Cloud routers

Last update: April 16 2025

Cloud routers

With a cloud router, you can:

• route traffic between private subnets. All private subnets connected to the same router can communicate with each other and use the router's IP address as the default route;
• configure Internet access for devices in the private subnet (outgoing traffic) and from the Internet (incoming traffic), see the instructions for details. Set up access to and from the Internet. The cloud router performs 1:1 NAT via an external IP address that is allocated when the router is connected to an external network: it organizes access to the Internet from a private subnet and processes incoming traffic packets for public IP addresses.

On a cloud router, you can configure static routes.

A cloud router can only be used within a single projects and one pool.

Cloud routers have a limit on the amount of traffic — bandwidth. You can see it in the table Throughput.

Working with cloud routers can be in the control panels with OpenStack CLI or Terraform.

Create a cloud router⁠

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. Click Create a router.
4. Select pool in which a cloud router will be created.
5. Enter the name of the router.
6. Optional: check the checkbox Connect the router to an external network — an external IP address will be assigned to the router.
7. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a cloud router:

   openstack router create <router_name>

   Specify <router_name> — the name of the cloud router.

3. Optional: connect the cloud router to an external network — an external IP address will be assigned to the router:

   openstack router set --external-gateway external-network <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the command openstack router list.

Connect a subnet to the cloud router⁠

For private subnets to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.

To set up access to and from the Internet for devices on private subnets using a cloud router, use these instructions Set up access to and from the Internet.

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.

2. Go to the section Network → tab Cloud routers.

3. Open the router card.

4. Click Add a subnet.

5. Select a private subnet or a global router subnet.

6. Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. You can view the gateway in control panels: from the top menu, press Products → Cloud servers → Network → tab Private networks → network page → tab Subnetworks → subnet card → block Automatic network settings → field Subnet Gateway.

   If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and be different from the global router's IP address, the IP addresses of devices on the network, and service addresses .253 and .254.

7. Click Add a subnet.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the subnet to the cloud router:

   openstack router add subnet <router> <subnet>

   Specify:

   • <router> — The ID or name of the cloud router, can be viewed using the command openstack router list;
   • <subnet> — ID or private subnet name, can be viewed with the command openstack subnet list.

Disconnect the subnet from the cloud router⁠

Control panel

1. In control panel from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. Open the router card.
4. On the menu of the private subnet, select Delete port.
5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the subnet from the cloud router:

   openstack router remove subnet <router> <subnet>

   Specify:

   • <router> — The ID or name of the cloud router, can be viewed using the command openstack router list;
   • <subnet> — ID or subnet name, can be viewed with the command openstack subnet list

Connect the cloud router to an external network⁠

To configure Internet access for devices on a private subnet, the subnet must be connected to a cloud router with access to an external network (external-network). When you connect the router to an external network, an external IP address will be assigned to the router, through which the router will perform 1:1 NAT function.

If the router connects multiple private subnets, devices on all subnets will be able to access the Internet.

To set up access from the Internet for devices on private subnets using a cloud router, use these instructions Set up access to and from the Internet.

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. On the menu of the cloud router, select Connect to an external network.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the cloud router to an external network:

   openstack router set --external-gateway external-network <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the command openstack router list.

Disconnect the cloud router from the external network⁠

If you disconnect the Cloud Router from the external network, its external IP address will return to the address pool. When you reconnect, the IP address will change.

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. On the menu of the cloud router, select Disconnect from external power supply.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the cloud router from the external network:

   openstack router unset --external-gateway <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the command openstack router list.

Assign a firewall to a cloud router port⁠

carefully

Inbound and outbound traffic that is not allowed in the cloud firewall rules will be denied on the cloud router port. Active sessions on the router will be interrupted, which cannot be set by the new rules.

You cannot assign more than one firewall to a single router port.

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. Open the cloud router card.
4. In the row of the private subnet for which you want to configure traffic filtering, in the column Firewall click Connect.
5. Select a firewall.
6. Click Assign.

OpenStack CLI

1. Open the OpenStack CLI.

2. Assign a firewall to the cloud router port:

   openstack firewall group set --port <router_port> <firewall>

   Specify:

   • <router_port> — The ID or port name of the router to which the firewall will be assigned can be viewed using the command openstack port list. To assign a firewall to multiple router ports, list their IDs or names with a space;
   • <firewall> — ID or name of the firewall can be viewed with the command openstack firewall group list.

Disconnect the firewall from the cloud router port⁠

carefully

Cloud firewall rules will no longer apply — all inbound and outbound traffic that passes through the cloud router port will be allowed.

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. Open the router card.
4. On the menu Select the private subnet for which you configured traffic filtering, and then select Disconnect the port from the port.
5. Click Disconnect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the firewall from the router port:

   openstack firewall group unset --port <router_port> <firewall>

   Specify:

   • <router_port> — The ID or port name of the router from which the firewall will be disconnected can be viewed using the command openstack port list;
   • <firewall> — ID or name of the firewall can be viewed with the command openstack firewall group list.

Turn on the cloud router⁠

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. In the cloud router card, turn on the router.

OpenStack CLI

1. Open the OpenStack CLI.

2. Turn on the cloud router:

   openstack router set --enable <router>

   Specify <router> — The ID or name of the router can be viewed with the command openstack router list.

Turn off the cloud router⁠

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. In the cloud router card, disable the router.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the cloud router:

   openstack router set --disable <router>

   Specify <router> — The ID or name of the cloud router, can be viewed using the command openstack router list.

Remove the cloud router⁠

Control panel

1. in control panels from the top menu, press Products and select Cloud servers.
2. Go to the section Network → tab Cloud routers.
3. If subnets are connected to the router, delete the router ports in the subnets. To do this, open the router card and in the menu subnets, select Delete port.
4. On the menu of the router, select Remove the router.
5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. If subnets are connected to the router, delete the router ports:

   openstack router remove port <router> <port_id>

   Specify:

   • <router> — The ID or name of the cloud router, can be viewed using the command openstack router list;
   • <port_id> — The ID of the port connected to the router can be viewed using the command openstack port list --router <router>.

3. Remove the router:

   openstack router delete <router>