General information about cloud platform networks

The cloud platform networks are powered by OpenStack Neutron. For more information, see the Neutron section of the OpenStack documentation.

You can work with cloud platform networks in the control panel, with the OpenStack CLI, or with Terraform.

Cloud platform networks support user types and roles.

You can track metrics across cloud platform networks using the Metrics service.

Records of cloud platform network operations are stored in audit logs.

Tasks to be solved

With cloud platform network resources, you can:

  • configure connectivity between devices in the same pool and combine devices into private subnets using ports; devices can be cloud servers, load balancers, file storage, Managed Kubernetes clusters and cloud database clusters;
  • route traffic between private subnets and configure Internet access for devices on a private subnet using cloud routers;
  • connect static public IP addresses to devices on private subnets to configure access to them from the Internet;
  • connect devices to public subnets for access to and from the Internet; cloud servers, load balancers, and cloud database clusters can be connected to public subnets;
  • distribute incoming network traffic between cloud servers using load balancers;
  • connect private subnets to a global router to organize network connectivity between devices in different pools (including different projects and accounts) or between different services;
  • configure static routes for subnets.

To limit traffic, you can use:

  • cloud firewalls: assigned to a cloud router port, they filter traffic for private subnets and public IP addresses;
  • security groups: assigned to a cloud server port, they filter all port traffic;
  • allowed IP/MAC addresses: configured on a cloud server port, they allow outgoing port traffic only from specific IP/MAC address pairs.

To use security groups and allowed IP/MAC addresses, port security must be enabled on the network.

Examples of networks

Internet access

Cloud servers can be connected to a private network without Internet access and can be configured to access the Internet via routers and public IP addresses.

Private network and bastion host

A bastion host is a host on a network that acts as a gateway or proxy for all other servers. This host is accessible by a public IP address and communicates with other servers over a private network.

Public subnet

All servers on the public subnet have access to the Internet. Servers communicate with each other through public interfaces.

Load balancer and bastion host

A load balancer can be added to the bastion host scheme. The bastion host is used for private network access and infrastructure management, while the load balancer performs proxying of requests.

Throughput

Cloud platform network objects have outbound and inbound bandwidth restrictions.

Traffic on a private network

| Network object | Outgoing traffic | Incoming traffic |
|---|---|---|
| Cloud server port on a private network | 3 Gbps in all pools except ru-1; 1 Gbps in pool ru-1; 10 Gbps for the 10G Net line | Not restricted * |

Internet traffic

| Network object | Outgoing traffic | Incoming traffic |
|---|---|---|
| Cloud server port on a private subnet with a public IP address | 3 Gbps in all pools except ru-1; 1 Gbps in pool ru-1 | 5 Gbps |
| Cloud server port on a private subnet without a public IP address (traffic through the external IP address of the cloud router) | 3 Gbps | - |
| Cloud router, shared bandwidth for all devices without a public IP address behind a single router | 5 Gbps | 5 Gbps |
| Cloud server port on the public subnet | 3 Gbps in all pools except ru-1; 1 Gbps in pool ru-1; 10 Gbps for the 10G Net line | Not restricted * |

* Actual throughput depends on device configuration and network conditions.

For a list of regions, availability zones and pools, see the Selectel Infrastructure table.

Bandwidth for devices on private networks can be upgraded to 10 Gbps: create a ticket or create a flavor in the 10G Net line.

The speed on a port may drop significantly, for example to 0.1 Gbps, if the associated IP address is blocked by Selectel security. To increase the speed, create a ticket.

Traffic filtering (port security)

Traffic filtering (port security) is a network function to protect against unauthorized access and attacks. Filtering allows you to:

You can view the filtering status of a network in the control panel: in the top menu, click Products → Cloud Servers → Network → Private Networks or Public Networks tab. A network with filtering enabled is marked with an icon.

Traffic filtering is enabled by default on all new private networks and public subnets and cannot be turned off. If filtering is enabled on a network, it is enabled for each new port on that network:

Filtering is turned off on private networks and public subnets that were created:

  • in the ru-1 pool until June 2, 2025;
  • in the ru-2 pool until June 3, 2025;
  • in the ru-3 pool until June 4, 2025;
  • in the ru-7 pool until June 5, 2025;
  • in the ru-8 pool until May 15, 2025;
  • in the ru-9 pool until May 26, 2025;
  • in the gis-1 pool through May 29, 2025;
  • in the kz-1 pool until May 28, 2025;
  • in the uz-1 pool through May 27, 2025;
  • in the uz-2 pool until May 22, 2025;
  • in the ke-1 pool until May 26, 2025.

You cannot enable filtering on these networks. If you need to use security groups, add allowed IP/MAC addresses, or restrict access to a load balancer, create a new private network or public subnet and configure addresses from it on your devices.
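One way to find the cloud server ports that need this migration is to audit a Neutron network and port listing. This is an added example, not code from the original page or from Selectel. It assumes the standard Neutron API field names (`port_security_enabled`, `allowed_address_pairs`, `device_owner`); the sample records, IDs and the prefix threshold are constructed, and the check for overly broad allowed address pairs goes beyond what the page describes.

```python
import ipaddress
import json

# Constructed sample shaped like Neutron GET /v2.0/networks and /v2.0/ports
# responses; IDs, names and device owners are made up for illustration.
NETWORKS = json.loads("""[
  {"id": "net-old", "name": "legacy-private", "port_security_enabled": false},
  {"id": "net-new", "name": "app-private", "port_security_enabled": true}
]""")
PORTS = json.loads("""[
  {"id": "p1", "network_id": "net-old", "device_owner": "compute:az-a",
   "port_security_enabled": false, "allowed_address_pairs": []},
  {"id": "p2", "network_id": "net-new", "device_owner": "compute:az-a",
   "port_security_enabled": true, "allowed_address_pairs": [{"ip_address": "10.0.0.5"}]},
  {"id": "p3", "network_id": "net-new", "device_owner": "compute:az-a",
   "port_security_enabled": true, "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
  {"id": "p4", "network_id": "net-new", "device_owner": "network:router_interface",
   "port_security_enabled": false, "allowed_address_pairs": []},
  {"id": "p5", "network_id": "net-new", "device_owner": "compute:az-a",
   "port_security_enabled": false, "allowed_address_pairs": []}
]""")

def audit(networks, ports, min_prefix_v4=24, min_prefix_v6=64):
    """Return sorted (port_id, finding) tuples for cloud server ports."""
    filtered = {n["id"]: n.get("port_security_enabled", False) for n in networks}
    findings = []
    for port in ports:
        if not port.get("device_owner", "").startswith("compute:"):
            continue  # security groups and IP/MAC pairs apply to server ports
        if not filtered.get(port["network_id"], False):
            # Filtering is off on the network: move the device to a new network.
            findings.append((port["id"], "network-unfiltered"))
        elif not port.get("port_security_enabled", False):
            findings.append((port["id"], "port-unfiltered"))
        else:
            for pair in port.get("allowed_address_pairs", []):
                net = ipaddress.ip_network(pair["ip_address"], strict=False)
                limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
                if net.prefixlen < limit:  # pair admits a whole address range
                    findings.append((port["id"], "wide-address-pair"))
                    break
    return sorted(findings)

if __name__ == "__main__":
    for port_id, finding in audit(NETWORKS, PORTS):
        print(port_id, finding)
```
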

Blocked ports

Selectel blocks some TCP/UDP ports by default; traffic through these ports is blocked.

Cost

Public IP addresses and public subnets are paid for using the cloud platform payment model.

The cost can be viewed at selectel.ru.

The rest of the network resources are free of charge.