Connect a server in a CDC to a dedicated server in another pool

You can connect a server in a CDC and a dedicated server that are located in different pools. Connectivity is provided over a private network via a Selectel Global Router.

How it works

A dedicated server in a CDC connects to a global router through a firewall. For this, the firewall behind which the server is located must be connected to private network switches.

A dedicated server in another pool also connects to a global router. Dedicated servers, except for some Chipcore Line servers, are connected to private network switches by default.

Connect a server in a CDC to a dedicated server in another pool via a private network

  1. Connect the firewall to a private network.
  2. Create a global router.
  3. Connect a network and subnet to the router leading to the dedicated server VLAN outside the CDC.
  4. Connect a network and subnet to the router leading to the CDC.
  5. Configure the firewall in the CDC.
  6. Configure the dedicated server outside the CDC.

1. Connect the firewall to a private network

  1. Create a ticket to connect the firewall in the CDC to a private network. In the ticket, specify:

    • the number of the firewall in the CDC; you can find it in the control panel: in the top menu, click Products → Firewalls → firewall page;
    • the port number on the firewall for connecting to the private network switch.
  2. Wait for a response from a Selectel representative confirming that the firewall in the CDC has been connected to the private network.

2. Create a global router

  1. In the control panel, in the top menu, click Products and select Global Router.
  2. Click Create router. A limit of five global routers is set for each account.
  3. Enter the router name.
  4. Click Create.
  5. If the router was created with the status ERROR or is stuck in one of the statuses, create a ticket.

3. Connect a network and subnet to the router leading to the dedicated server VLAN outside the CDC

You can connect a new or existing network to the router if it is not already connected to any of the account's global routers.

  1. In the control panel, on the top menu, click Products and select Global Router.

  2. Go to the router page → Networks tab.

  3. Click Create network.

  4. Enter a network name. It will only be used in the control panel.

  5. Select the Servers and Equipment service.

  6. Select a location for the network.

  7. Select or enter a VLAN.

  8. If you want to create a network up to an internal segment (Q-in-Q), specify its tag—a number from 2 to 4094. If a network already exists for the VLAN, you must specify the Q-in-Q segment of this VLAN.

  9. Enter a subnet name. It will only be used in the control panel.

  10. Enter the CIDR—the IP address and mask of the private subnet. You can enter a new subnet or an existing private server subnet if it has not yet been added to any of the global routers in the account. The subnet must meet the following conditions:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
    • have a size of at least /29, as three addresses will be occupied by Selectel network equipment;
    • not overlap with other subnets added to this router: IP addresses must not repeat across subnets on the same router;
    • if a Managed Kubernetes cluster on cloud servers is to be connected to the global router network, the subnet must not overlap with the 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24 ranges; if a cluster on dedicated servers is connected, it must not overlap with the 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14 ranges. These subnets are used for Managed Kubernetes internal addressing, and using them may cause conflicts in the global router network.
  11. Enter the gateway IP or leave the first address from the subnet that is assigned by default. Do not assign this address to your devices to avoid network disruption.

  12. Enter the service IPs or leave the last addresses from the subnet that are assigned by default. Do not assign these addresses to your devices to avoid network disruption.

  13. Click Create network.

  14. Optional: check the network topology on the global router. In the control panel, on the top menu, click Products → Global Router → router page → Network topology.

  15. If you specified a Q-in-Q tag in step 8, you need to enable Q-in-Q technology on the switch port and configure the network interface of the private network you specified in step 10. For more details, see the Configure Q-in-Q section of the Q-in-Q manual.

4. Connect a network and subnet to the router leading to the CDC

  1. In the control panel, in the top menu, click Products and select Global Router.

  2. In the Selectel Global Router section, open the router page → Networks tab.

  3. Click Create network.

  4. Enter a network name. It will only be used in the control panel.

  5. Select the Servers and Hardware service.

  6. Select a pool.

  7. Select a VLAN.

  8. If you want to create a network to an internal VLAN segment (Q-in-Q), specify its tag — a number from 2 to 4094.

  9. Enter a subnet name. It will only be used in the control panel.

  10. Enter a CIDR — the IP address and mask of the private subnet. The subnet must comply with the following conditions:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
    • have a size of at least /29, since three addresses will be occupied by Selectel network equipment;
    • not overlap with other subnets added to this router — the subnets of one router must not have identical IP addresses;
    • if a Managed Kubernetes cluster on cloud servers is included in the global router network, the subnet must not overlap with the 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24 ranges; if a cluster on dedicated servers is included in the network, it must not overlap with the 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14 ranges. These subnets are used for internal Managed Kubernetes addressing, and their use may cause conflicts in the global router network.
  11. Enter the gateway IP or leave the first address from the subnet, which is assigned by default. Do not assign this address to your devices to avoid disrupting network operation.

  12. Enter service IPs or leave the last addresses from the subnet, which are assigned by default. Do not assign these addresses to your devices to avoid disrupting network operation.

  13. Click Create network.

  14. Optional: check the network topology on the global router. In the control panel, in the top menu, click Products → Global Router → router page → Network Map.

  15. If you specified a Q-in-Q tag in step 8, make sure that you have configured Q-in-Q. When configuring, use the subnet you specified in step 10.
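
The subnet conditions from step 10 (in both sections 3 and 4) and the reserved gateway and service addresses from steps 11 and 12 can be checked before you fill in the form. This is an added example, not Selectel code: the function names are hypothetical, and it assumes the defaults reserve the first host address and the last two host addresses of the subnet.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Managed Kubernetes ranges exactly as listed in the steps above, keyed by cluster type.
K8S_RESERVED = {
    "cloud": ["10.10.0.0/16", "10.96.0.0/12", "10.250.0.0/16", "10.251.0.0/24"],
    "dedicated": ["10.10.0.0/16", "10.222.0.0/16", "10.250.0.0/16",
                  "10.251.0.0/24", "172.250.0.0/14"],
}

def check_subnet(cidr, existing=(), k8s=None):
    """Return the list of step-10 conditions that a proposed subnet violates."""
    try:
        net = ipaddress.IPv4Network(cidr)  # strict: rejects CIDRs with host bits set
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not inside an RFC 1918 range")
    if net.prefixlen > 29:
        problems.append("smaller than /29")
    for other in existing:  # subnets already added to the same router
        if net.overlaps(ipaddress.IPv4Network(other)):
            problems.append(f"overlaps router subnet {other}")
    for reserved in K8S_RESERVED.get(k8s, []):
        # strict=False: the listed ranges are compared as written on the page
        if net.overlaps(ipaddress.IPv4Network(reserved, strict=False)):
            problems.append(f"overlaps Managed Kubernetes range {reserved}")
    return problems

def device_address_problem(addr, cidr, service_count=2):
    """Return why addr must not go on a device interface, or None if it is free.
    Assumption: gateway = first host address, service IPs = last `service_count`
    host addresses (three reserved addresses in total, the defaults)."""
    net = ipaddress.IPv4Network(cidr)
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return "outside the subnet"
    if ip in (net.network_address, net.broadcast_address):
        return "network or broadcast address"
    if ip == net.network_address + 1:
        return "reserved: gateway"
    if ip >= net.broadcast_address - service_count:
        return "reserved: service IP"
    return None

if __name__ == "__main__":
    print(check_subnet("192.168.100.0/28"))  # constructed sample input
    print(device_address_problem("192.168.100.2", "192.168.100.0/28"))
```

If you entered a custom gateway or service IPs instead of the defaults, compare against those values rather than the ones this sketch derives.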

5. Configure the firewall in the CDC

  1. Connect to FortiGate via the graphical interface.

  2. Create and configure a private interface with the assigned subnet:

    2.1. Go to Network → Interfaces.

    2.2. Click Create New → Interface.

    2.3. In the Address field, enter an IP address from the private subnet that you connected to the global router for the CDC, for example 192.168.100.2/28.

  3. Add a static route to the subnet that you connected to the global router for the dedicated server VLAN outside the CDC:

    3.1. Go to Network → Static Routes.

    3.2. Click Create New → IPv4 Static Route.

    3.3. In the Destination field, enter the destination subnet — the subnet you connected to the global router for the dedicated server VLAN outside the CDC.

    3.4. In the Gateway Address field, enter the gateway — the IP address you assigned to the global router when connecting the network to the CDC in step 11.

    3.5. In the Interface field, specify the local interface you created in step 2.

  4. Configure a security policy that will allow traffic from the dedicated server outside the CDC to the dedicated server in the CDC:

    4.1. Go to Policy & Objects → Firewall Policy.

    4.2. Click Create New.

    4.3. Enter a policy name.

    4.4. In the Incoming Interface field, select the interface for which you configured the IP address in step 2.

    4.5. In the Outgoing Interface field, select the interface to which the dedicated server in the CDC is connected.

    4.6. In the Source field, enter another IP address from the same private subnet that you configured on the firewall in step 2. This address will be used on the dedicated server outside the CDC.

    4.7. In the Destination field, enter the IP address of the dedicated server in the CDC.

    4.8. Click Save.

  5. Configure a security policy that will allow traffic from the dedicated server in the CDC to the dedicated server outside the CDC:

    5.1. Go to Policy & Objects → Firewall Policy.

    5.2. Click Create New.

    5.3. Enter a policy name.

    5.4. In the Incoming Interface field, select the interface to which the dedicated server in the CDC is connected.

    5.5. In the Outgoing Interface field, select the interface for which you configured the IP address in step 2.

    5.6. In the Source field, enter the IP address of the dedicated server in the CDC.

    5.7. In the Destination field, enter the IP address that will be used on the dedicated server outside the CDC.

    5.8. Click Save.

6. Configure the dedicated server outside the CDC

  1. Assign an IP address from the subnet you connected to the global router for the dedicated server VLAN outside the CDC to the private network interface. Use the Configure a private network interface subsection of the Configuring a network interface on a server article.

  2. Add a static route on the network interface you configured in step 1. In the route, specify: