Cloud routers

Last update: June 04 2026

With a cloud router, you can:

• route traffic between private subnets. All private subnets connected to the same router can communicate with each other and use the router's IP address as the default route;
• configure internet access for devices in a private subnet (outgoing traffic) and from the internet (incoming traffic), for more details, see the [Configure Internet Access] Configure access to the internet and from the internet guide. The cloud router performs 1:1 NAT via an external IP address, which is allocated when the router is connected to the internet: it organizes internet access from the private subnet and handles incoming traffic packets for public IP addresses.

On a cloud router, you can configure static routes.

A cloud router can only be used within one project and one pool.

Cloud routers have traffic volume limits, i.e., bandwidth. You can view it in the Bandwidth table.

You can work with cloud routers in the Control panel, using OpenStack CLI or Terraform.

Create a cloud router

When creating a router in the multi-availability zone pool ru-6, you can select an availability zone where the router will be created. You can only select an availability zone when creating a router via OpenStack CLI.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. Click Create router.
4. Select a location where the cloud router will be created.
5. Enter the router name.
6. Optional: check the Connect router to internet box — an external IP address will be allocated for the router.
7. Click Create.

OpenStack CLI

1. Open OpenStack CLI.

2. Create a cloud router:

   openstack router create <router_name>

   Specify:

   • <router_name> — name of the cloud router;
   • optional: --availability-zone-hint <availability_zone> — if the router is created in the multi-availability zone pool ru-6, this allows you to select an availability zone where the router will be created. The <availability_zone> parameter is a pool segment, for example ru-6a.

3. Optional: connect the cloud router to the internet — an external IP address will be allocated for the router:

   openstack router set --external-gateway external-network <router>

   Specify <router> — the ID or name of the cloud router; you can view it using the openstack router list command.

Connect a subnet to a cloud router

To allow private subnets from different networks to communicate with each other, they must handle they be connected to the same cloud router. Subnets must not overlap — they must not contain identical IP addresses.

To configure internet access for devices in private subnets, see the Configure access to the internet and from the internet guide.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Cloud Routers tab.

3. Open the router page.

4. Click Connect subnet.

5. Select a private subnet or a global router subnet.

6. Optional: enter the router IP address—any available IP address from the subnet. If you do not specify an IP address, one will be automatically selected from the available addresses in the subnet.

   For devices in the subnet to access the internet without additional routes, the cloud router IP address must match the private subnet gateway. If the subnet gateway is already in use, you will need to configure a static route to the internet in the subnet via the cloud router.

   You can view the subnet gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → tab Private networks → network page → tab Subnets → subnet card → block Automatic network settings → field Subnet gateway.

7. Click Connect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the subnet to the cloud router:

   openstack router add subnet <router> <subnet>

   Specify:

   • <router> — ID or name of the cloud router; you can view it with the command openstack router list;
   • <subnet> — ID or name of the private subnet; you can view it with the command openstack subnet list.

Disconnect a subnet from a cloud router

You cannot detach a subnet from a cloud router if:

• the router is processing traffic for public IP addresses of devices in this subnet;
• there are static routes on the router that specify IP addresses of this subnet as the next-hop.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → tab Cloud Routers.
3. Open the router page → Ports tab.
4. In the port line for the required subnet, click .
5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. Detach the subnet from the cloud router:

   openstack router remove subnet <router> <subnet>

   Specify:

   • <router> — ID or name of the cloud router; you can find it using the openstack router list;
   • <subnet> — ID or name of the subnet; you can find it using the openstack subnet list

Connect a cloud router to the internet

To configure internet access for devices in a private subnet, the subnet must be connected to a cloud router with internet access. To get internet access, the router connects to an external network (external-network), and an external IP address is allocated, which the router will use to perform 1:1 NAT.

You cannot access devices behind the router from the internet using the router's external IP address. It is only used for devices to access the internet through the router.

