2 changes: 2 additions & 0 deletions pages/site-to-site-vpn/concepts.mdx
Expand Up @@ -11,6 +11,8 @@ dates:

An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using [BGP](#border-gateway-protocol-bgp) across the VPN. Each BGP peer must have a unique ASN to identify its routing domain.

[Learn more about ASNs](/site-to-site-vpn/faq/#what-is-an-asn-and-why-do-i-have-to-supply-one-when-creating-a-customer-gateway).

## Border Gateway Protocol (BGP)

**B**order **G**ateway **P**rotocol is a standardized gateway protocol that allows autonomous systems to exchange routing information. Site-to-Site VPN uses BGP to facilitate route propagation, so that the VPC gateway and the customer gateway can learn each other's routes.
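Review bot: The added "Learn more about ASNs" link under the ASN definition points at an anchor generated from the full FAQ question (`#what-is-an-asn-and-why-do-i-have-to-supply-one-when-creating-a-customer-gateway`), so any later rewording of that FAQ heading breaks the link without touching this file. Consider confirming that the link checker covers in-page anchors, or shortening the FAQ heading so the anchor is less likely to change. The first sentence of the ASN definition is also repeated verbatim in faq.mdx; keeping the definition here and letting the FAQ link back would leave one copy to maintain.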
25 changes: 24 additions & 1 deletion pages/site-to-site-vpn/faq.mdx
Expand Up @@ -7,6 +7,9 @@ dates:
validation: 2025-12-05
---

import image3 from './assets/scaleway-vpn-one-tunnel-both.webp'
import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp'

## Overview

### What is Site-to-Site VPN?
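Review bot: The import names `image3` and `image4` added at the top of faq.mdx say nothing about what each diagram shows, while the new how-to pages in this change use a descriptive name (`s2sDiagram`) for their import. Suggest naming these after their content, for example one for the IPv4 tunnel carrying both traffic types and one for the IPv6 tunnel carrying IPv4 only, so the `<Lightbox>` usages further down can be matched to the right asset at a glance.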
Expand All @@ -29,8 +32,28 @@ No, you cannot use Site-to-Site VPN to connect two Scaleway VPCs. Watch out for

Yes, this use case is entirely possible.

### What is an ASN and why do I have to supply one when creating a customer gateway?

An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet.

When [creating a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/), you are asked to provide its ASN. This is necessary for dynamic routing across the VPN using [BGP](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp). Each BGP peer must have a unique ASN to identify its routing domain.

The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future.

ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`.

### If I create a connection using gateways' public IPv4 addresses, does this mean the tunnel won't support IPv6 traffic?

No. Be assured that IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. The public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type.

The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic:
<Lightbox image={image3} alt="A diagram shows a VPN gateway and a customer gateway, with a tunnel between them established via their public IPv4 addresses. Both IPv4 and IPv6 traffic flow through the tunnel."/>

The following diagram shows a connection with an IPv6 tunnel (i.e. established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic:
<Lightbox image={image4} alt="A diagram shows a VPN gateway and a customer gateway, with a tunnel between them established via their public IPv6 addresses. IPv4 traffic flows through the tunnel."/>

## Pricing and billing

### How much does Site-to-Site VPN cost?

Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/) for full details.
Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/#site-to-site-vpn) for full details.
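Review bot: In the new ASN answer, "If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN" reads as if any value in `64512` to `65534` will do, but the number entered here has to be the ASN the device itself uses in its BGP session, otherwise the two peers will not establish. Suggest adding a sentence saying the chosen private ASN must then be configured on the customer gateway device, with a link to the device configuration page. Minor: the two diagram lead-ins punctuate differently ("i.e.," and "i.e."); pick one.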
118 changes: 118 additions & 0 deletions pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx
@@ -0,0 +1,118 @@
---
title: How to create and manage a customer gateway
description: Learn how to create and manage a customer gateway on Scaleway to establish a Site-to-Site VPN. This guide covers setting up the gateway object, configuring ASN and public IP details, and preparing for on-premises device configuration.
tags: site-to-site-vpn vpn customer-gateway vpn-gateway networking vpc ipsec bgp routing-policy remote-access network-infrastructure on-premises
dates:
validation: 2025-12-31
posted: 2025-12-31
---
import Requirements from '@macros/iam/requirements.mdx'

import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp'

A customer gateway is one of the essential building blocks of a Site-to-Site VPN. It provides the connection point on the remote side of a VPN tunnel.

<Lightbox image={s2sDiagram} alt="A diagram shows how a VPN gateway connects to a Private Network within a Scaleway VPC, and how a VPN connection then links it to a customer gateway " />

This document explains how to create and manage a **customer gateway** with the Scaleway console.

<Message type="note">
A customer gateway in this context is an object representing a **real** corresponding physical (or virtual) customer gateway device on your remote infrastructure. You, as the customer, must also [set up the real customer gateway networking device](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/), which can be physical or software-based.
</Message>

<Requirements />

- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization

## How to create a customer gateway

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click the **Customer gateways** tab, then **Create Customer gateway**. The creation wizard displays.

3. **Choose a region** in which to create your customer gateway. The resource will be created in this geographical location. Customer gateways must be in the same region as the resources (VPN gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel.

4. **Define connectivity parameters**, to supply Scaleway with essential details of your remote customer gateway device:

- **IP address**: Provide the public IP address(es) of your customer gateway device, used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single VPN gateway (for dual tunnels, increasing redundancy), provide an address for each IP type.
- **ASN**: Provide the unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks.

<Message type="tip">
The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future.

ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`.
</Message>

5. **Enter a name and (optionally) tags** for the customer gateway.

6. Click **Create customer gateway** to finish.

Your gateway is created, and you are directed to its **Overview** page.

To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) or [create a connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/).

## How to view a customer gateway's details

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click the **Customer gateways** tab.

3. Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays.

Here you can view the gateway's:
- Region
- ID
- ASN
- Public IP addresses
- Number of [VPN connections](/site-to-site-vpn/concepts/#connection) it is used in

## How to edit a customer gateway

Currently, the only parameters of a customer gateway that can be edited after creation are its **name** and **tags**.

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click the **Customer gateways** tab.

3. Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays.

4. Click the **Settings** tab.

5. Make your edits as required:
- Click directly on the gateway's name at the top of the page to edit it.
- Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag.

## How to configure a customer gateway device

Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device.

Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection.

See our [dedicated page](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) for advice on configuring your customer gateway device.

## How to delete a customer gateway

You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on any VPN connections linked to the customer gateway, before you can delete the gateway.

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click the **Customer gateways** tab.

3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays.

4. Click the **Settings** tab.

5. Click **Delete customer gateway**.

A pop-up displays, informing you that any [VPN connections](/site-to-site-vpn/concepts/#connection) using this gateway will be auto-deleted.

You must manually delete any other objects associated with the gateway, such as VPN gateways or routing policies, if you do not need them anymore.

6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button.

The gateway is deleted, and you are returned to the list of your customer gateways.




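Review bot: In "How to delete a customer gateway", step 3 tells the reader to filter for "the region of the VPN gateway you want to configure", which names the wrong object and the wrong action for a customer gateway deletion; it should read "the customer gateway you want to delete". In the same section, step 6 has unbalanced bold markup in `**Delete* button`, which will render a stray asterisk. The "view details" section also says "you want to configure" where "view" is meant. Since the pop-up text states that linked VPN connections are auto-deleted, it is worth checking that the prerequisite sentence about deactivating route propagation and the pop-up description agree on what happens to those connections.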
87 changes: 87 additions & 0 deletions pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx
@@ -0,0 +1,87 @@
---
title: How to create and manage routing policies
description: Find out how to create a routing policy for your Scaleway Site-to-Site VPN. Whitelist incoming and outgoing route announcements, so that traffic can flow securely over your VPN connection.
dates:
validation: 2025-12-31
posted: 2025-12-31
tags: site-to-site-vpn vpn routing-policy bgp border-gateway-protocol network security vpc route-propagation ipv4 ipv6
---
import Requirements from '@macros/iam/requirements.mdx'

import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp'

A routing policy is one of the essential building blocks of a Site-to-Site VPN:

<Lightbox image={s2sDiagram} alt="A diagram shows how a VPN gateway connects to a Private Network within a Scaleway VPC, and how a VPN connection then links it to a customer gateway " />

A Site-to-Site VPN connection uses [**B**order **G**ateway **P**rotocol](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp) to exchange routing information between the VPN gateway on the Scaleway side, and the customer gateway on the remote side. Each side advertises IP prefixes for its own internal subnets and resources, to allow the other side to dynamically learn and update its internal routes, facilitating efficient traffic flow.

However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy/), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel.

A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6).

When creating a routing policy, you specify one or many IP ranges representing the outgoing routes to announce from the Scaleway VPN gateway, and one or many IP ranges representing the incoming route announcements to accept from the customer gateway. When [route propagation](/site-to-site-vpn/concepts/#route-propagation) is activated, the route ranges defined in the routing policy are whitelisted, and traffic can flow through the tunnel along these routes.

## How to create a routing policy

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click the **Routing policies** tab, then **Create routing policy**. The creation wizard displays.

3. Choose a region for the policy. It can only be attached to VPN connections within the same region.

4. Define the type of IP traffic to be covered by the routing policy.

5. Whitelist the outgoing routes to allow. For each entry:
- Enter an IP prefix to define a range of route announcements to whitelist, e.g. `172.16.4.0/22`.
- Click **Add** when complete.

<Message type="tip">
Routes within these destinations will be propagated, allowing traffic from your remote infrastructure to be routed through the VPN tunnel to your Scaleway VPN gateway. For example, adding `172.16.4.0/22` whitelists all 1,024 IPs in this block, from `172.16.4.0` to `172.16.7.255`.
</Message>

6. Whitelist the incoming routes to allow, in the same way you did for outgoing routes. Outgoing routes concern announcements to accept from the remote infrastructure. Traffic can be routed through the VPN tunnel from your Scaleway VPN gateway to your remote infrastructure along these routes.

7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**.

8. Click **Create routing policy**.

The policy is created, and you are returned to the listing of your routing policies.

Remember to [attach the policy to a VPN connection](/site-to-site-vpn/how-to/create-manage-routing-policy/) for it to take effect. Each VPN connection can have only one IPv4 and one IPv6 policy attached to it, but a single routing policy can be attached to multiple VPN connections.

## How to edit an existing routing policy

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click on the **Routing policies** tab. A list of your routing policies displays. Use the **region selector** at the top of the page to filter for the region of the routing policy you want to edit.

3. Click <Icon name="more" /> next to the routing policy to edit, and select **Edit** in the menu that displays.

4. The **Edit routing policy** wizard displays. See the dedicated documentation on [creating and attaching a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for help with routing policies.

5. Make the required edits, and click **Edit routing policy**.

A warning displays, to remind you that modifications will immediately be propagated on VPN connections using this policy.

6. Click **Save**.

The policy is modified and modifications are immediately applied.

## How to attach a routing policy to a connection

See our [dedicated documentation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy).

## How to delete a routing policy

1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays.

2. Click on the **Routing policies** tab. A list of your routing policies displays. Use the **region selector** at the top of the page to filter for the region of the routing policy you want to delete.

3. Click <Icon name="more" /> next to the routing policy to delete, and select **Delete** in the menu that displays.

A pop-up displays, informing you that this action will permanently delete the routing policy.

4. Click **Delete policy** to confirm.

The routing policy is deleted, and you are returned to the **Routing policies** tab.
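Review bot: Step 6 of "How to create a routing policy" opens with "Whitelist the incoming routes" but the next sentence says "Outgoing routes concern announcements to accept from the remote infrastructure"; that should be "Incoming routes", and as written a reader can put the prefix filters on the wrong direction of the policy. Several links also point back to this same page: the introduction's "routing policies", the "attach the policy to a VPN connection" reminder after step 8, and step 4 of the edit procedure. The attach reminder should use the target already given under "How to attach a routing policy to a connection" (`/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy`). In the edit procedure, step 5 ends with clicking **Edit routing policy** and step 6 with **Save**; confirm which button label the warning dialog actually shows.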