Private subnets and networks

Private networks are L2 segments of the network. At least one private subnet must be created in each private network. Private subnets are ranges of private IP addresses at the L3 level, limited by the CIDR size. If devices are in different private subnets of the same private network, they can communicate directly.

Within different private networks, there can be subnets with the same prefixes (masks), but within the same network, the subnet prefixes must be different. By default, private networks and subnets do not have access to and from the Internet and cannot use public addressing.

To enable private subnets from different networks to communicate, you must connect them to the same cloud router. To organize L3 network connectivity between devices in different pools (including different projects and accounts) or between different services, you must connect private subnets to a global router. The addresses of subnets connected to the same router (cloud or global) must not overlap.

By default, private networks and the subnets belonging to them can only be used within one project and one pool. You can configure private network sharing in different projects within the same account.

Private subnets have a limit on the amount of traffic (bandwidth). You can see it in the Bandwidth table. The default MTU is 1,500 B; you can change the MTU in the private network.

You can work with private subnets and networks in the control panel, using the OpenStack CLI or Terraform.

Automatic private subnet settings

Private subnets specify default settings: default gateway and DNS servers. If you add a device to an existing subnet, the settings are automatically applied to the device. If you change the settings of a subnet that already has devices, you must update the network settings on all devices in the subnet to apply the settings.

Default gateway

When creating a private subnet, the first available IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24, 192.168.0.1 will be reserved as the gateway. The default gateway can be changed when creating a subnet or after creation.

DNS servers

When you create a private subnet, Selectel DNS servers are automatically assigned to the devices in the subnet. DNS servers can be changed when creating a subnet or after the subnet is created.

Static routes

By default, subnets do not have static routes specified. Static routes can be configured for private subnets.

Create a private network

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Click Create Network.
  4. Select the pool where the private network will be created.
  5. Enter the name of the network.
  6. Optional: enter a comment for the network.
  7. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
  8. Optional: To change the IP address of the default gateway, click . Enter a value. Click .
  9. Optional: To change the DNS servers, click . Enter one to three values. Click .
  10. Optional: To enable DHCP, check the Enable DHCP checkbox.
  11. Optional: To add another subnet, click Add Subnet and repeat steps 7-10.
  12. Click Create.

Add a subnet to a private network

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Open the Network page → Subnets tab.
  4. Click Create Subnet.
  5. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
  6. Optional: Change the IP address of the default gateway.
  7. Optional: Change the DNS servers. Enter one to three values.
  8. Optional: To enable DHCP, check the Enable DHCP checkbox.
  9. Click .

Configure private network access in different projects

By default, a private network can only be shared within one project and one pool. You can configure the private network to be shared between different projects within the same account. The network will also be available only within one pool.

A private network will have the CrossProject tag. The network can only be managed in the project in which the subnet is located.

If you need to combine private networks from different pools (including those in different projects and accounts), connect the private network to a global router.

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Copy the ID of the destination project with which you want to share the network. To do this, open the projects menu (name of the current project) and in the project line click .
  4. Make sure you are in the project where the network is located.
  5. Open the Network page → Projects tab.
  6. Click Add Project.
  7. Paste the destination project ID you copied in step 3.
  8. Click .

Enable DHCP on a private subnet

The DHCP protocol can be used to automatically configure the network on devices. It allows you to automatically obtain IP addresses, subnet mask, default gateway, DNS server addresses, and static routes for devices on a private subnet. Devices in a DHCP enabled subnet will automatically request settings from the DHCP server: when the network interface is turned on or when the address lease expires (default is 24 hours).

When DHCP is enabled, two ports for DHCP servers will be created in the subnet: one for the primary and one for the backup. The first two free IP addresses in the subnet will be reserved for the ports. For example, for a subnet with CIDR 192.168.0.0/24, 192.168.0.2 and 192.168.0.3 will be reserved.

DHCP on a private subnet can be enabled when you create a private network, add a subnet to a network, or for an existing private subnet.

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Open the Private Network page → Subnets tab.
  4. In the subnet card, open the Automatic Network Settings block.
  5. Turn on the DHCP server toggle switch.

Disable DHCP on a private subnet

Disabling DHCP on a private subnet frees up two IP addresses that have been reserved for DHCP servers.

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Open the Private Network page → Subnets tab.
  4. In the subnet card, open the Automatic Network Settings block.
  5. Turn off the DHCP server toggle switch.

Change the default gateway on the private subnet

When creating a private subnet, the first available IP address is reserved for the default gateway. For example, 192.168.0.1 will be reserved for a subnet with CIDR 192.168.0.0/24.

The default gateway can be changed when creating a private network, adding a subnet to a network, or for an existing private subnet.

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Open the Private Network page → Subnets tab.
  4. In the subnet card, open the Automatic Network Settings block.
  5. In the Subnet Gateway field, click .
  6. Enter a new value for the default gateway IP address.
  7. Click .
  8. Apply the changes. To do this, update the network settings on the devices in the subnet.

Change DNS servers on a private subnet

When you create a private subnet, Selectel recursive DNS servers are automatically assigned to the devices on the subnet. DNS servers can be changed when creating a private subnet, when adding a subnet to the network, or for an existing private subnet.

To change the DNS servers on the global router subnet, create a ticket.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. Open the Private Network page → Subnets tab.
  4. In the subnet card, open the Automatic Network Settings block.
  5. In the DNS Server Addresses field, click .
  6. Enter one to three values.
  7. Click .
  8. Apply the changes. To do this, update the network settings on the devices in the subnet.

Connect a subnet to the cloud router

For private subnets to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.

To configure access to and from the Internet for devices on private subnets using a cloud router, use the instructions to Configure Access to and from the Internet.

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → Cloud routers tab.

  3. Open the router card.

  4. Click Add Subnet.

  5. Select a private subnet or a global router subnet.

  6. Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. You can view the gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → Private Networks tab → Network page → Subnets tab → Subnet card → Automatic Network Settings block → Subnet Gateway field.

    If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and must be different from the global router IP address, the IP addresses of the devices on the network, and the .253 and .254 service addresses.

  7. Click Add Subnet.

Disconnect the subnet from the cloud router

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Cloud routers tab.
  3. Open the router card.
  4. From the menu of the private subnet, select Delete Port.
  5. Click Delete.

Connect a private network to a global router

When you connect a private network to a global router, all subnets belonging to that network will be connected to the router. All subnets will communicate on the L3 layer.

The private network will have a Global Router tag. You can manage the Global Router network and subnets only in the Global Router section of the Control Panel: from the top menu, click Products → Global Router.

The Global Router subnet will automatically create three service ports for network equipment.

  1. Verify that the subnets on the private network are appropriate:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16;
    • have a size of at least /29, as three addresses will be occupied by Selectel network equipment;
    • do not overlap with other networks and subnets that are connected to this global router (IP addresses in the subnets must not overlap);
    • if Managed Kubernetes cluster nodes will be connected to the global router network, do not overlap with the ranges 10.250.0.0/16, 10.10.0.0/16, and 10.96.0.0/12. These subnets participate in the internal addressing of Managed Kubernetes and their use can cause conflicts in the global router network.
  2. In the control panel, on the top menu, click Products → Cloud Servers.

  3. Go to Network → Private Networks tab.

  4. From the menu of the network, select Connect to Global Router.

  5. Select an existing global router or create a new one.

  6. For each subnet, enter the gateway IP address that will be assigned to the global router. Do not assign this address to devices to avoid disrupting the network.

  7. Optional: Change the service IP addresses that are assigned automatically to reserve the global router.

  8. Click Connect. Do not close the window until the network is connected.
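The checks from step 1 can be run against a planned address layout before connecting a network. The following Python is an added example, not Selectel code: the function name `check_global_router_subnets`, its parameters, and the sample CIDRs are assumptions constructed for illustration, while the ranges come from the checklist in step 1. The same overlap test applies to subnets attached to one cloud router.

```python
import ipaddress

# Ranges from the step 1 checklist.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MKS_INTERNAL = [ipaddress.ip_network(n)
                for n in ("10.250.0.0/16", "10.10.0.0/16", "10.96.0.0/12")]


def check_global_router_subnets(new_cidrs, connected_cidrs=(), kubernetes_nodes=False):
    """Return a list of problems; an empty list means the pre-checks pass.

    new_cidrs        -- subnets of the private network being connected (hypothetical input)
    connected_cidrs  -- subnets already attached to the same global router
    kubernetes_nodes -- True if Managed Kubernetes nodes will use this network
    """
    problems = []
    connected = [ipaddress.ip_network(c) for c in connected_cidrs]
    accepted = []
    for cidr in new_cidrs:
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid CIDR ({exc})")
            continue
        # The version check comes first: subnet_of() raises on mixed IPv4/IPv6.
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{cidr}: outside the RFC 1918 private ranges")
            continue
        if net.prefixlen > 29:
            problems.append(f"{cidr}: smaller than /29")
        # Compare against the router's subnets and earlier entries of this batch.
        for other in connected + accepted:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        if kubernetes_nodes:
            for reserved in MKS_INTERNAL:
                if net.overlaps(reserved):
                    problems.append(f"{cidr}: overlaps Managed Kubernetes range {reserved}")
        accepted.append(net)
    return problems


if __name__ == "__main__":
    # Constructed sample layout, not taken from a real project.
    sample = ["192.168.0.0/24", "10.96.8.0/24", "172.16.5.0/30",
              "192.168.0.128/25", "8.8.8.0/24"]
    for problem in check_global_router_subnets(
            sample, connected_cidrs=["10.0.0.0/16"], kubernetes_nodes=True):
        print(problem)
```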

Disconnect the private network from the global router

  1. In the control panel, on the top menu, click Products → Cloud Servers.
  2. Go to Network → Private Networks tab.
  3. From the menu of the network, select Disconnect from Global Router.
  4. Enter the name of the network to confirm disconnection.
  5. Click Disconnect. Do not close the window until the network is disconnected.

Change the MTU on a private network

When you create a private network, it is set to the default MTU of 1,500 B. You can change the MTU.

If you set the MTU on a network to more than 1,500 B, you will need to reduce the packet size to 1,500 B when sending traffic from that network to the cloud router. For example, you can use PMTUD to do this. The restriction does not apply to TCP sending.

Global router accepts packets up to 8,500 B in size.

  1. Open the OpenStack CLI.

  2. Specify a new MTU value on the network:

    openstack network set \
    --mtu <mtu> \
    <network>

    Specify:

    • <mtu>: new MTU value in B, the maximum value is 8500;
    • <network>: the ID or name of the private network, which can be viewed with the command openstack network list.
  3. Apply the changes. To do this, update the network settings on the devices in the network. You can view the list of devices on the network in the control panel: from the top menu, click Products → Cloud Servers → Network → Private Networks tab → Private Networks page → Ports tab.

Delete a private network or subnet

Devices that prohibit deletion of a network or subnetwork

A private network or private subnet cannot be deleted if the network is connected to a global router, DHCP is enabled on the subnet, or there are devices that prohibit deletion:

  • a cloud router that receives traffic for the public IP address of one of the devices on the network;
  • a cloud router that uses a subnet port in static routes;
  • a database cluster;
  • a Managed Kubernetes cluster;
  • file storage;
  • a cloud load balancer.

When removing a subnet or network through the control panel, you must remove these devices, disconnect the subnet from the global router, and disable DHCP. If you delete using the OpenStack CLI, you must delete all ports on the network or subnet.

Delete private subnet

When deleting a private subnet, you must delete all ports in it.

  1. In the dashboard, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → Private Networks tab.

  3. If the private network card has the Global Router tag, disconnect it from the global router:

    3.1 From the menu of the network, select Disconnect from Global Router.

    3.2 Enter the network name to confirm disconnection.

    3.3 Click Disconnect. Do not close the window until the network is disconnected.

  4. If DHCP is enabled on the subnet, turn it off:

    4.1 Open the Private Network page → Subnets tab.

    4.2 In the subnet card, open the Automatic Network Settings block.

    4.3 Turn off the DHCP server toggle switch.

  5. Open the Private Network page → Ports tab.

  6. Delete all ports in the subnet. To do this, in the row of each port, click .

  7. If the button is inactive in the port card, a device that prohibits removal is connected to the port. Remove this device and return to step 1.

    Use the instructions to remove the device:

  8. Open the Subnets tab.

  9. In the subnet card, click .

  10. Click Delete.

  11. Click Delete.

Delete private network

The subnets created in the network will be deleted along with the network.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → Private Networks tab.

  3. If the network card has the Global Router tag, disconnect it from the global router:

    3.1 From the menu of the network, select Disconnect from Global Router.

    3.2 Enter the network name to confirm disconnection.

    3.3 Click Disconnect. Do not close the window until the network is disconnected.

  4. If DHCP is enabled on the subnet, turn it off:

    4.1 Open the Network page → Subnets tab.

    4.2 In the subnet card, open the Automatic Network Settings block.

    4.3 Turn off the DHCP server toggle switch.

  5. Make sure there are no devices on the network that prohibit network deletion:

    5.1 Open the Network page → Ports tab.

    5.2 If the button is inactive in the port card, a device that prohibits network removal is connected to the port. Remove this device and return to step 1.

    Use the instructions to remove the device:

  6. From the top menu, click Products and select Cloud Servers.

  7. Go to Network → Private Networks tab.

  8. From the menu of the network, select Delete Network.