Skip to main content
Private subnets and networks
Last update:

Private subnets and networks

Private networks are L2 segments of the network. At least one private subnet must be created in each private network. Private subnets are ranges of private IP addresses at the L3 level, limited by the CIDR size. If devices are in different private subnets of the same private network, they can communicate directly.

Within different private networks, there can be subnets with the same prefixes (masks), but within the same network, the subnet prefixes must be different. By default, private networks and subnets do not have access to and from the Internet and cannot use public addressing.

In order for private subnets from different networks to communicate, they must be connect to the same cloud router. To organize network connectivity at the L3 level between devices in different pools (including different projects and accounts) or between different services, you need to connect private subnets to the global router. The addresses of subnets connected to the same router (cloud or global) must not overlap.

By default, private networks and the subnets belonging to them can only be used within a single projects and one pool. You can Set up private network sharing in different projects within the same account.

Within private subnets there are limits on the amount of traffic — bandwidth. You can see it in the table Throughput.

You can work with private subnets and networks in the control panels with OpenStack CLI or Terraform.

Automatic private subnet settings

Private subnets specify default settings: default gateway and DNS servers. If you add a device to an existing subnet, the settings are automatically applied to the device. If you change the settings of a subnet that already has devices on it, you need to update network settings on all devices on the subnet.

Default gateway

When creating a private subnet, the first available IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24 the gateway will be reserved 192.168.0.1. The default gateway can be changed by subnetting or modify after creation.

DNS servers

When you create a private subnet on the devices in the subnet, Selectel DNS servers are automatically assigned to the subnet. You can change the DNS servers by subnetting or modify after creation.

Static routes

By default, subnets do not have static routes specified. For private subnets, you can configure static routes.

Create a private network

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Click Create a network.
  4. Select pool in which a private network will be created.
  5. Enter the name of the network.
  6. Optional: enter a comment for the network.
  7. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
  8. Optional: to change the IP address default gateway, press . Enter a value. Press .
  9. Optional: to change DNS servers, press . Enter one to three values. Press .
  10. Optional: To enable DHCP, check the checkbox. Enable DHCP.
  11. Optional: to add another subnet, press Add a subnet and repeat steps 7-10.
  12. Click Create.

Add a subnet to a private network

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Open the network page → tab Subnetworks.
  4. Click Create a subnet.
  5. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
  6. Optional: Change the IP address default gateway.
  7. Optional: change DNS servers. Enter one to three values.
  8. Optional: To enable DHCP, check the checkbox. Enable DHCP.
  9. Click .

Configure private network access in different projects

By default, a private network can only be used within a single projects and one pool. You can set up private network sharing in different projects within the same account. The network will also be available only within the same pool.

A private network will have a tag Кросспроектная. You will only be able to manage the network in the project in which the subnet is located.

If you need to combine private networks from different pools (including in different projects and accounts), connect the private network to a global router.

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Copy the ID of the destination project with which you want to share the network. To do this, open the projects menu (name of the current project) and in the project line, click .
  4. Make sure you are in the project where the network is located.
  5. Open the network page → tab Projects.
  6. Click Add project.
  7. Paste the destination project ID you copied in step 3.
  8. Click .

Enable DHCP on a private subnet

The DHCP protocol can be used to automatically configure the network on devices. It allows you to automatically obtain IP addresses, subnet mask, default gateway, DNS server addresses, and static routes for devices on a private subnet. Devices in a DHCP enabled subnet will automatically request settings from the DHCP server: when the network interface is turned on or when the address lease expires (default is 24 hours).

When DHCP is enabled, two ports for DHCP servers will be created in the subnet: one for the primary and one for the backup. The first two free IP addresses in the subnet will be reserved for the ports. For example, for a subnet with CIDR 192.168.0.0/24 will be reserved 192.168.0.2 and 192.168.0.3

DHCP on a private subnet can be enabled by creating a private network, adding a subnet to the network or for an existing private subnet.

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Open the private network page → tab Subnetworks.
  4. In the subnet card, open the block Automatic network settings.
  5. Turn on the toggle switch DHCP server.

Disable DHCP on a private subnet

Disabling DHCP on a private subnet frees up two IP addresses that have been reserved for DHCP servers.

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Open the private network page → tab Subnetworks.
  4. In the subnet card, open the block Automatic network settings.
  5. Turn off the toggle switch DHCP server.

Change the default gateway on the private subnet

When creating a private subnet for default gateway the first free IP address is reserved. For example, for a subnet with CIDR 192.168.0.0/24 will be reserved 192.168.0.1.

The default gateway can be changed by creating a private network, adding a subnet to the network or for an existing private subnet.

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Open the private network page → tab Subnetworks.
  4. In the subnet card, open the block Automatic network settings.
  5. In the field Subnet Gateway click .
  6. Enter a new value for the default gateway IP address.
  7. Click .
  8. Apply the changes. To do this update the network settings on devices in the subnetwork.

Change DNS servers on a private subnet

When you create a private subnet on devices, the subnet is automatically assigned to the devices Selectel recursive DNS servers. DNS servers can be changed by creating a private subnet and adding a subnet to the network or for an existing private subnet.

To change the DNS servers on the global router subnet file a ticket.

  1. in control panels from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Private networks.
  3. Open the private network page → tab Subnetworks.
  4. In the subnet card, open the block Automatic network settings.
  5. In the field DNS server addresses click .
  6. Enter one to three values.
  7. Click .
  8. Apply the changes. To do this update the network settings on devices in the subnetwork.

Connect a subnet to the cloud router

For private subnets to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.

To set up access to and from the Internet for devices on private subnets using a cloud router, use these instructions Set up access to and from the Internet.

  1. in control panels from the top menu, press Products and select Cloud servers.

  2. Go to the section Network → tab Cloud routers.

  3. Open the router card.

  4. Click Add a subnet.

  5. Select a private subnet or a global router subnet.

  6. Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. You can view the gateway in control panels: from the top menu, press ProductsCloud serversNetwork → tab Private networks → network page → tab Subnetworks → subnet card → block Automatic network settings → field Subnet Gateway.

    If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and be different from the global router's IP address, the IP addresses of devices on the network, and service addresses .253 and .254.

  7. Click Add a subnet.

Disconnect the subnet from the cloud router

  1. In control panel from the top menu, press Products and select Cloud servers.
  2. Go to the section Network → tab Cloud routers.
  3. Open the router card.
  4. On the menu of the private subnet, select Delete port.
  5. Click Delete.

Connect a private network to a global router

When you connect a private network to a global router, all subnets belonging to that network will be connected to the router. All subnets will communicate on the L3 layer.

A private network will have a tag Глобальный роутер. You will only be able to manage the network and subnets of the global router in the global router section of the control panels: from the top menu, press ProductsGlobal router.

The Global Router subnet will automatically create three service ports for network equipment.

  1. Verify that the subnets on the private network are appropriate:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
    • have a size of at least /29, as three addresses will be occupied by Selectel network equipment;
    • do not overlap with other networks and subnets that are connected to this global router (IP addresses in the subnets must not overlap);
    • if Managed Kubernetes cluster nodes will be connected to the global router network, subnets do not overlap with ranges 10.250.0.0/16, 10.10.0.0/16 and 10.96.0.0/12. These subnets participate in the internal addressing of Managed Kubernetes, their use may cause conflicts in the global router network.

  2. in control panels from the top menu, press ProductsCloud servers.

  3. Go to the section Network → tab Private networks.

  4. On the menu networks select Connect to a global router.

  5. Select an existing global router or create a new one.

  6. For each subnet, enter the gateway IP address that will be assigned to the global router. Do not assign this address to devices to avoid disrupting the network.

  7. Optional: Change the service IP addresses that are assigned automatically to reserve the global router.

  8. Click Connect. Do not close the window until the network is connected.

Disconnect the private network from the global router

  1. in control panels from the top menu, press ProductsCloud servers.
  2. Go to the section Network → tab Private networks.
  3. On the menu networks select Disconnect from the global router.
  4. Enter the name of the network to confirm disconnection.
  5. Click Disconnect. Do not close the window until the network is disconnected.

Delete a private network or subnet

Devices that prohibit deletion of a network or subnetwork

A private network or private subnet cannot be deleted if the network is connected to a global router, DHCP is enabled on the subnet, or there are devices that prohibit deletion:

  • a cloud router that receives traffic for the public IP address of one of the devices on the network;
  • a cloud router that uses a subnet port in the static routes;
  • database cluster;
  • Cluster Managed Kubernetes;
  • file storage;
  • Cloud load balancer.

At subnetting or networks When uninstalling through the control panel, you need to remove these devices, disconnect the subnet from the global router, and disable DHCP. If you delete using the OpenStack CLI, you must delete all network or subnet ports.

Delete private subnet

When deleting a private subnet, you must delete all ports in it.

  1. in control panels from the top menu, press Products and select Cloud servers.

  2. Go to the section Network → tab Private networks.

  3. If the private network card has the tag Global routerdisconnect it from the global router:

    3.1 In the menu networks select Disconnect from the global router.

    3.2 Enter the network name to confirm disconnection.

    3.3. Press Disconnect. Do not close the window until the network is disconnected.

  4. If DHCP is enabled on the subnet, turn it off:

    4.1 Open the private network page → tab Subnetworks.

    4.2 In the subnet card, open the block Automatic network settings.

    4.3 Turn off the toggle switch DHCP server.

  5. Open the private network page → tab Ports.

  6. Delete all ports on the subnet. To do this, in the row of each port, click .

  7. If the button is inactive in the port card and the port is connected prohibition device. Remove this device and return to step 1.

    Use the instructions to remove the device:

  8. Open the tab Subnetworks.

  9. In the subnet card, click .

  10. Click Delete.

  11. Click Delete.

Delete private network

The subnets created in the network will be deleted along with the network.

  1. in control panels from the top menu, press Products and select Cloud servers.

  2. Go to the section Network → tab Private networks.

  3. If there is a tag in the network card Global routerdisconnect it from the global router:

    3.1 In the menu networks select Disconnect from the global router.

    3.2 Enter the network name to confirm disconnection.

    3.3. Press Disconnect. Do not close the window until the network is disconnected.

  4. If DHCP is enabled on the subnet, turn it off:

    4.1 Open the network page → tab Subnetworks.

    4.2 In the subnet card, open the block Automatic network settings.

    4.3 Turn off the toggle switch DHCP server.

  5. Make sure there is no devices that prohibit the removal of the network:

    5.1. Open the network page → tab Ports.

    5.2 If the button is inactive in the port card If a device that prohibits network removal is connected to the port. Remove this device and return to step 1.

    Use the instructions to remove the device:

  6. From the top menu, press Products and select Cloud servers.

  7. Go to the section Network → tab Private networks.

  8. On the menu networks select Remove the network.