Private subnets and networks

Private networks are L2 segments of the network. At least one private subnet must be created in each private network. Private subnets are ranges of private IP addresses at the L3 level, limited by the CIDR size. If devices are in different private subnets of the same private network, they can communicate directly.

Within different private networks, there can be subnets with the same prefixes (masks), but within the same network, the subnet prefixes must be different. By default, private networks and subnets do not have access to and from the Internet and cannot use public addressing.

For private subnets from different networks to communicate, they must be connected to the same cloud router. To organize network connectivity at the L3 level between devices in different pools (including different projects and accounts) or between different services, you need to connect private subnets to the global router. The addresses of subnets connected to the same router (cloud or global) must not overlap.

By default, private networks and the subnets belonging to them can only be used within a single project and one pool. You can set up private network sharing in different projects within the same account.

Within private subnets there are limits on the amount of traffic — bandwidth. You can see it in the table Throughput.

You can work with private subnets and networks in the control panel, with the OpenStack CLI, or with Terraform.

Automatic private subnet settings

Private subnets specify default settings: default gateway and DNS servers. If you add a device to an existing subnet, the settings are automatically applied to the device. If you change the settings of a subnet that already has devices on it, you need to update network settings on all devices on the subnet.

Default gateway

When creating a private subnet, the first available IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24, the address 192.168.0.1 will be reserved for the gateway. The default gateway can be changed when creating the subnet or after creation.

DNS servers

When you create a private subnet, Selectel DNS servers are automatically assigned to the devices in the subnet. You can change the DNS servers when creating the subnet or after creation.

Static routes

By default, subnets do not have static routes specified. For private subnets, you can configure static routes.

Create a private network

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Click Create a network.
  4. Select the pool in which the private network will be created.
  5. Enter the name of the network.
  6. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
  7. Optional: to enable DHCP, check the Enable DHCP checkbox.
  8. Optional: to change the default gateway IP address, press . Enter a value. Press .
  9. Optional: to change DNS servers, press . Enter one to three values. Press .
  10. Click Create.

Add a subnet to a private network

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the network card → tab Subnetworks.
  4. Click Add a subnet.
  5. Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
  6. Optional: to enable DHCP, check the Enable DHCP checkbox.
  7. Optional: to change the default gateway IP address, press . Enter a value. Press .
  8. Click Add a subnet.

Configure private network access in different projects

By default, a private network can only be used within a single project and one pool. You can set up private network sharing in different projects within the same account. The network will also be available only within the same pool.

A shared private network will have the tag Кросспроектная ("cross-project"). You will only be able to manage the network in the project in which the subnet is located.

If you need to combine private networks from different pools (including in different projects and accounts), connect the private network to a global router.

  1. In the control panel, go to Cloud platform.
  2. Copy the ID of the destination project with which you want to share the network. To do this, open the projects menu (the name of the current project) and in the line of the desired project press .
  3. Make sure that you are in the project in which the network is located. To do this, open the projects menu (name of the current project) and select the source project.
  4. Go to the section Cloud platform → Network.
  5. Open the tab Private networks.
  6. Open the network card → tab Projects.
  7. Click Add project.
  8. Paste the destination project ID you copied in step 2.
  9. Click .

Enable DHCP on a private subnet

The DHCP protocol can be used to automatically configure the network on devices. It allows devices on a private subnet to automatically obtain IP addresses, the subnet mask, the default gateway, DNS server addresses, and static routes. Devices in a DHCP-enabled subnet automatically request settings from the DHCP server when the network interface is turned on or when the address lease expires (default is 24 hours).

When DHCP is enabled, two ports for DHCP servers will be created in the subnet: one for the primary and one for the backup. The first two free IP addresses in the subnet will be reserved for the ports. For example, for a subnet with CIDR 192.168.0.0/24, the addresses 192.168.0.2 and 192.168.0.3 will be reserved.

DHCP on a private subnet can be enabled when creating a private network, when adding a subnet to the network, or for an existing private subnet.

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the private network card → tab Subnetworks.
  4. In the private subnet line, turn on the toggle switch DHCP.

Disable DHCP on a private subnet

Disabling DHCP on a private subnet frees up two IP addresses that have been reserved for DHCP servers.

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the private network card → tab Subnetworks.
  4. In the private subnet line, turn off the toggle switch DHCP.

Change the default gateway on the private subnet

When a private subnet is created, the first free IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24, the address 192.168.0.1 will be reserved.

The default gateway can be changed when creating a private network, when adding a subnet to the network, or for an existing private subnet.

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the private network card → tab Subnetworks.
  4. In the menu of the private subnet, select Change the gateway.
  5. Enter a new value for the default gateway IP address.
  6. Click .
  7. Apply the changes. To do this, update the network settings on devices in the subnet.

Change DNS servers on a private subnet

When you create a private subnet, Selectel recursive DNS servers are automatically assigned to the devices in the subnet. DNS servers can be changed when creating a private subnet and adding a subnet to the network, or for an existing private subnet.

To change the DNS servers on the global router subnet, file a ticket.

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the private network card → tab Subnetworks.
  4. In the subnet row, in the column DNS servers click .
  5. Enter one to three values.
  6. Click .
  7. Apply the changes. To do this, update the network settings on devices in the subnet.

Connect a subnet to the cloud router

For private subnets to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.

To set up access to and from the Internet for devices on private subnets using a cloud router, follow the instructions in Set up access to and from the Internet.

  1. In the control panel, go to Cloud platform → Network.

  2. Open the tab Routers.

  3. Open the router card.

  4. Click Add a subnet.

  5. Select a private subnet or a global router subnet.

  6. Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. To view the default gateway on the private subnet, click the tab Private networks → network card → tab Subnetworks → subnet row → column Gateway.

    If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and be different from the global router's IP address, the IP addresses of devices on the network, and the service addresses .253 and .254.

  7. Click Add a subnet.

Disconnect the subnet from the cloud router

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Routers.
  3. Open the router card.
  4. In the menu of the private subnet, select Delete port.
  5. Click Delete.

Connect a private network to a global router

When you connect a private network to a global router, all subnets belonging to that network will be connected to the router. All subnets will communicate on the L3 layer.

A private network will have the tag Глобальный роутер ("global router"). It will only be possible to manage the network and subnets of the global router in the control panel under Network services → Selectel Global Router.

Three service ports for network equipment will be created automatically in the global router subnet.

  1. Verify that the subnets on the private network are appropriate:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
    • have a size of at least /29, as three addresses will be occupied by Selectel network equipment;
    • do not overlap with other networks and subnets that are connected to this global router (IP addresses in the subnets must not overlap);
    • if Managed Kubernetes cluster nodes will be connected to the global router network, do not overlap with the ranges 10.250.0.0/16, 10.10.0.0/16 and 10.96.0.0/12. These subnets participate in the internal addressing of Managed Kubernetes; using them may cause conflicts in the global router network.
  2. In the control panel, go to Cloud platform → Network.

  3. