Private subnets and networks

Last update: July 10 2025

Private networks are L2 segments of the network. At least one private subnet must be created in each private network. Private subnets are ranges of private IP addresses at the L3 level, limited by the CIDR size. If devices are in different private subnets of the same private network, they can communicate directly.

Within different private networks, there can be subnets with the same prefixes (masks), but within the same network, the subnet prefixes must be different. By default, private networks and subnets do not have access to and from the Internet and cannot use public addressing.

To enable private subnets from different networks to communicate, you must connect them to the same cloud router. To organize L3 network connectivity between devices in different pools (including different projects and accounts) or between different services, you must connect private subnets to a global router. The addresses of subnets connected to the same router (cloud or global) must not overlap.

By default, private networks and the subnets belonging to them can only be used within one project and one pool. You can configure private network sharing in different projects within the same account.

Within private subnets there are limits on the amount of traffic — bandwidth. You can see it in the Bandwidth table. The default MTU is 1,500 B, you can change the MTU in the private network.

You can work with private subnets and networks in the control panel, using the OpenStack CLI or Terraform.

Automatic private subnet settings⁠

Private subnets specify default settings: default gateway and DNS servers. If you add a device to an existing subnet, the settings are automatically applied to the device. If you change the settings of a subnet that already has devices, you must update the network settings on all devices in the subnet to apply the settings.

Default gateway⁠

When creating a private subnet, the first available IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24, 192.168.0.1 will be reserved as the gateway . The default gateway can be changed when creating a subnet or changed after creation.

DNS servers⁠

When you create a private subnet, Selectel DNS servers are automatically assigned to the devices in the subnet. DNS servers can be changed when creating a subnet or  can be changed after the subnet is created.

Static routes⁠

By default, subnets do not have static routes specified. Static routes can be configured for private subnets.

Create a private network⁠

Control panel

1. In the Dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Click Create Network.
4. Select the pool where the private network will be created.
5. Enter the name of the network.
6. Optional: enter a comment for the network.
7. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
8. Optional: To change the IP address of the default gateway, click . Enter a value. Click .
9. Optional: To change the DNS servers, click . Enter one to three values. Click .
10. Optional: To enable DHCP, check the Enable DHCP checkbox.
11. Optional: To add another subnet, click Add Subnet and repeat steps 7-10.
12. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a private network:

   openstack network create <network_name>

   Specify <network_name> is the name of the private network.

3. Add the subnet to the private network.

Add a subnet to a private network⁠

Control panel

1. In the Dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Open the Network page → Subnets tab.
4. Click Create Subnet.
5. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
6. Optional: Change the IP address of the default gateway.
7. Optional: Change the DNS servers. Enter one to three values.
8. Optional: To enable DHCP, check the Enable DHCP checkbox.
9. Click .

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a subnet on the private network:

   openstack subnet create \
     --subnet-range <cidr> \
     [--dhcp  | --no-dhcp] \
     --gateway <gateway> \
     --network <network> \
     <subnet_name>

   Specify:

   • <cidr> — CIDR of a private subnet, e.g. 192.168.0.0/24;
   • DHCP option:
     • --dhcp — enable DHCP;
     • --no-dhcp — disable DHCP;
   • <gateway> — IP address default gateway for example 192.168.0.2;
   • <network> — The ID or name of the private network can be viewed with the command openstack network list;
   • <subnet_name> — name of the private subnet.

Configure private network access in different projects⁠

By default, a private network can only be shared within one project and one pool. You can configure the private network to be shared between different projects within the same account. The network will also be available only within one pool.

A private network will have the CrossProject tag. The network can only be managed in the project in which the subnet is located.

If you need to combine private networks from different pools (including those in different projects and accounts), connect the private network to a global router.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Copy the ID of the destination project with which you want to share the network. To do this, open the projects menu (name of the current project) and in the project line click .
4. Make sure you are in the project where the network is located.
5. Open the Network page → Projects tab.
6. Click Add Project.
7. Paste the destination project ID you copied in step 3.
8. Click .

Enable DHCP on a private subnet⁠

The DHCP protocol can be used to automatically configure the network on devices. It allows you to automatically obtain IP addresses, subnet mask, default gateway, DNS server addresses, and static routes for devices on a private subnet. Devices in a DHCP enabled subnet will automatically request settings from the DHCP server: when the network interface is turned on or when the address lease expires (default is 24 hours).

When DHCP is enabled, two ports for DHCP servers will be created in the subnet: one for the primary and one for the backup. The first two free IP addresses in the subnet will be reserved for the ports. For example, for a subnet with CIDR 192.168.0.0/24 192.168.0.2 and 192.168.0.3 will be reserved

DHCP on a private subnet can be enabled when you create a private network, add a subnet to a network, or for an existing private subnet.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Open the Private Network page → Subnets tab.
4. In the subnet card, open the Automatic Network Settings block.
5. Turn on the DHCP server toggle switch.

OpenStack CLI

1. Open the OpenStack CLI.

2. Enable DHCP on the private subnet:

   openstack subnet set --dhcp <subnet>

   Specify <subnet> — The ID or name of the private subnet, can be viewed with the openstack subnet list command.

Disable DHCP on a private subnet⁠

Disabling DHCP on a private subnet frees up two IP addresses that have been reserved for DHCP servers.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Open the Private Network page → Subnets tab.
4. In the subnet card, open the Automatic Network Settings block.
5. Turn off the DHCP server toggle switch.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disable DHCP on the private subnet:

   openstack subnet set --no-dhcp <subnet>

   Specify <subnet> — The ID or name of the private subnet, can be viewed with the openstack subnet list command.

Change the default gateway on the private subnet⁠

When creating a private subnet, the first available IP address is reserved for the default gateway. For example, 192``.168.0.0/24 will be reserved for a subnet with CIDR 192.168.0.0/24.

The default gateway can be changed when creating a private network, adding a subnet to a network, or for an existing private subnet.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Open the Private Network page → Subnets tab.
4. In the subnet card, open the Automatic Network Settings block.
5. In the Subnet Gateway field, click .
6. Enter a new value for the default gateway IP address.
7. Click .
8. Apply the changes. To do this, update the network settings on the devices in the subnet.

OpenStack CLI

1. Open the OpenStack CLI.

2. Delete the existing pool of dedicated IP addresses on the private subnet and add a new pool without the default gateway IP address:

   openstack subnet set \
     --no-allocation-pool \
     --allocation-pool start=<first_pool_ip_address>,end=<last_pool_ip_address> \
     <subnet>

   Specify:

   • <first_pool_ip_address> — the first IP address of the new pool;
   • <last_pool_ip_address> — the last IP address of the new pool. Multiple pools can be added — each pool is added using the option --allocation-pool start=<first_pool_ip_address>, end=<last_pool_ip_address>;
   • <subnet> — The ID or name of a private subnet can be viewed with the command openstack subnet list.

3. Specify a new IP address for the default gateway:

   openstack subnet set --gateway <gateway> <subnet>

   Specify < gateway > — the IP address of the default gateway, for example 192.168.0.5.

   Example of changing the gateway IP address to 192.168.0.5:

   openstack subnet set \
     --no-allocation-pool \
     --allocation-pool start=192.168.0.1,end=192.168.0.4 \
     --allocation-pool start=192.168.0.6,end=192.168.0.254 \
     --gateway 192.168.0.5 \
     1c6e70ea-db7e-4d2f-bf76-4cab8f0cf52a

4. Apply the changes. To do this, update the network settings on the devices in the subnet.

Change DNS servers on a private subnet⁠

When you create a private subnet, Selectel recursive DNS servers are automatically assigned to the devices on the subnet. DNS servers can be changed when creating a private subnet and adding a subnet to the network or for an existing private subnet.

To change the DNS servers on the global router subnet , create a ticket.

Control panel

1. In the Dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Open the Private Network page → Subnets tab.
4. In the subnet card, open the Automatic Network Settings block.
5. In the DNS Server Addresses field, click .
6. Enter one to three values.
7. Click .
8. Apply the changes. To do this, update the network settings on the devices in the subnet.

OpenStack CLI

1. Open the OpenStack CLI.

2. If you need to completely replace the list of DNS servers, delete the IP addresses of the specified DNS servers and add new ones:

   openstack subnet set \
     --no-dns-nameservers \
     --dns-nameserver <dns_server> \
     <subnet>

   Specify:

   • <dns_server> — IP address of the DNS server. It is possible to add several DNS servers — each is added using the option --dns-nameserver <dns_server>;
   • <subnet> — The ID or name of a private subnet can be viewed with the command openstack subnet list.

   Example of changing the default DNS servers to 192.0.2.3 and 192.0.2.4:

   openstack subnet set \
     --no-dns-nameservers \
     --dns-nameserver 192.0.2.3 \
     --dns-nameserver 192.0.2.4 \
     <subnet>

3. If you need to complete the list of DNS servers, add the IP addresses of the new DNS servers:

   openstack subnet set \
     --dns-nameserver <dns_server> \
     <subnet>

   Specify:

   • <dns_server> — IP address of the DNS server. It is possible to add several DNS servers — each is added using the option --dns-nameserver <dns_server>;
   • <subnet> — The ID or name of a private subnet can be viewed with the command openstack subnet list.

4. Apply the changes. To do this, update the network settings on the devices in the subnet.

Connect a subnet to the cloud router⁠

In order for private subnets from different networks to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.

To configure access to and from the Internet for devices on private subnets using a cloud router, use the instructions to Configure Access to and from the Internet.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to Network → Private Networks tab.

3. Open the Network page → Subnets tab.

4. In the subnet card, in the Cloud Router field, click Connect. If the subnet is already connected to a cloud router, you can connect it to another cloud router through the router card.

5. Select a cloud router — existing or new.

6. Optional: If the router will be used to access the Internet, check the Connect to external network checkbox. If the router is already connected to an external network, the checkbox is not displayed.

7. If you chose to create a new router, configure it:

   7.1 Enter the name of the router.

   7.2 Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. You can view the gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → Private Networks tab → Network page → Subnets tab → Subnet card → Automatic Network Settings block → Subnet Gateway field.

   If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and must be different from the global router IP address, the IP addresses of the devices on the network, and the .253 and .254 service addresses.

8. Click Connect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the subnet to the cloud router:

   openstack router add subnet <router> <subnet>

   Specify:

   • <router> — The ID or name of the cloud router can be viewed with the command openstack router list;
   • <subnet> — The ID or name of a private subnet can be viewed with the command openstack subnet list.

Disconnect the subnet from the cloud router⁠

Control panel

1. In the Dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Private Networks tab.
3. Open the Private Network page → Ports tab. Ports that are used by cloud routers are marked with the Router tag.
4. In the port bar of the cloud router to which the subnet is connected, click .
5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the subnet from the cloud router:

   openstack router remove subnet <router> <subnet>

   Specify:

   • <router> — The ID or name of the cloud router can be viewed with the command openstack router list;
   • <subnet> — The ID or subnet name can be viewed with the command openstack subnet list

Connect a private network to a global router⁠

When you connect a private network to a global router, all subnets belonging to that network will be connected to the router. All subnets will communicate on the L3 layer.

The private network will have a Global Router tag. You can manage the Global Router network and subnets only in the Global Router section of the Control Panel: from the top menu, click Products → Global Router.

The Global Router subnet will automatically create three service ports for network equipment.

Control panel

1. Verify that the subnets on the private network are appropriate:

   • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16;;
   • have a size of at least /29, as three addresses will be occupied by Selectel network equipment;
   • do not overlap with other networks and subnets that are connected to this global router (IP addresses in the subnets must not overlap);
   • If the global router network will include a Managed Kubernetes cluster on cloud servers, the subnet must not overlap with the ranges 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24. If the network will include a cluster on dedicated servers — with the ranges 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14. These subnets participate in the internal addressing of Managed Kubernetes, their use may cause conflicts in the global router network.

2. In the control panel, on the top menu, click Products → Cloud Servers.

3. Go to Network → Private Networks tab.

4. From the menu of the network, select Connect to Global Router.

5. Select an existing global router or create a new one.

6. For each subnet, enter the gateway IP address that will be assigned to the global router. Do not assign this address to devices to avoid disrupting the network.

7. Optional: Change the service IP addresses that are assigned automatically to reserve the global router.

8. Click Connect. Do not close the window until the network is connected.

Disconnect the private network from the global router⁠

Control panel

1. In the control panel, on the top menu, click Products → Cloud Servers.
2. Go to Network → Private Networks tab.
3. From the menu of the network, select Disconnect from Global Router.
4. Enter the name of the network to confirm disconnection.
5. Click Disconnect. Do not close the window until the network is disconnected.

Change the MTU on a private network⁠

When you create a private network it is set to the default MTU of 1,500 B, you can change the MTU.

The cloud router If you set the MTU on a network to more than 1,500B, you will need to reduce the packet size to 1,500B when sending traffic from that network to the cloud router. For example, you can use PMTUD to do this.The restriction does not apply to TCP sending.

Global router accepts packets up to 8,500 B in size.

OpenStack CLI

1. Open the OpenStack CLI.

2. Specify a new MTU value on the network:

   openstack network set \
     --mtu <mtu> \
     <network>

   Specify:

   • <mtu> — new MTU value in B, the maximum value is 8500;
   • <network> — The ID or name of a private network can be viewed with the command openstack network list.

3. Apply the changes. To do this, update the network settings on the devices in the network. You can view the list of devices on the network in the control panel: from the top menu, click Products → Cloud Servers → Network → Private Networks tab → Private Networks page → Ports tab.

Delete a private network or subnet⁠

Devices that prohibit deletion of a network or subnetwork⁠

A private network or private subnet cannot be deleted if the network is connected to a global router, DHCP is enabled on the subnet, or there are devices that prohibit deletion:

• A cloud router that receives traffic for the public IP address of one of the devices on the network;
• A cloud router that uses a subnet port in static routes;
• database cluster;
• Cluster Managed Kubernetes;
• file storage;
• Cloud load balancer.

When removing a subnet or network through the control panel, you must remove these devices, disconnect the subnet from the global router, and disable DHCP. If you delete using the OpenStack CLI, you must delete all ports on the network or subnet.

Delete private subnet⁠

When deleting a private subnet, you must delete all ports in it.

Control panel

1. In the Dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to Network → Private Networks tab.

3. If the private network card has the Global Router tag, disconnect it from the global router:

   3.1. From the menu of the network, select Disconnect from Global Router.

   3.2 Enter the network name to confirm disconnection.

   3.3 Click Disconnect. Do not close the window until the network is disconnected.

4. If DHCP is enabled on the subnet, turn it off:

   4.1 Open the Private Network page → Subnets tab.

   4.2 In the subnet card, open the Automatic Network Settings block.

   4.3 Turn off the DHCP server toggle switch.

5. Open the Private Network page → Ports tab.

6. Delete all ports in the subnet. To do this, in the row of each port, click .

7. If the button is inactive in the port card, a device that prohibits removal is connected to the port . Remove this device and return to step 1.

   Use the instructions to remove the device:

   • remove the cloud router;
   • remove the Managed Kubernetes cluster;
   • delete file storage;
   • remove the load balancer.

8. Open the Subnets tab.

9. In the subnet card, click .

10. Click Delete.

11. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. Remove all ports on the private subnet:

   openstack port delete <port>

   Specify <port> — The port ID or name can be viewed using the openstack port list command.

3. Delete the private subnet:

   openstack subnet delete <subnet>

   Specify <subnet> — The ID or name of the private subnet, can be viewed with the openstack subnet list command.

Delete private network⁠

The subnets created in the network will be deleted along with the network.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to Network → Private Networks tab.

3. If the network card has the Global Router tag, disconnect it from the global router:

   3.1. From the menu of the network, select Disconnect from Global Router.

   3.2 Enter the network name to confirm the disconnection.

   3.3 Click Disconnect. Do not close the window until the network is disconnected.

4. If DHCP is enabled on network subnets, turn it off:

   4.1 Open the Network page → Subnets tab.

   4.2 In the subnet card, open the Automatic Network Settings block.

   4.3 Turn off the DHCP server toggle switch.

   4.4 If the network has multiple subnets, repeat steps 4.1-4.3 for each subnet.

5. Make sure there are no devices on the network that prohibit network deletion:

   5.1. Open the Network page → Ports tab.

   5.2 If the button is inactive in the port card, a device that prohibits network removal is connected to the port. Remove this device and return to step 1.

   Use the instructions to remove the device:

   • remove the cloud router;
   • remove the Managed Kubernetes cluster;
   • delete file storage;
   • remove the load balancer.

6. From the top menu, click Products and select Cloud Servers.

7. Go to Network → Private Networks tab.

8. From the menu of the network, select Delete Network.

OpenStack CLI

1. Open the OpenStack CLI.

2. Remove all ports on subnets belonging to the network:

   openstack port delete <port>

   Specify <port> — The port ID or name can be viewed using the openstack port list command.

3. Delete the private network:

   openstack network delete <network>

   Specify <network> — The ID or name of the private network can be viewed using the openstack network list command.