
Commit 786e3c5

RoRoJjcirinosclwynerda-codes
authored
fix(pgw): add updated bastion and allowed ips feature (#4060)
* fix(pgw): add updated bastion and allowed ips feature
* Apply suggestions from code review
  Co-authored-by: Jessica <[email protected]>
  Co-authored-by: nerda-codes <[email protected]>
* fix(pgw): finish allowed ips feature
* fix(various): fix unwanted files
* fix(pgw): remove asterisk
* fix(pgw): unwanted files
* fix(pgw): add message
---------
Co-authored-by: Jessica <[email protected]>
Co-authored-by: nerda-codes <[email protected]>
1 parent 3dc32ba commit 786e3c5

File tree

8 files changed

+90
-25
lines changed


pages/public-gateways/concepts.mdx

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,13 @@ categories:
1212
- network
1313
---
1414

15+
## Allowed IPs
16+
17+
The Allowed IPs feature is only available to [IPAM-mode](#ipam) Public Gateways. Legacy gateways are not compatible with this feature.
18+
</Message>
19+
20+
Allowed IPs is a feature of [SSH bastion](#ssh-bastion). It allows you to specify a list of IP address ranges which should be allowed to connect to the SSH bastion and the resources behind it. All other IP addresses will be blocked from connecting. Find out more in the [SSH bastion](/public-gateways/how-to/use-ssh-bastion/#how-to-configure-allowed-ips) documentation.
21+
1522
## Default route
1623

1724
The Public Gateway can advertise a default route to resources on an attached Private Network, which takes effect when the IP destination address for a packet is not known on the network itself. In effect, resources in a Private Network will know to route packets through the Public Gateway if the destination IP address is not a host on the Private Network itself.
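Review bot: the added "Allowed IPs" block (new-file lines 17-18) closes a `</Message>` that is never opened; the note sentence on line 17 is preceded only by a blank line, not by a `<Message type="note">` tag, so the MDX will either fail to compile or render the stray closing tag as text. Add `<Message type="note">` before "The Allowed IPs feature is only available to ...", matching the same block in use-ssh-bastion.mdx in this commit.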
@@ -113,7 +120,7 @@ See [IP mobility](#ip-mobility).
113120

114121
## SSH bastion
115122

116-
[SSH bastion](/public-gateways/how-to/use-ssh-bastion/) is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all the SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure.
123+
[SSH bastion](/public-gateways/how-to/use-ssh-bastion/) is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all the SSH keys held in your Project credentials are imported to the SSH bastion, providing a single point of entry. This makes management of your infrastructure easier and more secure. The [Allowed IPs](#allowed-ips) feature lets you control which public IP addresses can connect to the resources behind your bastion.
117124

118125
## Tags
119126


pages/public-gateways/how-to/use-ssh-bastion.mdx

Lines changed: 79 additions & 21 deletions
@@ -13,7 +13,9 @@ categories:
1313
- network
1414
---
1515

16-
SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all [SSH keys held in your Project](https://console.scaleway.com/project/ssh-keys/) are imported to the SSH bastion, providing a single point of entry. You can then connect to resources behind the bastion (connected to the same Private Network as the Public Gateway) via the bastion. This makes management of your infrastructure easier and more secure, as you do not need to expose your other resources to the internet in order to connect to them, neither do you need to upload SSH keys to individual resources.
16+
SSH bastion is a server dedicated to managing connections to the infrastructure behind your Public Gateway. When you activate SSH bastion on your Public Gateway, all [SSH keys held in your Project](https://console.scaleway.com/project/ssh-keys/) are imported to the SSH bastion, providing a single point of entry. You can then connect to resources connected to the same Private Network as the Public Gateway, via the bastion. This makes management of your infrastructure easier and more secure, as you do not need to expose your other resources to the internet in order to connect to them, neither do you need to upload SSH keys to individual resources.
17+
18+
The [Allowed IPs](#how-to-configure-allowed-ips) feature lets you control which public IPs can access resources behind the bastion.
1719

1820
<Macro id="requirements" />
1921

@@ -27,23 +29,61 @@ SSH bastion is a server dedicated to managing connections to the infrastructure
2729
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu.
2830
2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the **Overview** page for that Public Gateway.
2931
<Lightbox src="scaleway-ssh-bastion-activate.webp" alt="" />
30-
3. Under **SSH Bastion** click the **Activate** button. A pop-up displays:
32+
3. Under **SSH Bastion**, click **Enable SSH bastion** to activate the feature. A pop-up displays:
3133
<Lightbox src="scaleway-activate-ssh-bastion-popup.webp" alt="" />
3234
4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place).
3335
<Message type="tip">
34-
The default port is 61000. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a [NAT rule](/public-gateways/concepts/#nat).
36+
The default port is 61000 (ours), to avoid conflicts. When setting your own port, you must choose a port number between 1024 and 59999. The port that the SSH bastion listens on must not be a port already in use by a [NAT rule](/public-gateways/concepts/#nat).
3537
</Message>
3638
5. Copy the command to connect to a resource, and click **Save SSH bastion settings**.
3739

38-
You are redirected to your Public Gateway's **Overview** page, where SSH bastion is now activated. All the SSH keys in your [Project credentials](/iam/concepts/#api-key) at the time of activation are copied to the SSH bastion.
40+
You are redirected to your Public Gateway's **Overview** page, where SSH bastion is now activated. All the SSH keys in your [Project](/organizations-and-projects/concepts/#project) at the time of activation are copied to the SSH bastion.
41+
42+
## How to configure allowed IPs
43+
44+
<Message type="note">
45+
The Allowed IPs feature is only available to [IPAM-mode](/public-gateways/concepts/#ipam) Public Gateways. Legacy gateways are not compatible with this feature.
46+
</Message>
47+
48+
The [Allowed IPs](#how-to-configure-allowed-ips) feature lets you control which public IPs can connect to resources behind the bastion. All IPs are blocked except those specified in your Allowed IPs list.
49+
50+
When you first activate SSH bastion, the Allowed IPs list has one entry: a default IP range of `0.0.0.0/0` which gives access to **all** public IPs.
51+
52+
<Lightbox src="scaleway-ssh-bastion-allowed-ips.webp" alt="The Public Gateway's dashboard in the Scaleway console shows that SSH bastion is activated, and the Allowed IPs list contains one entry: 0.0.0.0/0" />
53+
54+
### How to allow all IPs
55+
56+
If you do **not** want to restrict connections to the resources behind the bastion to specific public IPs only, **leave the default entry of `0.0.0.0/0` in place**. This IP range encompasses all possible public IPs, so will allow any public IP address to connect to the bastion (as long as they have a valid SSH key). No further configuration is required.
57+
58+
If you have deleted the default entry, you can re-add an entry for `0.0.0.0/0` at any time. Click the **Add allowed IPs** button, and add a single entry for `0.0.0.0/0` to restore access to all public IPs.
59+
60+
### How to restrict access to certain IPs
61+
62+
To restrict connections to resources behind the bastion to specific public IPs only, you must delete the default `0.0.0.0/0` entry, and add entries for the specific IP ranges that you want to allow. Follow the steps below:
63+
64+
1. Ensure you have [activated SSH bastion](#how-to-activate-ssh-bation).
65+
2. In the **Allowed IPs** list, delete the default IP range entry `0.0.0.0/0` by clicking the <Icon name="delete"/> button next to it.
66+
A pop-up displays, asking you to confirm that you want to delete this IP range.
67+
3. Type **DELETE** in the box, then click **Delete allowed IP range**.
68+
The IP range is deleted and you are returned to the Allowed IPs list.
69+
4. Click the **+ Add allowed IPs** button.
70+
A pop-up displays, asking you to enter the IPv4 address ranges to allow.
71+
<Lightbox src="scaleway-add-allowed-ips.webp" alt="A pop-up screen from the Scaleway console, with a text box to allow the user to enter multiple IPv4 ranges separated by newlines. The instructions say: Add one or more IPv4 address ranges to allow. Always include the subnet mask. Use a tool like ipcalc if you need help calculating the subnet of your IP ranges." />
72+
5. Enter the IPv4 address ranges you to want to allow to connect to your SSH bastion. In each case, include the subnet mask (use `/32` for single addresses). You can add multiple IP ranges in one go by separating them with new lines.
73+
6. Click the **Add IPs** button.
74+
The IPs are added, and you are returned to the Allowed IPs list.
75+
76+
Repeat steps 4 - 6 to add more IP range entries, if you wish.
77+
78+
You can delete an entry from the list at any time by clicking the <Icon name="delete" /> button next to it.
3979

4080
## How to reimport SSH keys
4181

42-
If you add new SSH keys to your [Project credentials](/iam/concepts/#api-key) after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.
82+
If you add new SSH keys to your [Project](/organizations-and-projects/concepts/#project) after activating SSH bastion, you will need to perform a reimport to update the bastion with the new keys.
4383

4484
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu.
4585
2. Click the Public Gateway for which you want to update the SSH bastion. You are taken to the **Overview** page for that Public Gateway.
46-
3. Under **SSH Bastion** click the **Reimport SSH keys** button.
86+
3. Under **SSH Bastion** click the **Reimport list** button.
4787
<Lightbox src="scaleway-ssh-bastion-reimport.webp" alt="" />
4888

4989
Your SSH bastion is updated with the new SSH keys.
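Review bot: the anchor in step 1 of "How to restrict access to certain IPs" (new-file line 64) is misspelled, `#how-to-activate-ssh-bation`, and will not resolve; it should be `#how-to-activate-ssh-bastion`. Two smaller points in the same hunk: the tip on line 36 now reads "The default port is 61000 (ours), to avoid conflicts", where "(ours)" looks like an unfinished editing note and diverges from the quickstart wording "The default port is `61000`"; and step 5 on line 72 has "the IPv4 address ranges you to want to allow" (should be "you want to allow"). Since the list defaults to `0.0.0.0/0` on activation (line 50), it would also help readers to say in the activation section itself that every public IP can reach the bastion until the list is edited, rather than only in the later section.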
@@ -60,18 +100,30 @@ You can connect to a resource behind the bastion using its private IP address on
60100

61101
### How to connect using the resource's fully-qualified domain name (FQDN)
62102

63-
The domain to use is set when the Public Gateway is attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment:
103+
The command to use is:
64104

65-
- **Via the Scaleway console**: The FQDN takes the form `resource-name.priv`
66-
- **Via Terraform/OpenTofu**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` is [this](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/vpc_public_gateway_dhcp#dns_local_name) Terraform/OpenTofu option.
67-
- **Via the Scaleway CLI or API**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` follows the specification [here](https://www.scaleway.com/en/developers/api/public-gateway/#path-dhcp-create-a-dhcp-configuration), defaulting to `.priv`.
105+
```bash
106+
ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN
107+
```
108+
q
109+
The FQDN is `<resource-name>.<private-network-name>.internal`.
68110

69-
Carry out the following command on your terminal to connect to a resource inside your Private Network. Remember to replace `FQDN` with the FQDN in the format specified above.
111+
When connecting as the user `alex` on an Instance named `scw-frosty-cannon` on a Private Network named `pvn-silly-goodall`, where the Public Gateway has an IP `51.158.125.88` and SSH bastion is configured on port 6100, the full connection command would therefore be:
70112

71113
```bash
72-
ssh -J bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:61000 user@FQDN
114+
ssh -J bastion@51.158.125:61000 [email protected]
73115
```
74116

117+
<Message type="note">
118+
119+
For [Legacy Private Networks](/public-gateways/concepts/#ipam) not in IPAM mode and still using DHCP configuration objects, the FQDN may be different. The domain to use was set when the Public Gateway was attached to the Private Network. Therefore, the FQDN to use depends on how you made this attachment:
120+
121+
- **Via the Scaleway console**: The FQDN takes the form `resource-name.priv`
122+
- **Via Terraform**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` is [this](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/vpc_public_gateway_dhcp#dns_local_name) Terraform option.
123+
- **Via the Scaleway CLI or API**: The FQDN takes the form `resource-name.dns_local_name` where `dns_local_name` follows the specification [here](https://www.scaleway.com/en/developers/api/public-gateway/#path-dhcp-create-a-dhcp-configuration), defaulting to `.priv`.
124+
125+
</Message>
126+
75127
### How to edit your SSH configuration files for connection
76128

77129
Carry out the following steps to avoid the need to repeat `-J bastion@<public-IP-of-gateway>:61000` in your SSH connection commands. The following steps must be repeated on all local machines that want to connect to a resource behind the SSH bastion in this way.
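Review bot: the worked connection example on new-file line 114 does not match the prose on line 111: the prose gives the gateway IP as `51.158.125.88` and the bastion port as 6100, while the command uses the truncated address `51.158.125` and port `61000`. The three should agree (presumably `51.158.125.88` and `61000`, the default port used everywhere else in this file). Line 108 also contains a stray `q` on its own line between the closing code fence and the FQDN sentence. Finally, the new legacy-network note says "Via **Terraform**" where the removed text said "Terraform/OpenTofu"; dropping OpenTofu looks unintentional.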
@@ -81,12 +133,12 @@ Carry out the following steps to avoid the need to repeat `-J bastion@<public-IP
81133
nano ~/.ssh/config
82134
```
83135
Paste the following code into the file, then save and exit. Ensure that you make the following replacements:
84-
- `.priv`: If you attached the Public Gateway to the Private Network via the console, this is the correct value. However, if you used another method such as Terraform/OpenTofu, API, or CLI you may need to replace this value - see [above](#how-to-connect-using-the-resources-fully-qualified-domain-name-fqdn).
136+
- `.<private-network-name>`: If your Public Gateway is in IPAM mode, this is the correct value. However, if you have a legacy gateway, you may need to replace this value with `.priv` or `<dns_local_name>` - see [above](#how-to-connect-using-the-resources-fully-qualified-domain-name-fqdn).
85137
- `PUBLIC_IP_OF_PUBLIC_GATEWAY`: The public IP address of your gateway
86138
- `SSH_BASTION_PORT`: The port you set when activating SSH bastion on your gateway
87139

88140
```bash
89-
Host *.priv
141+
Host *.<private-network-name>
90142
ProxyJump bastion@PUBLIC_IP_OF_PUBLIC_GATEWAY:SSH_BASTION_PORT
91143
```
92144
2. Alternatively, to configure at system-wide level, open your system-wide configuration file on your local machine with a text-editor such as `nano`:
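Review bot: the `Host *.<private-network-name>` pattern on new-file line 141 will not match the FQDN format this file now documents, `<resource-name>.<private-network-name>.internal`, because it lacks the trailing `.internal` label; ssh matches `Host` patterns against the host name given on the command line, so `ssh scw-frosty-cannon.pvn-silly-goodall.internal` would not pick up the ProxyJump. Change it to `Host *.<private-network-name>.internal` and update the replacement bullet on line 136 to match (`.<private-network-name>.internal`). In that bullet the legacy alternatives are also written inconsistently, `.priv` with the leading dot but `<dns_local_name>` without it.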
@@ -100,14 +152,20 @@ Carry out the following steps to avoid the need to repeat `-J bastion@<public-IP
100152
ssh FQDN
101153
```
102154

103-
## How to edit or deactivate SSH bastion
155+
## How to edit the SSH bastion port
104156

105157
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu.
106-
2. Click the Public Gateway for which you want to edit or deactivate SSH bastion. You are taken to the **Overview** page for that Public Gateway.
107-
3. Under **SSH Bastion** click the "edit" icon (<Icon name="edit" />) **Edit** button. A pop-up displays.
108-
4. Edit your SSH bastion as required. You can make the following edits:
109-
- Use the <Icon name="toggle" /> toggle to disable SSH bastion.
110-
- Change the port on which your SSH bastion listens.
111-
5. Click **Save settings**.
158+
2. Click the Public Gateway you want to edit SSH bastion for. You are taken to the **Overview** page for that Public Gateway.
159+
3. Under **SSH Bastion** click **Edit**, next to the port number. A pop-up displays.
160+
4. Edit your SSH bastion port as required.
161+
5. Click **Save**.
112162

113163
Your edits are saved, and you are redirected to your Public Gateway's **Overview** page.
164+
165+
## How to deactivate SSH bastion
166+
167+
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu.
168+
2. Click the Public Gateway you want to deactivate SSH bastion on. You are taken to the **Overview** page for that Public Gateway.
169+
3. Under **SSH Bastion** use the toggle <Icon name="toggle"/> to deactivate the bastion.
170+
171+
SSH bastion is deactivated on this gateway. You can reactivate it at any time.
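Review bot: the new "How to deactivate SSH bastion" section does not say what happens to the Allowed IPs list and the imported keys on deactivation, nor whether they are restored when the bastion is reactivated ("You can reactivate it at any time"); if the list resets to the default `0.0.0.0/0` on reactivation, that is worth stating explicitly, since it reopens access to all public IPs. Minor: step 3 of the edit section (line 159) is missing the comma after **SSH Bastion** used in the activation step and in quickstart.mdx ("Under **SSH Bastion**, click ...").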

pages/public-gateways/quickstart.mdx

Lines changed: 3 additions & 3 deletions
@@ -57,11 +57,11 @@ When you activate SSH bastion on your Public Gateway, all [SSH keys held in your
5757

5858
1. Click **Public Gateways** in the **Network** section of the Scaleway console side menu.
5959
2. Click the Public Gateway for which you want to activate SSH bastion. You are taken to the **Overview** page for that Public Gateway.
60-
3. Under **SSH Bastion**, click the **Activate** button. A pop-up displays.
60+
3. Under **SSH Bastion**, click **Enable SSH bastion**. A pop-up displays.
6161
4. Enter the port that you want your SSH bastion to listen on (or leave the default port in place).
6262
<Message type="tip">
6363
The default port is `61000`. When setting your own port, you must choose a port number between `1024` and `59999`. The port that the SSH bastion listens on must not be a port already in use by a [NAT rule](/public-gateways/concepts/#nat).
6464
</Message>
65-
5. Copy the command to connect to a resource, and click **Save SSH bastion settings**.
65+
5. Copy the command to connect to a resource, and click **Activate**.
6666

67-
You are redirected to your Public Gateway's **Overview** page, where SSH bastion is now activated. All the SSH keys in your [Project credentials](/iam/concepts/#api-key) at the time of activation are copied to the SSH bastion. The command to use to connect to resources behind the bastion is displayed. See the [SSH bastion documentation](/public-gateways/how-to/use-ssh-bastion/) for further help.
67+
You are redirected to your Public Gateway's **Overview** page, where SSH bastion is now activated. All the SSH keys in your [Project credentials](/iam/concepts/#api-key) at the time of activation are copied to the SSH bastion. The command to use to connect to resources behind the bastion is displayed. See the [SSH bastion documentation](/public-gateways/how-to/use-ssh-bastion/) for further help, including information about restricting connections via the **Allowed IPs** feature.
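Review bot: line 67 still reads "[Project credentials](/iam/concepts/#api-key)" while the same sentence in use-ssh-bastion.mdx (new-file line 40 there) was changed in this commit to "[Project](/organizations-and-projects/concepts/#project)"; align the two so the source of the imported SSH keys is described consistently. The port tip on line 63 here is the clean form of the sentence that use-ssh-bastion.mdx line 36 now garbles with "(ours)".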
