Cloud routers

Last update: May 28 2025

Cloud routers

With a cloud router, you can:

• route traffic between private subnets. All private subnets connected to the same router can communicate with each other and use the router's IP address as the default route;
• configure Internet access for devices in the private subnet (outgoing traffic) and from the Internet (incoming traffic), more details in the instructions Configure Internet access and from the Internet. The cloud router performs 1:1 NAT function via an external IP address, which is allocated when the router is connected to an external network: it organizes Internet access from the private subnet and processes incoming traffic packets for public IP addresses.

You can configure static routes on the cloud router.

A cloud router can only be used within one project and one pool.

Cloud routers have a limit on the amount of traffic — bandwidth. You can see it in the Bandwidth table.

You can work with cloud routers in the control panel, using the OpenStack CLI or Terraform.

Create a cloud router⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. Click Create router.
4. Select the pool where the cloud router will be created.
5. Enter the name of the router.
6. Optional: check the Connect router to external network checkbox — an external IP address will be assigned to the router.
7. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a cloud router:

   openstack router create <router_name>

   Specify <router_name> — the name of the cloud router..

3. Optional: connect the cloud router to an external network — an external IP address will be assigned to the router:

   openstack router set --external-gateway external-network <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the openstack router list command.

Connect a subnet to the cloud router⁠

For private subnets to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.

To configure access to and from the Internet for devices on private subnets using a cloud router, use the instructions to Configure Access to and from the Internet.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to Network → Cloud routers tab.

3. Open the router card.

4. Click Add Subnet.

5. Select a private subnet or a global router subnet.

6. Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. You can view the gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → Private Networks tab → Network page → Subnets tab → Subnet card → Automatic Network Settings block → Subnet Gateway field.

   If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and must be different from the global router IP address, the IP addresses of the devices on the network, and the .253 and .254 service addresses.

7. Click Add Subnet.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the subnet to the cloud router:

   openstack router add subnet <router> <subnet>

   Specify:

   • <router> — The ID or name of the cloud router can be viewed with the command openstack router list;
   • <subnet> — The ID or name of a private subnet can be viewed with the command openstack subnet list.

Disconnect the subnet from the cloud router⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. Open the router card.
4. From the menu of the private subnet, select Delete Port.
5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the subnet from the cloud router:

   openstack router remove subnet <router> <subnet>

   Specify:

   • <router> — The ID or name of the cloud router can be viewed with the command openstack router list;
   • <subnet> — The ID or subnet name can be viewed with the command openstack subnet list

Connect the cloud router to an external network⁠

To configure Internet access for devices on a private subnet, the subnet must be connected to a cloud router with external-network access. When the router is connected to the external-network, an external IP address will be assigned to the router, through which the router will perform a 1:1 NAT function.

If the router connects multiple private subnets, devices on all subnets will be able to access the Internet.

To configure access from the Internet for devices on private subnets using a cloud router, use the instructions Configure Access to and from the Internet.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. From the menu of the cloud router, select Connect to external network.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the cloud router to an external network:

   openstack router set --external-gateway external-network <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the openstack router list command.

Disconnect the cloud router from the external network⁠

If you disconnect the Cloud Router from the external network, its external IP address will return to the address pool. When you reconnect, the IP address will change.

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. From the menu of the cloud router, select Disconnect from external network.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the cloud router from the external network:

   openstack router unset --external-gateway <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the openstack router list command.

Assign a firewall to a cloud router port⁠

carefully

Inbound and outbound traffic that is not allowed in the cloud firewall rules will be denied on the cloud router port. Active sessions on the router will be interrupted, which cannot be set by the new rules.

You cannot assign more than one firewall to a single router port.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. Open the cloud router card.
4. In the row of the private subnet for which you want to configure traffic filtering, in the Firewall column, click Connect.
5. Select a firewall.
6. Click Assign.

OpenStack CLI

1. Open the OpenStack CLI.

2. Assign a firewall to the cloud router port:

   openstack firewall group set --port <router_port> <firewall>

   Specify:

   • <router_port> — The ID or port name of the router to which the firewall will be assigned can be viewed with the command openstack port list. To assign a firewall to multiple router ports, list their IDs or names with a space;
   • <firewall> — The ID or name of the firewall can be viewed with the command openstack firewall group list.

Disconnect the firewall from the cloud router port⁠

carefully

Cloud firewall rules will no longer apply — all inbound and outbound traffic that passes through the cloud router port will be allowed.

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. Open the router card.
4. From the menu of the private subnet for which traffic filtering has been configured, select Disconnect Port from Port.
5. Click Disable.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the firewall from the router port:

   openstack firewall group unset --port <router_port> <firewall>

   Specify:

   • <router_port> — The ID or port name of the router from which the firewall will be disconnected can be viewed with the command openstack port list;
   • <firewall> — The ID or name of the firewall can be viewed with the command openstack firewall group list.

Turn on the cloud router⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. In the cloud router card, turn on the router.

OpenStack CLI

1. Open the OpenStack CLI.

2. Turn on the cloud router:

   openstack router set --enable <router>

   Specify <router> — The ID or name of the router, can be viewed using the openstack router list command.

Turn off the cloud router⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. In the cloud router card, disable the router.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the cloud router:

   openstack router set --disable <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the openstack router list command.

Remove the cloud router⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.
2. Go to Network → Cloud routers tab.
3. If subnets are connected to the router, delete the router ports in the subnets. To do this, open the router card and select Delete Port from the subnet menu.
4. From the router ' menu, select Remove Router.
5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. If subnets are connected to the router, delete the router ports:

   openstack router remove port <router> <port_id>

   Specify:

   • <router> — The ID or name of the cloud router can be viewed with the command openstack router list;
   • <port_id> — The ID of the port connected to the router can be viewed with the command openstack port list --router <router>.

3. Remove the router:

   openstack router delete <router>