fix(vpc): add limitations and faq (#4479)

* fix(vpc): add limitations and faqé

* fix(vpc): corrections

* Apply suggestions from code review

Co-authored-by: Benedikt Rollik <[email protected]>

* Update faq/vpc.mdx

---------

Co-authored-by: Benedikt Rollik <[email protected]>

Author: RoRoJ

faq/vpc.mdx

@@ -10,32 +10,64 @@ category: network
 productIcon: VpcProductIcon
 ---
 
-## What is the difference between VPC and a Private Network?
+## VPC basics
+
+### What is the difference between VPC and a Private Network?
 
 One default VPC (**V**irtual **P**rivate **C**loud) for every available region is automatically created in each Scaleway [Project](/organizations-and-projects/concepts/#project). A VPC offers layer 3 network isolation.
 
-Within each VPC, you can create multiple **Private Networks** and attach Scaleway resources to them, as long as the resources are in an AZ within the network's region. Attached resources can then communicate between themselves in an isolated and secure layer 2 network, away from the public internet.
+Within each VPC, you can create multiple **Private Networks** and attach Scaleway resources to them, as long as the resources are in an AZ within the network's region. Attached resources can then communicate between themselves in an isolated and secure layer 2 network, away from the public internet. VPC routing facilitates communication between resources on the different Private Networks within the VPC.
 
 In the future, VPC will allow you to interconnect your VPC with other networks, define access control lists and more.
 
-## Can I route traffic between different Private Networks on the same VPC?
+### What happened to my classic, mono-AZ Private Network?
+
+When VPC and regional Private Networks moved from Public Beta to General Availability, all mono-AZ Private Networks were automatically migrated to be regional. [Read the documentation](/vpc/reference-content/vpc-migration/) to find out more about the migration process.
+
+### What is a default VPC and why can I not delete it?
+
+Scaleway currently has three regions: Paris, Amsterdam and Warsaw. One default VPC is automatically created for each region, in each Scaleway [Project](/organizations-and-projects/concepts/#project). Any new Private Networks that you create will be added to the default VPC for their region, unless you override this by specifying a different VPC.
+
+You cannot delete a default VPC, but you can rename it, and/or create other VPCs and use those rather than the default VPCs, if you prefer. Default VPCs do not prevent you from deleting an otherwise empty Project.
+
+### How much does it cost to create a VPC, Private Network or reserved private IP addresses?
+
+The following resources and features are free of charge:
+
+- VPCs and VPC routing
+- Private Networks (except for [Elastic Metal servers](https://www.scaleway.com/en/pricing/elastic-metal/) and [Apple silicon](https://www.scaleway.com/en/pricing/apple-silicon/))
+- Reserved private IP addresses on IPAM
+
+### Why can I not delete my Private Network even though it is empty?
+
+You might have a reserved IP address that is blocking the deletion - check out our [troubleshooting page](/vpc/troubleshooting/cant-delete-vpc-pn/).
+
+## VPC routing
+
+### Can I route traffic between different Private Networks on the same VPC?
 
 Yes, [VPC routing](/vpc/concepts#routing) allows you to automize the routing of traffic between resources in different Private Networks within the same VPC.
 
-## Can I route traffic between different Private Networks in different VPCs or different Scaleway Projects?
+### Can I route traffic between different Private Networks in different VPCs or different Scaleway Projects?
 
 This is not currently possible. You may consider using a VPN tunnel to achieve this, for example [IPsec](https://en.wikipedia.org/wiki/IPsec) or [WireGuard](https://en.wikipedia.org/wiki/WireGuard). Scaleway also offers an [OpenVPN InstantApp](/tutorials/openvpn-instant-app/), making it easy to install a VPN directly on an Instance.
 
-## What happened to my classic, mono-AZ Private Network?
+### Why can I not route traffic to my Managed Database on another Private Network?
 
-When VPC and regional Private Networks moved from Public Beta to General Availability, all mono-AZ Private Networks were automatically migrated to be regional. [Read the documentation](/vpc/reference-content/vpc-migration/) to find out more about the migration process.
+Managed Databases do not currently support VPC routing - see our [dedicated documentation](/vpc/reference-content/understanding-routing/#limitations)
+
+## IPAM and IP addressing
+
+### What is IPAM?
+
+**IP** **A**ddress **M**anager (IPAM) is Scaleway’s tool for planning, tracking, and managing the IP address space of Scaleway products. It acts as a single source of truth for the IP addresses of Scaleway resources, and has a number of associated functionalities to help manage your Scaleway IPs, such as the ability to reserve an IP on a Private Network and attach it to a specific resource. See our [IPAM FAQ](/faq/ipam/) for more detail.
 
