Manage cloud platform network access

Cloud platform network access is governed by:

Access within the role model

Read more about access within the role model in the instruction Access management in Selectel products.

This instruction describes roles for accessing cloud platform network resources: private networks, subnets and ports, public subnets and ports, public IP addresses, and cloud routers. Access to load balancers, cloud firewalls and security groups is regulated separately.

member

User with full access to all services. Access management is not available for: users, service users, user groups, and federations.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of all cloud platform network resources and information about them in all projects;

  • managing private networks, subnets, and ports in all projects:

    • creating and deleting a network and subnet;
    • changing the name and tags of a network and subnet;
    • configuring network access in different projects;
    • changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP state);
    • connecting a subnet to a cloud router and disconnecting it;
    • connecting a network to a global router and disconnecting it;
    • creating a port in a network and deleting a port;
    • enabling and disabling a port in a network;
    • managing allowed addresses and security groups on a port in a network;
  • managing public subnets in all projects:

    • creating and deleting a subnet;
    • changing the name and tags of a subnet;
    • changing DNS servers;
    • configuring access to a subnet in different projects;
    • creating and deleting a port in a subnet;
  • managing public IP addresses in all projects:

    • creating and deleting an IP address;
    • connecting an IP address to a port in a private network;
    • switching between ports;
    • disconnecting from a port;
  • managing cloud routers in all projects:

    • creating and deleting a router;
    • changing the name and tags of a router;
    • enabling and disabling a router;
    • connecting a router to the internet and disconnecting it;
    • managing static routes on a router;
    • connecting a private subnet to a router and disconnecting it

In the Project access scope:

  • viewing the list of all cloud platform network resources and information about them in the selected project;

  • managing private networks, subnets, and ports in the selected project:

    • creating and deleting a network and subnet;
    • changing the name and tags of a network and subnet;
    • configuring network access in different projects (access to each of the projects is required);
    • changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP state);
    • connecting a subnet to a cloud router and disconnecting it;
    • creating a port in a network and deleting a port;
    • enabling and disabling a port in a network;
    • managing allowed addresses and security groups on a port;
  • managing public subnets in the selected project:

    • creating and deleting a subnet;
    • changing the name and tags of a subnet;
    • changing DNS servers;
    • configuring access to a subnet in different projects;
    • creating and deleting a port in a subnet;
    • enabling and disabling a port in a network;
  • managing public IP addresses in the selected project:

    • creating and deleting an IP address;
    • connecting an IP address to a port in a private network;
    • switching between ports;
    • disconnecting from a port;
  • managing cloud routers in the selected project:

    • creating and deleting a router;
    • changing the name and tags of a router;
    • enabling and disabling a router;
    • connecting a router to the internet and disconnecting it;
    • managing static routes on a router;
    • connecting a private subnet to a router and disconnecting it

iam.admin

User with access to manage users and no access to services or billing. Cannot manage their own account: change permissions, manage notifications, or delete the user. The first user with the iam.admin role is created by the Account Owner.

Access scopes
  • Account
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

iam.viewer

User with access to view everything managed by iam.admin.

Access scopes
  • Account
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

reader

User with access to view everything managed by member in the same access scope.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of all cloud platform network resources and information about them in all projects

In the Project access scope:

  • viewing the list of all cloud platform network resources and information about them in the selected project

vpc.admin

User with access to manage cloud platform networks (private networks and subnets, public subnets and public IP addresses, cloud routers), cloud firewalls, security groups, and cloud load balancers.

Adding ports to a cloud server and deleting ports added to a cloud server are not available; this requires the member role.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of all cloud platform network resources and information about them in all projects;

  • managing private networks, subnets, and ports in all projects:

    • creating and deleting a network and subnet;
    • changing the name and tags of a network and subnet;
    • changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP state);
    • connecting a subnet to a cloud router and disconnecting it;
    • connecting a subnet to a global router and disconnecting it (the global_router.admin role is additionally required);
    • creating a port in a network (without assignment to a cloud server) and deleting a port in a network (except those assigned to a cloud server);
    • enabling and disabling a port in a network;
  • managing public subnets in all projects:

    • creating and deleting a subnet;
    • changing the name and tags of a subnet;
    • changing DNS servers;
    • creating and deleting a port in a subnet;
    • enabling and disabling a port in a network;
  • managing public IP addresses in all projects:

    • creating and deleting an IP address;
    • connecting an IP address to a port in a private network;
    • switching between ports;
    • disconnecting from a port;
  • managing cloud routers in all projects:

    • creating and deleting a router;
    • changing the name and tags of a router;
    • enabling and disabling a router;
    • connecting a router to the internet and disconnecting it;
    • managing static routes on a router;
    • connecting a private subnet to a router and disconnecting it

In the Project access scope:

  • viewing the list of all cloud platform network resources and information about them in the selected project;

  • managing private networks, subnets, and ports in the selected project:

    • creating and deleting a network and subnet;
    • changing the name and tags of a network and subnet;
    • changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP state);
    • connecting a subnet to a cloud router and disconnecting it;
    • connecting a subnet to a global router and disconnecting it (the global_router.admin role is additionally required);
    • creating a port in a network (without assignment to a cloud server) and deleting a port in a network (except those assigned to a cloud server);
    • enabling and disabling a port in a network;
  • managing public subnets in the selected project:

    • creating and deleting a subnet;
    • changing the name and tags of a subnet;
    • changing DNS servers;
    • creating and deleting a port in a subnet;
    • enabling and disabling a port in a network;
  • managing public IP addresses in the selected project:

    • creating and deleting an IP address;
    • connecting an IP address to a port in a private network;
    • switching between ports;
    • disconnecting from a port;
  • managing cloud routers in the selected project:

    • creating and deleting a router;
    • changing the name and tags of a router;
    • enabling and disabling a router;
    • connecting a router to the internet and disconnecting it;
    • managing static routes on a router;
    • connecting a private subnet to a router and disconnecting it

vpc.viewer

User with access to view everything managed by vpc.admin in the same access scope.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of all cloud platform network resources and information about them in all projects

In the Project access scope:

  • viewing the list of all cloud platform network resources and information about them in the selected project

vpc.private_network.admin

User with access to manage private networks, subnets, and ports.

Adding ports to a cloud server and deleting ports added to a cloud server are not available; this requires the member role.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of private networks, subnets, ports, and information about them in all projects;

  • managing private networks, subnets, and ports in all projects:

    • creating and deleting a network and subnet;
    • changing the name and tags of a network and subnet;
    • changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP state);
    • connecting a subnet to a cloud router and disconnecting it (the vpc.external_access.admin role is additionally required);
    • connecting a subnet to a global router and disconnecting it (the global_router.admin role is additionally required);
    • creating a port in a network (without assignment to a cloud server) and deleting a port in a network (except those assigned to a cloud server);
    • enabling and disabling a port in a network

In the Project access scope:

  • viewing the list of private networks, subnets, ports, and information about them in the selected project;

  • managing private networks, subnets, and ports in the selected project:

    • creating and deleting a network and subnet;
    • changing the name and tags of a network and subnet;
    • changing automatic subnet network settings (gateway, DNS servers, static routes, DHCP state);
    • connecting a subnet to a cloud router and disconnecting it (the vpc.external_access.admin role is additionally required);
    • connecting a subnet to a global router and disconnecting it (the global_router.admin role is additionally required);
    • creating a port in a network (without assignment to a cloud server) and deleting a port in a network (except those assigned to a cloud server);
    • enabling and disabling a port in a network

vpc.private_network.viewer

User with access to view everything managed by vpc.private_network.admin in the same access scope.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of private networks, subnets, ports, and information about them in all projects

In the Project access scope:

  • viewing the list of private networks, subnets, ports, and information about them in the selected project

vpc.external_access.admin

User with access to manage internet access objects — public subnets, public IP addresses, and cloud routers.

Adding ports to a cloud server and deleting ports added to a cloud server are not available; this requires the member role.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of public subnets and public IP addresses, ports in public networks, cloud routers, and information about them in all projects;

  • managing public subnets in all projects:

    • creating and deleting a subnet;
    • changing the name and tags of a subnet;
    • changing DNS servers;
    • creating and deleting a port in a subnet;
    • enabling and disabling a port in a network
  • managing public IP addresses in all projects:

    • creating and deleting an IP address;
    • connecting an IP address to a port in a private network;
    • switching between ports;
    • disconnecting from a port;
  • managing cloud routers in all projects:

    • creating and deleting a router;
    • changing the name and tags of a router;
    • enabling and disabling a router;
    • connecting a router to the internet and disconnecting it;
    • managing static routes on a router;
    • connecting a private subnet to a router and disconnecting it (the vpc.private_network.admin role is additionally required)

In the Project access scope:

  • viewing the list of public subnets and public IP addresses, ports in public networks, cloud routers, and information about them in the selected project;

  • managing public subnets in the selected project:

    • creating and deleting a subnet;
    • changing the name and tags of a subnet;
    • changing DNS servers;
    • creating and deleting a port in a subnet;
    • enabling and disabling a port in a network
  • managing public IP addresses in the selected project:

    • creating and deleting an IP address;
    • connecting an IP address to a port in a private network;
    • switching between ports;
    • disconnecting from a port;
  • managing cloud routers in the selected project:

    • creating and deleting a router;
    • changing the name and tags of a router;
    • enabling and disabling a router;
    • connecting a router to the internet and disconnecting it;
    • managing static routes on a router;
    • connecting a private subnet to a router and disconnecting it (the vpc.private_network.admin role is additionally required)

vpc.external_access.user

User with access to view everything managed by vpc.external_access.admin in the same access scope, as well as access to manage public IP addresses.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of public subnets and public IP addresses, ports in public networks, cloud routers, and information about them in all projects;

  • managing public IP addresses in all projects:

    • connecting an IP address to a port in a private network, switching between ports, disconnecting from a port

In the Project access scope:

  • viewing the list of public subnets and public IP addresses, ports in public networks, cloud routers, and information about them in the selected project;

  • managing public IP addresses in the selected project:

    • connecting an IP address to a port in a private network, switching between ports, disconnecting from a port

vpc.external_access.viewer

User with access to view everything managed by vpc.external_access.admin in the same access scope.

Access scopes
  • Account;
  • Project
Who can be assigned
  • Users;
  • service users;
  • user groups
Available cloud platform network operations

In the Account access scope:

  • viewing the list of public subnets and public IP addresses, ports in public networks, cloud routers, and information about them in all projects

In the Project access scope:

  • viewing the list of public subnets and public IP addresses, ports in public networks, cloud routers, and information about them in the selected project
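
Several operations above need a combination of roles (for example, connecting a private subnet to a cloud router needs both vpc.private_network.admin and vpc.external_access.admin unless vpc.admin or member is held). The following check is an added example, not Selectel code: it models a few of those rules to test whether a set of assignments permits an operation in a project and which roles are still missing. The operation labels, the assignment tuple format and the project names are hypothetical, and it assumes that roles assigned in different scopes combine.

```python
# Added example. Role names are from the page; operation labels are hypothetical.
# Each operation lists alternative role sets, narrowest first.
ALLOWED_BY = {
    "attach_port_to_server": [{"member"}],
    "subnet_to_cloud_router": [
        {"vpc.private_network.admin", "vpc.external_access.admin"},
        {"vpc.admin"},
        {"member"},
    ],
    "subnet_to_global_router": [
        {"vpc.private_network.admin", "global_router.admin"},
        {"vpc.admin", "global_router.admin"},
        {"member@account"},  # the page lists this for member in the Account scope only
    ],
    "attach_public_ip_to_port": [
        {"vpc.external_access.user"},
        {"vpc.external_access.admin"},
        {"vpc.admin"},
        {"member"},
    ],
}

def effective_roles(assignments, project):
    """Roles that apply in `project`: Account-scope ones plus that project's own."""
    held = set()
    for role, scope, assigned_project in assignments:
        if scope == "account":
            held |= {role, role + "@account"}
        elif scope == "project" and assigned_project == project:
            held.add(role)
    return held

def can(assignments, project, operation):
    """True if any alternative role set is fully held in `project`."""
    held = effective_roles(assignments, project)
    return any(combo <= held for combo in ALLOWED_BY[operation])

def missing_roles(assignments, project, operation):
    """Fewest roles still to grant; ties go to the narrowest alternative."""
    held = effective_roles(assignments, project)
    return min((combo - held for combo in ALLOWED_BY[operation]), key=len)

# Constructed assignments: (role, scope, project or None for Account scope).
NETOPS = [("vpc.private_network.admin", "project", "proj-a")]
NETOPS_PLUS = NETOPS + [("vpc.external_access.admin", "account", None)]
```

Run against an export of real assignments, a check like this shows where member was granted only to cover an operation that a narrower vpc.* combination already allows.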