Skip to main content

General information about cloud platform networks

Last update:

Cloud platform networks operate on the basis of OpenStack Neutron. Learn more in the Neutron section of the OpenStack documentation.

You can work with cloud platform networks in the control panel, using OpenStack CLI or Terraform.

Cloud platform networks support user types and roles.

You can monitor metrics for cloud platform networks using the Metrics service.

Records of cloud platform network operations are saved in audit logs.

Tasks

In the cloud platform, you can use network resources to:

  • configure connectivity between devices in the same pool and aggregate into private subnets using ports for devices: cloud servers, load balancers, file storage, Managed Kubernetes clusters, and Managed Database clusters;
  • route traffic between private subnets and configure internet access for devices in a private subnet using cloud routers;
  • connect public floating IP addresses to devices in private subnets to set up access to them from the Internet;
  • connect direct public IP addresses to cloud servers for access to and from the Internet;
  • connect devices to public subnets for access to and from the Internet. You can connect cloud servers, load balancers, and Managed Database clusters to public subnets using ports;
  • distribute incoming network traffic between cloud servers using load balancers;
  • to organize network connectivity between devices in different pools (including different projects and accounts) or between different services, private subnets can be connected to a global router;
  • configure static routes for subnets.

To restrict traffic, you can use:

  • cloud firewalls — assigned to a cloud router port, they allow filtering traffic for private subnets and public IP addresses;
  • security groups — assigned to a cloud server port, they allow filtering all port traffic;
  • allowed IP/MAC addresses — configured on a cloud server port, except for ports with a direct public IP address, they allow outgoing port traffic only from specific IP/MAC address pairs.

To use security groups and allowed IP/MAC addresses, traffic filtering (port security) must be enabled in the network.

Network examples

Internet access

Cloud servers can be connected to a private network without internet access, and various internet access options can be configured using routers and public IP addresses.

Private network and bastion host

A bastion host is a host in a network that acts as a gateway or proxy for all other servers. This host is available via a public IP address and communicates with other servers over a private network.

Public subnet

All servers in a public subnet have internet access. Servers communicate with each other via public interfaces.

Load balancer and bastion host

You can add a load balancer to a schema with a bastion host. The bastion host is used to access the private network and manage infrastructure, and the load balancer proxies requests.

Bandwidth

Cloud platform network objects have limits on outgoing and incoming traffic bandwidth.

Outgoing trafficPrivate network and bastion host
Private network traffic
Public subnet3 Gbps — in all pools except ru-1

1 Gbps — in the ru-1 pool

10 Gbps — for the 10G Net line
Unlimited *
Internet traffic
St. Petersburg3 Gbps — in all pools except ru-1

1 Gbps — in the ru-1 pool

10 Gbps — for the 10G Net line
Unlimited *
Cloud server port with a direct public IP address3 Gbps — in all pools except ru-1

1 Gbps — in the ru-1 pool

10 Gbps — for the 10G Net line
Unlimited *
Cloud server port in a public subnet3 Gbps — in all pools except ru-1

1 Gbps — in the ru-1 pool
5 Gbps
Cloud server port in a private subnet without a public floating IP address (traffic via the cloud router external IP address)3 Gbps
Cloud router, total bandwidth for all devices without a public floating IP address behind one router5 Gbps5 Gbps

* Actual bandwidth depends on device configuration and network conditions.

The list of regions, availability zones, and pools can be viewed in the Selectel Infrastructure table.

Bandwidth for devices in private networks can be increased to 10 Gbps — create a ticket or create a flavor in the 10G Net.

The port speed may significantly decrease, for example to 0.1 Gbps, if the associated IP address is blocked by the Selectel security system. To increase the speed, create a ticket.

Traffic filtering (port security)

Traffic filtering (port security) is a network feature for protection against unauthorized access and attacks. Filtering allows you to:

Network filtering status can be viewed in the Control Panel: from the top menu, click ProductsCloud ServersNetworkPrivate Networks or Public Networks tab. A network with filtering enabled is marked with .

Traffic filtering is enabled by default in all new private networks and public subnets and cannot be disabled. If filtering is enabled in a network, then for each new port in this network:

  • a default security group is assigned, which allows all traffic through the port. You can assign another security group;
  • one authorized IP/MAC address pair is locked for the port's outgoing traffic. This blocks MAC/IP spoofing and prevents overlay networks, VPNs, and VRRP from working. If you are using solutions based on these, you must add allowed IP/MAC addresses that can be used to send traffic to the port.

Filtering is disabled in private networks and public subnets that were created:

  • in the ru-1 pool before June 2, 2025;
  • in the ru-2 pool before June 3, 2025;
  • in the ru-3 pool before June 4, 2025;
  • in the ru-7 pool before June 5, 2025;
  • in the ru-8 pool before May 15, 2025;
  • in the ru-9 pool before May 26, 2025;
  • in the gis-1 pool before May 29, 2025;
  • in the kz-1 pool before May 28, 2025;
  • in the uz-1 pool before May 27, 2025;
  • in the uz-2 pool before May 22, 2025;
  • in the ke-1 pool before May 26, 2025.

Filtering cannot be enabled in these networks. If you need to use security groups, add allowed IP/MAC addresses, or restrict access to a load balancer, create a new private network or public subnet and configure addresses from it on your devices.

Blocked ports

In Selectel, some TCP/UDP ports are blocked by default, and traffic through them is blocked.

Cost

Public IP addresses and public subnets are paid for using the cloud platform payment model.

Prices can be viewed on selectel.ru.

Other network resources are provided free of charge.