General information about cloud platform networks
Cloud platform networks operate on the basis of OpenStack Neutron. Learn more in the Neutron section of the OpenStack documentation.
You can work with cloud platform networks in the control panel, using OpenStack CLI or Terraform.
Cloud platform networks support user types and roles.
You can monitor metrics for cloud platform networks using the Metrics service.
Records of cloud platform network operations are saved in audit logs.
Tasks
In the cloud platform, you can use network resources to:
- configure connectivity between devices in the same pool and combine them into private subnets using ports for devices: cloud servers, load balancers, file storage, Managed Kubernetes clusters, and Managed Database clusters;
- route traffic between private subnets and configure internet access for devices in a private subnet using cloud routers;
- connect static public IP addresses to devices in private subnets to configure internet access to them;
- connect devices to public subnets for internet access to and from your environment. Cloud servers, load balancers, and Managed Database clusters can be connected to public subnets using ports;
- distribute incoming network traffic among cloud servers using load balancers;
- connect private subnets to a global router to organize network connectivity between devices in different pools (including different projects and accounts) or between different services;
- configure static routes for subnets.
To limit traffic, you can use:
- Cloud firewalls — assigned to a cloud router port, they filter traffic for private subnets and public IP addresses;
- Security groups — assigned to a cloud server port, they filter all traffic for that port;
- Allowed IP/MAC addresses — configured on a cloud server port, they allow outbound traffic from the port only for specific pairs of IP/MAC addresses.
To use security groups and allowed IP/MAC addresses, traffic filtering (port security) must be enabled in the network.
Network examples
Internet access
Cloud servers can be connected to a private network without internet access, and you can configure various options for internet access via routers and public IP addresses.

Private network and bastion host
A bastion host is a host in the network that acts as a gateway or proxy for all other servers. Such a host is accessible via a public IP address and communicates with other servers over a private network.

Public subnet
All servers in a public subnet have internet access. Servers communicate with each other through public interfaces.

Load balancer and bastion host
You can add a load balancer to the bastion host setup. The bastion host is used for accessing the private network and managing infrastructure, while the load balancer handles request proxying.

Bandwidth
Network objects in the cloud platform have limits on outbound and inbound traffic bandwidth.
St. Petersburg
Moscow
Novosibirsk
Tashkent
Almaty
Nairobi
* Actual bandwidth depends on device configuration and network conditions.
A list of regions, availability zones, and pools can be viewed in the Selectel Infrastructure table.
Bandwidth for devices in private networks can be increased up to 10 Gbps — create a ticket or create a flavor in the 10G Net line.
Speed on a port may decrease significantly, for example to 0.1 Gbps, if the associated IP address is blocked by Selectel security systems. To increase the speed, create a ticket.
Traffic filtering (port security)
Traffic filtering (port security) is a network feature for protection against unauthorized access and attacks. Filtering allows you to:
- use security groups on cloud server ports;
- add allowed IP/MAC addresses for outbound traffic from cloud server ports;
- limit access to a load balancer.
The filtering status of a network can be viewed in the control panel: from the top menu, click Products → Cloud Servers → Network → Private networks or Public networks tab. A network with filtering enabled is marked with an icon.
Traffic filtering is enabled by default in all new private networks and public subnets and cannot be disabled. If filtering is enabled in a network, then for every new port in that network:
- a default security group is assigned, which allows all traffic through the port. You can assign a different security group;
- one allowed IP/MAC address pair is fixed for the port's outbound traffic. This blocks MAC/IP spoofing and the operation of overlay networks, VPNs, and VRRP. If you use solutions based on these, you need to add allowed IP/MAC addresses that can be used to send traffic.
Filtering is disabled in private networks and public subnets that were created:
- in the ru-1 pool before June 2, 2025;
- in the ru-2 pool before June 3, 2025;
- in the ru-3 pool before June 4, 2025;
- in the ru-7 pool before June 5, 2025;
- in the ru-8 pool before May 15, 2025;
- in the ru-9 pool before May 26, 2025;
- in the gis-1 pool before May 29, 2025;
- in the kz-1 pool before May 28, 2025;
- in the uz-1 pool before May 27, 2025;
- in the uz-2 pool before May 22, 2025;
- in the ke-1 pool before May 26, 2025.
In these networks, filtering cannot be enabled. If you need to use security groups, add allowed IP/MAC addresses, or limit access to a load balancer, create a new private network or public subnet and configure addresses from it on your devices.
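The rules above can be turned into a review of exported network and port records. The following is an added example, not Selectel's own tooling: field names follow the JSON output of the OpenStack CLI, while the `pool` field, the `audit` function, the sample records and the `sg-default` ID are assumptions made for the illustration.

```python
from datetime import date

# Pool cutoff dates from the list above: a network created before its pool's
# date has filtering disabled, and it cannot be enabled afterwards.
CUTOFF = {
    "ru-1": date(2025, 6, 2), "ru-2": date(2025, 6, 3), "ru-3": date(2025, 6, 4),
    "ru-7": date(2025, 6, 5), "ru-8": date(2025, 5, 15), "ru-9": date(2025, 5, 26),
    "gis-1": date(2025, 5, 29), "kz-1": date(2025, 5, 28), "uz-1": date(2025, 5, 27),
    "uz-2": date(2025, 5, 22), "ke-1": date(2025, 5, 26),
}

def audit(networks, ports, default_sg_ids):
    """Return sorted (object id, finding) pairs for a port-security review."""
    findings, unfiltered = [], set()
    for net in networks:
        created = date.fromisoformat(net["created_at"][:10])
        cutoff = CUTOFF.get(net["pool"])
        if not net["port_security_enabled"] or (cutoff and created < cutoff):
            unfiltered.add(net["id"])
            findings.append((net["id"], "filtering disabled, cannot be enabled"))
    for port in ports:
        if port["network_id"] in unfiltered:
            findings.append((port["id"], "security groups not enforced"))
            continue
        groups = set(port["security_group_ids"])
        if groups and groups <= set(default_sg_ids):
            findings.append((port["id"], "only default allow-all group"))
        # Neutron accepts a CIDR here; a /0 pair undoes the spoofing protection.
        for pair in port["allowed_address_pairs"]:
            if pair["ip_address"].endswith("/0"):
                findings.append((port["id"], "address pair allows any source IP"))
    return sorted(findings)

# Constructed sample records; "pool" is an assumed field added by the caller.
NETWORKS = [
    {"id": "net-old", "pool": "ru-1", "created_at": "2025-03-10T09:00:00Z",
     "port_security_enabled": False},
    {"id": "net-new", "pool": "ru-1", "created_at": "2025-07-01T09:00:00Z",
     "port_security_enabled": True},
]
PORTS = [
    {"id": "port-a", "network_id": "net-old", "security_group_ids": [],
     "allowed_address_pairs": []},
    {"id": "port-b", "network_id": "net-new", "security_group_ids": ["sg-default"],
     "allowed_address_pairs": []},
    {"id": "port-c", "network_id": "net-new", "security_group_ids": ["sg-web"],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0",
                                "mac_address": "fa:16:3e:00:00:01"}]},
]
```

Calling `audit(NETWORKS, PORTS, {"sg-default"})` returns one finding for the legacy network and one for each of the three sample ports.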
Blocked ports
In Selectel, traffic through some TCP/UDP ports is blocked by default.
Cost
Public IP addresses and public subnets are paid for using the cloud platform payment model.
Costs can be viewed on selectel.ru.
Other network resources are provided free of charge.