-## Do resources' IP addresses on a Private Network risk changing when allocated by managed DHCP?
+### Do resources' IP addresses on a Private Network risk changing when allocated by managed DHCP?
 
-With managed DHCP, the IP is allocated when the resource is attached to a Private Network, and released only when the resource is detached or deleted. The IP address remains stable across reboots and long power offs, and will not change except upon deletion or detachment from the Private Network.
+With Private Networks' inbuilt managed DHCP, a private IP is allocated when the resource is attached to a Private Network, and released only when the resource is detached or deleted. The IP address remains stable across reboots and long power offs, and will not change except upon deletion or detachment from the Private Network.
 
 Nonetheless, you can also reserve specific IPs from a Private Network's CIDR block, and use these IPs to attach specific resources, if you prefer. See our documentation on [how to reserve IPs](/ipam/how-to/reserve-ip/).
 
-## How can I manage IP addresses for my Proxmox Virtual Machines (VMs) on Elastic Metal servers?
+### How can I attach my VMs on a Proxmox cluster on Elastic Metal to a Private Network?
 
 We recommend that you use our IPAM product for this purpose. See [how to reserve a private IP address with an attached MAC address](/ipam/how-to/reserve-ip/#how-to-reserve-a-private-ip-address-with-an-attached-mac-address).

pages/vpc/how-to/manage-routing.mdx

@@ -86,6 +86,10 @@ Each VPC has auto-generated, managed routes to local subnets and Public Gateways
 
 For example, you may wish to route all traffic for a certain private IP range to an Instance hosting a manually configured VPN tunnel, allowing secure connection to a corresponding subnet at the other end of the tunnel.
 
+    <Message type="note">
+    Custom routes are scoped to the Private Network(s) of the "next hop" resource. Their routes are not propagated to other Private Networks in the VPC. In the scenario mentioned above of routing traffic towards a VPN tunnel, the origin of the packet must be in the same Private Network as the resource hosting the VPN.
+    </Message>
+
 Follow the steps below to define a custom route:
 
 1. Click **VPC** in the **Network** section of the side menu. The list of your VPCs displays.
@@ -164,3 +168,7 @@ It is not possible to manually delete an auto-generated, managed route. Only cus
 5. Click **Delete route** to confirm.
 
     The custom route is deleted, and you are returned to the list of your VPC's routes.
+
+## Routing limitations and best practices
+
+Read more about the VPC routing feature, including detailed explanations, usage considerations, limitations and best practices in our [dedicated reference content](/vpc/reference-content/understanding-routing/).

pages/vpc/reference-content/understanding-routing.mdx

@@ -63,6 +63,7 @@ Bear in mind the following when activating VPC routing:
 - When routing is activated, all Private Networks on the VPC can communicate.
 - We do not currently offer an ACL/firewall feature to prevent communication between certain Private Networks/resources once routing is activated. However, users may choose to configure ACLs directly on certain resources (e.g. Instances, Elastic Metal servers) using tools such as `iptables` or `nftables`.
 - Public Gateways remain scoped to the Private Network to which they are attached. They do not advertise the default route on other Private Networks in the VPC. For example, an Instance attached to Private Network A will not be able to access the internet via a Public Gateway in Private Network B.
+- Custom routes are scoped to the Private Network(s) of the "next hop" resource. Their routes are not propagated to other Private Networks in the VPC. For example, in the scenario of using a custom route to route traffic towards a VPN tunnel, the origin of the packet must be in the same Private Network as the resource hosting the VPN.
 
 ## Best practices
 
@@ -78,6 +79,5 @@ For example, you may use one Private Network for frontend resources and another
 
 ## Limitations
 
-Managed Databases are not currently compatible with routing. The VPC cannot automatically route between Managed Databases on different Private Networks, or (for example) between a Managed Database on one Private Network and an Instance on a different Private Network.
-
-
+- Managed Databases are not currently compatible with routing. The VPC cannot automatically route between Managed Databases on different Private Networks, or (for example) between a Managed Database on one Private Network and an Instance on a different Private Network.
+- VPC routing does not currently support virtual IPs.