To configure access to devices from the internet, use a public IP address or a public subnet; for more details, see the Configure access to the internet and from the internet guide.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. In the menu of the cloud router, select Connect to internet.

OpenStack CLI

1. Open OpenStack CLI.

2. Connect the cloud router to the internet:

   openstack router set --external-gateway external-network <router>

   Specify <router> — the ID or name of the cloud router; you can view it using the openstack router list command.

Disconnect a cloud router from the internet

If you disconnect a cloud router from the internet, its external IP address is returned to the IP pool. After reconnecting, the IP address will change.

A cloud router cannot be disconnected from the internet if it is processing traffic for public IP addresses.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. In the menu of the cloud router, select Disconnect from internet.
4. Click Disable.

OpenStack CLI

1. Open OpenStack CLI.

2. Disconnect the cloud router from the internet:

   openstack router unset --external-gateway <router>

   Specify <router> — the ID or name of the cloud router; you can view it using the openstack router list command.

Assign a firewall to a cloud router port

warning

Incoming and outgoing traffic that is not permitted by cloud firewall rules will be denied at the cloud router port. Active sessions on the router that cannot be established under the new rules will be terminated.

You cannot assign more than one firewall to a single router port.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. Open the cloud router page.
4. In the row of the private subnet port for which you want to configure traffic filtering, in the Firewall field, click .
5. Select a firewall.
6. Click Save.

OpenStack CLI

1. Open OpenStack CLI.

2. Assign a firewall to a cloud router port:

   openstack firewall group set --port <router_port> <firewall>

   Specify:

   • <router_port> — the ID or name of the router port to which the firewall will be assigned; you can view it using the openstack port list. To assign a firewall to several router ports, list their IDs or names separated by a space;
   • <firewall> — the ID or name of the firewall; you can view it using the openstack firewall group list command.

Disable firewall on a cloud router port

warning

Cloud firewall rules will stop applying — all incoming and outgoing traffic passing through the cloud router port will be permitted.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. Open the router page.
4. In the row of the private subnet port for which traffic filtering was configured, in the Firewall field, click .
5. Select No firewall.
6. Click Save.

OpenStack CLI

1. Open OpenStack CLI.

2. Disable firewall on a router port:

   openstack firewall group unset --port <router_port> <firewall>

   Specify:

   • <router_port> — the ID or name of the router port from which the firewall will be disabled; you can view it using the openstack port list;
   • <firewall> — the ID or name of the firewall; you can view it using the openstack firewall group list command.

Enable a cloud router

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. In the cloud router card, enable the router.

OpenStack CLI

1. Open OpenStack CLI.

2. Enable the cloud router:

   openstack router set --enable <router>

   Specify <router> — the ID or name of the router; you can view it using the openstack router list command.

Disable a cloud router

A router cannot be disabled if it is processing traffic for a public IP address.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network → Cloud Routers tab.
3. In the cloud router card, disable the router.

OpenStack CLI

1. Open OpenStack CLI.

2. Disable the cloud router:

   openstack router set --disable <router>

   Specify <router> — the ID or name of the cloud router; you can view it using the openstack router list command.

Delete a cloud router

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network → Cloud Routers tab.

3. Disconnect all connected subnets from the router; to do this, delete the ports of all subnets from the router:

   3.1. Open the router page → tab Ports.

   3.2. In the row of any port, click .

   3.3. Click Delete.

   3.4. Repeat steps 3.2–3.3 for all remaining ports.

4. In the menu of the router, select Delete router.

5. Click Delete.

OpenStack CLI

1. Open OpenStack CLI.

2. If subnets are connected to the router, delete the router ports:

   openstack router remove port <router> <port_id>

   Specify:

   • <router> — the ID or name of the cloud router; you can view it using the openstack router list;
   • <port_id> — the ID of the port connected to the router; you can view it using the openstack port list --router <router> command;.

3. Delete the router:

   openstack router delete <router>