** due to the additional steps required to attach the node to the Private Network and book an IP. From d6f20dc0ec27bd71ce0154526e7e1c51f325b6bf Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 4 Aug 2025 14:31:41 +0200 Subject: [PATCH 6/7] docs(srv): add faas --- menu/navigation.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/menu/navigation.json b/menu/navigation.json index 66b63605ce..24da2abec4 100644 --- a/menu/navigation.json +++ b/menu/navigation.json @@ -4677,6 +4677,10 @@ "label": "Functions runtimes", "slug": "functions-runtimes" }, + { + "label": "Functions and Private Networks integration", + "slug": "functions-private-networks" + }, { "label": "Functions limitations", "slug": "functions-limitations" From af3f0e4e834d98e9462bbb02d9eff52c9850f912 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 4 Aug 2025 16:35:10 +0200 Subject: [PATCH 7/7] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Néda <87707325+nerda-codes@users.noreply.github.com> --- .../reference-content/containers-private-networks.mdx | 8 ++++---- .../reference-content/functions-private-networks.mdx | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/pages/serverless-containers/reference-content/containers-private-networks.mdx b/pages/serverless-containers/reference-content/containers-private-networks.mdx index ff9f486588..8259580c08 100644 --- a/pages/serverless-containers/reference-content/containers-private-networks.mdx +++ b/pages/serverless-containers/reference-content/containers-private-networks.mdx @@ -2,8 +2,8 @@ title: Serverless Containers and Private Networks integration description: This page contains details on how Serverless Containers interacts with Virtual Private Cloud and Private Networks dates: - - posted: 2025-07-29 - - validation: 2025-07-29 + posted: 2025-07-29 + validation: 2025-07-29 --- ## Compatibility @@ -14,8 +14,8 @@ Scaleway Serverless Containers support [Virtual Private Cloud (VPC)](/vpc/) and - Containers in the same namespace can be attached to different Private Networks. - Both [sandbox](/serverless-containers/concepts/#sandbox) environments (`V1` and `V2`) are compatible with Private Networks. -- Attaching Serverless Containers to Private Networks **does not entail additional cost**. -- **Egress** (outbound private traffic from a container to resources within the same Private Network) will be routed through the private interface, but external traffic (from the Internet) will be through the public endpoint of the container. +- Attaching Serverless Containers to Private Networks **does not incur additional cost**. +- **Egress** (outbound private traffic from a container to resources within the same Private Network) will be routed through the private interface, but external traffic (from the Internet) will be routed through the public endpoint of the container. - All DNS resolution is done through the Private Network (using the VPC DNS server `169.254.169.254`), which allows to resolve `*.internal` records. ## Quotas 
diff --git a/pages/serverless-functions/reference-content/functions-private-networks.mdx b/pages/serverless-functions/reference-content/functions-private-networks.mdx index d2db4b538e..5a81b550f2 100644 --- a/pages/serverless-functions/reference-content/functions-private-networks.mdx +++ b/pages/serverless-functions/reference-content/functions-private-networks.mdx @@ -14,8 +14,8 @@ Scaleway Serverless Functions support [Virtual Private Cloud (VPC)](/vpc/) and c - Functions in the same namespace can be attached to different Private Networks. - Both [sandbox](/serverless-functions/concepts/#sandbox) environments (`V1` and `V2`) are compatible with Private Networks. -- Attaching Serverless Functions to Private Networks **does not entail additional cost**. -- **Egress** (outbound private traffic from a function to resources within the same Private Network) will be routed through the private interface, but external traffic (from the Internet) will be through the public endpoint of the function. +- Attaching Serverless Functions to Private Networks **does not incur additional cost**. +- **Egress** (outbound private traffic from a function to resources within the same Private Network) will be routed through the private interface, but external traffic (from the Internet) will be routed through the public endpoint of the function. - All DNS resolution is done through the Private Network (using the VPC DNS server `169.254.169.254`), which allows to resolve `*.internal` records. ## Quotas
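Review bot: In [PATCH 1/7], the new containers-private-networks.mdx uses "ingress" and "egress" in opposite senses within the same page. The Features section labels container-to-PN traffic as egress and says there is "no ingress (PN resources to container)", while the closing paragraph says "only ingress is implemented (phase 1: call a resource in the PN from a Function/Container)". The same file also carries the internal to-do bullet "UPDATE QUOTAS DOC". [PATCH 2/7] rewrites both, so squash 1/7 into 2/7 before merging so that no intermediate commit publishes the contradictory direction of traffic.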
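Review bot: In [PATCH 2/7], the two "Private Networks (VPC) quotas" tables added to organization-quotas.mdx do not state what the quota counts. The row "Maximum attached Private Networks | 5 | 10" reads as a per-container or per-function limit, which contradicts the limitation added in the same patch, "Only one Private Network can be attached to a container." The draft in 1/7 described this as "Container Unique Private Networks", so add one sentence above each table naming the scope (number of distinct Private Networks across containers or functions) and the level at which it is enforced.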
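Review bot: In [PATCH 4/7], the new link target in pages/serverless-containers/how-to/use-private-networks.mdx is missing its trailing slash: "/serverless-containers/reference-content/containers-private-networks)". Every other internal link in this series ends with "/", including the equivalent functions link added in 5/7 ("/serverless-functions/reference-content/functions-private-networks/"). Add the slash so both how-to pages link the same way.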
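Review bot: In [PATCH 5/7], the Limitations section of the new functions-private-networks.mdx still names the wrong product in two places copied from the containers page: "Only one Private Network can be attached to a Serverless Container." and "A single Serverless Container can have a **large number of IPs**". Both should read "Serverless Function". 7/7 touches this file but only changes the Features bullets, so the wording is still present at the end of the series.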
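Review bot: In [PATCH 7/7], the front matter change in containers-private-networks.mdx (hunk @@ -2,8 +2,8 @@) is not mirrored in functions-private-networks.mdx. The containers page moves from "- posted: 2025-07-29" list items to plain "posted:" and "validation:" keys under "dates:", but the only functions hunk in this patch is @@ -14,8 +14,8 @@, so the functions page keeps the list form "- posted: 2025-08-04" added in 5/7. Apply the same front matter change to the functions page so both files parse identically.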
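Review bot: In [PATCH 7/7], the reworded **Egress** bullet in both Features hunks (@@ -14,8 +14,8 @@) still leaves outbound Internet traffic undefined. "external traffic (from the Internet) will be routed through the public endpoint" describes inbound requests only, under a bullet titled Egress, whereas the 1/7 draft said "external traffic (Internet) will be through the public (already existing) interface". Readers planning egress filtering need to know whether a container or function attached to a Private Network still reaches the Internet over its public interface, so split this into one bullet for private egress and one that states explicitly how outbound and inbound public traffic are handled. In the next bullet, "which allows to resolve" should be "which allows resolving".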