Commit 535f6dc

RoRoJnerda-codesjcirinosclwy
authored
fix(managed-inf): update docs for managing access (#5366)
* fix(ai): fix access doc
* fix(ai): managed inf network access docs
* Apply suggestions from code review

  Co-authored-by: Néda <[email protected]>
* Apply suggestions from code review

  Co-authored-by: Jessica <[email protected]>

---------

Co-authored-by: Néda <[email protected]>
Co-authored-by: Jessica <[email protected]>
1 parent 8acba5e commit 535f6dc

6 files changed

+88
-32
lines changed

menu/navigation.json

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -917,7 +917,7 @@
917917
"slug": "configure-autoscaling"
918918
},
919919
{
920-
"label": "Manage allowed IP addresses",
920+
"label": "Manage access to a deployment",
921921
"slug": "manage-allowed-ips"
922922
},
923923
{
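
Review bot: The slug on line 921 stays `manage-allowed-ips` while the label on line 920 becomes "Manage access to a deployment", so the URL now names a feature the rest of this commit declares unavailable. Consider renaming the slug and adding a redirect from the old path, or state in the PR description that the slug is kept deliberately to preserve inbound links.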

pages/managed-inference/concepts.mdx

Lines changed: 1 addition & 3 deletions
@@ -7,9 +7,7 @@ dates:
77
---
88
## Allowed IPs
99

10-
Allowed IPs are single IPs or IP blocks that have the [required permissions to remotely access a deployment](/managed-inference/how-to/manage-allowed-ips/). They allow you to define which host and networks can connect to your Managed Inference endpoints. You can add, edit, or delete allowed IPs. In the absence of allowed IPs, all IP addresses are allowed by default.
11-
12-
Access control is handled directly at the network level by Load Balancers, making the filtering more efficient and universal and relieving the Managed Inference server from this task.
10+
The **Allowed IPs** feature is no longer available for Managed Inference deployments. Use one of the alternative methods detailed in our [dedicated documentation](/managed-inference/how-to/manage-allowed-ips/) to restrict access to your Managed Inference deployments.
1311

1412
## Context size
1513
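
Review bot: The replacement paragraph on line 10 says the feature is no longer available but not what happens to allowed IPs already configured on existing deployments; the removed text described filtering enforced at the Load Balancer, so readers who relied on it need to know whether their endpoints are now reachable from any address. Suggest adding a sentence that states this, and consider renaming the `## Allowed IPs` heading or marking it as deprecated, since it remains a concept entry for a removed feature.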

13.8 KB
Lines changed: 80 additions & 25 deletions
@@ -1,44 +1,99 @@
11
---
2-
title: How to manage allowed IP addresses for Managed Inference deployments
3-
description: This page explains how to configure allowed IP addresses for Managed Inference deployments
2+
title: How to manage access to your Managed Inference deployments
3+
description: This page explains how to manage and restrict access and authentication for your Managed Inference deployments
44
tags: managed-inference ai-data ip-address
55
dates:
6-
validation: 2025-03-19
6+
validation: 2025-07-31
77
posted: 2024-03-06
88
---
99
import Requirements from '@macros/iam/requirements.mdx'
1010

11+
import apiAuthentication from './assets/scaleway-api-authentication.webp'
1112

12-
Allowed IPs restrict the IPs allowed to access your Managed Inference endpoints. In the absence of allowed IPs, all IP addresses are allowed by default.
13+
<Message type="important">
14+
The **Allowed IPs** feature via ACLs is no longer available for Managed Inference deployments. We recommended using one of the alternative methods detailed in this document to restrict access to your Managed Inference deployments.
15+
</Message>
16+
17+
You can manage and restrict access to your Managed Inference deployments via the following methods:
18+
19+
- Enable or disable authentication by API key
20+
- Use [IAM](/iam/) features to control which API keys are accepted and under what conditions (including IP-based restrictions)
21+
- Remove your deployment's public endpoint, and allow controlled access only via Private Networks
22+
23+
Read on for full details.
1324

1425
<Requirements />
1526

1627
- A Scaleway account logged into the [console](https://console.scaleway.com)
1728
- A [Managed Inference deployment](/managed-inference/quickstart/)
1829
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
1930

31+
## How to enable or disable authentication by API key
32+
33+
By default, when you create your Managed Inference deployment, authentication by API key is automatically enabled. This means that when the deployment is accessed via either its public or private endpoint, a valid Scaleway API key must accompany all requests.
34+
35+
You can disable API key authentication at any time, for either the public endpoint, the private endpoint, or both.
36+
37+
1. Click **Managed Inference** in the **AI** section of the [Scaleway console](https://console.scaleway.com) side menu. A list of your deployments displays.
38+
2. From the drop-down menu, select the geographical region containing your deployment.
39+
3. Click the deployment whose authentication you want to manage. The deployment's dashboard displays.
40+
4. Click the **Security** tab.
41+
5. In the **Authentication** panel, use the toggles <Icon name="toggle" /> to enable or disable authentication by API key for the public and/or private endpoint.
42+
43+
<Lightbox image={apiAuthentication} alt="A screenshot of the Scaleway console shows the toggles for API key authentication first for public endpoints, then for private endpoints" />
44+
45+
## How to manage access to a deployment with IAM
46+
47+
When [authentication by API key](#enable-or-disable-authentication-by-api-key) is enabled, a valid [Scaleway API key](/iam/concepts/#api-key) must accompany all requests sent to your deployment's endpoint.
48+
49+
An API key is considered valid to access a deployment when:
50+
51+
- It belongs to the [Owner](/iam/concepts/#owner) of the Organization which owns the deployment, or
52+
- It belongs to a [Member](/iam/concepts/#member) or [Application](/iam/concepts/#application) of the Organization which owns the deployment, and the Member/Application has appropriate [IAM permissions](/iam/reference-content/permission-sets/).
53+
54+
There are two IAM permission sets specific to Managed Inference deployments: `InferenceFullAccess` (allowing access to create, read, update, and delete a deployment) and `InferenceReadOnly` (allowing read-only access). Alternatively, wide-scoped permission sets such as `AllProductsFullAccess` will also allow access.
55+
56+
Permissions are attributed via [policies](/iam/concepts/#policy), which are then attached to a Member or Application.
57+
58+
You can further restrict access by imposing **conditions** when defining a policy. This enables you to allow access only to authorized API keys when presented by specific user agents (e.g., Terraform), from certain IP addresses, or during defined dates and times.
59+
60+
### How to manage deployment access as an Organization Owner or Administrator
61+
2062
<Message type="note">
21-
Allowed IP configuration is only available for public endpoints.
63+
If you only want to access the deployment yourself, and you are the Owner of the Organization that created the deployment, simply [generate an API key](/iam/how-to/create-api-keys/) for yourself, and it will automatically have full rights to access and manage the deployment.
64+
65+
Read on if you want to manage access to your deployment for others.
2266
</Message>
2367

24-
## How to allow an IP address to connect to a deployment
68+
1. [Invite Members](/iam/how-to/manage-members/) (other humans) to your Organization, or [create Applications](/iam/how-to/create-application/) (non-human users).
69+
2. Create and attach a [policy](/iam/how-to/create-policy/) to the Member or Application, defining the permissions they should have in your Organization by selecting permission sets (e.g. `InferenceFullAccess`). If desired, define [conditions](/iam/concepts/#conditions) as part of the policy, to further restrict access based on user agent type, date/time or IP address.
2570

26-
1. Click **Managed Inference** in the **AI** section of the [Scaleway console](https://console.scaleway.com) side menu. A list of your deployments displays.
27-
2. From the drop-down menu, select the geographical region you want to manage.
28-
3. Click a deployment name or <Icon name="more" /> > **More info** to access the deployment dashboard.
29-
4. Click the **Security** tab and navigate to the **Allowed IPs** section. A list of your allowed IP addresses displays.
30-
5. Click **Add allowed IP**. The IP can be a single IP or an IP block.
31-
<Message type="note">
32-
The IP must be specified in CIDR format, i.e. `198.51.100.135/32` for a single IP or `198.51.100.0/24` for an IP block.
33-
</Message>
34-
6. Enter a single IP address or a subnetwork.
35-
<Message type="note">
36-
To restore initial settings and allow connections from all IPs, delete all allowed IPs from the list.
37-
</Message>
38-
39-
## How to delete an IP address from the allowed list
40-
41-
1. Go to your allowed IP address list.
42-
2. Click <Icon name="more" /> and select **Delete**.
43-
3. A pop-up displays. Type **DELETE** to confirm.
44-
4. Click **Delete allowed IP**.
71+
All API keys generated by the Member, or for the Application, will automatically inherit the permissions you defined, and can be used to access a Managed Inference deployment's endpoint depending on those permissions.
72+
73+
You can revoke access to a deployment at any time by [modifying or deleting the policy](/iam/how-to/manage-policies/) attached to the Member or Application in question.
74+
75+
### How to access a deployment as an Organization Member
76+
77+
Your access to Managed Inference deployments owned by an Organization in which you are a Member depends on the IAM permissions attributed to you by the Organization's Owner or administrators.
78+
79+
Your permissions will be automatically applied to any API keys you generate for yourself in the Scaleway console. Check with your Organization Owner if you are unsure that you have the right permissions to access a Managed Inference deployment.
80+
81+
1. Log into the [Scaleway console](https://console.scaleway.com) and [generate an API key for yourself](/iam/how-to/create-api-keys/).
82+
2. Use this API key for authentication when sending requests to a Managed Inference deployment.
83+
84+
## How to restrict access over Private Networks
85+
86+
For enhanced security, you can remove your deployment's public endpoint, attach it to a Private Network, and allow access only via its private endpoint. Only resources within the Private Network's VPC will be able to access the deployment, and they must have downloaded the resource's TLS certificate.
87+
88+
You can still require API key authentication via the private endpoint, and use the methods described above to fine-tune API key restrictions and access. In addition, you can also use VPC features such as Network ACLs for enhanced control and security.
89+
90+
1. [Create your deployment](/managed-inference/how-to/create-deployment/) without checking the **Allow public connections** box, or remove the public endpoint via its **Overview** screen in the console if you already created it with a public endpoint.
91+
2. Ensure the deployment is [attached to a Private Network](/managed-inference/how-to/managed-inference-with-private-network/#how-to-attach-a-private-network-to-a-managed-inference-deployment).
92+
3. Transfer the deployment's [TLS certificate](/managed-inference/how-to/managed-inference-with-private-network/#how-to-send-inference-requests-in-a-private-network) to the resources in the VPC that need to access the deployment.
93+
4. (Optional) Ensure that API key authentication is enabled, and use [policies](/iam/how-to/create-policy/) to define IAM-based rules and conditions for access.
94+
5. (Optional) Use VPC features such as [Network ACLs](/vpc/reference-content/understanding-nacls/) to place IP-based restrictions on which resources in the VPC can access the deployment.
95+
6. Follow the instructions in the [dedicated documentation](/managed-inference/how-to/managed-inference-with-private-network/#how-to-send-inference-requests-in-a-private-network) for sending requests to your deployment in a Private Network.
96+
97+
<Message type="tip">
98+
If your VPC has a Public Gateway advertising a default route, external resources can still access the deployment via the Public Gateway (with correct authentication). [Read more about Public Gateways](/public-gateways/).
99+
</Message>
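
Review bot: The section "How to enable or disable authentication by API key" (lines 31-43) lets the reader turn authentication off for the public endpoint without any warning, and with Allowed IPs removed nothing else on this page restricts who can reach a public endpoint in that state, since the IAM conditions only apply when an API key is checked. Suggest a `<Message type="important">` after step 5 that says so and points to the Private Networks section. Smaller points: the link on line 47 targets `#enable-or-disable-authentication-by-api-key`, but the heading on line 31 begins with "How to", so the anchor will likely not resolve; line 14 reads "We recommended using" and should be "We recommend using"; line 54 does not say whether `InferenceReadOnly` is enough to send inference requests; and the Public Gateway caveat on lines 97-99 describes an exposure path, so `type="important"` fits better than `type="tip"`.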

pages/managed-inference/how-to/managed-inference-with-private-network.mdx

Lines changed: 6 additions & 2 deletions
@@ -61,9 +61,13 @@ Your Managed Inference model will be deployed, and it will be attached to the se
6161

6262
## How to send inference requests in a Private Network
6363

64+
<Message type="note">
65+
For more information on managing access to deployments in a Private Network, see [How to manage access to deployments](/managed-inference/how-to/manage-allowed-ips/).
66+
</Message>
67+
6468
1. [Create an Instance](/instances/how-to/create-an-instance/) which will host the inference application.
6569
<Message type="important">
66-
Ensure the Instance [is attached to the same Private Network](/instances/how-to/use-private-networks/) as your Managed Inference deployment.
70+
Ensure the Instance is attached to a Private Network in the same VPC as your Managed Inference deployment.
6771
</Message>
6872
2. Download the TLS certificate from your Managed Inference deployment, available from the **Overview** tab in the **Endpoints** section.
6973
<Lightbox image={image2} alt="A screenshot of the Managed Interface product overview tab in the Scaleway console, highlighting the TLS certificate download section" size="medium" />
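
Review bot: Line 70 drops the link to `/instances/how-to/use-private-networks/` that the old line 66 carried, so the step no longer tells the reader how to attach the Instance; keep the link on "attached to a Private Network". The new note on lines 64-66 also links to the top of the access page with the text "How to manage access to deployments", which matches neither that page's new title nor the section it is about; consider pointing at the "How to restrict access over Private Networks" section instead.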
@@ -106,7 +110,7 @@ Your Managed Inference model will be deployed, and it will be attached to the se
106110
"stream": False
107111
}
108112

109-
headers = {"Authorization": "Bearer " + "<SCW_SECRET_KEY>"} # ADD IAM KEY IF NECESSARY
113+
headers = {"Authorization": "Bearer " + "<SCW_SECRET_KEY>"} # ADD API KEY, IF API KEY AUTHENTICATION IS ENABLED FOR THE PRIVATE ENDPOINT
110114

111115
response = requests.post("<PRIVATE_ENDPOINT_URL>/v1/chat/completions",
112116
headers=headers, json=PAYLOAD, stream=False, verify='<CERT_NAME>.pem')
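
Review bot: The comment on line 113 makes the header conditional, but the code still builds `"Bearer " + "<SCW_SECRET_KEY>"` unconditionally and invites pasting the secret key into the script. Suggest reading the key from an environment variable and stating that the `headers` argument should be omitted when API key authentication is disabled for the private endpoint; a sentence-case comment of normal length would also read better than the all-caps one.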

pages/managed-inference/reference-content/data-privacy-security-scaleway-ai-services.mdx

Lines changed: 0 additions & 1 deletion
@@ -37,7 +37,6 @@ Scaleway's Managed Inference services adhere to the following data usage policie
3737
- **Hosting:** Models deployed or consumed for inference are hosted in Europe within the data center region specified by the customer.
3838
- **Encryption**: All traffic between the customer and the inference service is encrypted using in-transit TLS encryption to ensure data protection during transmission.
3939
- **Endpoint Security**: Public-facing endpoints are secured with API key tokens.
40-
- **Allowed IPs**: Public endpoints can be configured to restrict access to specific IP addresses or IP blocks.
4140
- **Virtual Private Cloud (VPC)**: The service can be hosted in a Virtual Private Cloud within private subnets. Access to the service can be restricted based on allowed IP ranges.
4241

4342
### Legal and compliance
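
Review bot: With the **Allowed IPs** bullet removed, the remaining bullets on lines 39 and 40 need a second look: "Public-facing endpoints are secured with API key tokens" is no longer unconditional now that the how-to page in this commit documents disabling API key authentication on the public endpoint, and the VPC bullet still says access "can be restricted based on allowed IP ranges". Suggest wording the first as the default setting and rewording the second to name Network ACLs, which is what the updated how-to refers to.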

0 commit comments
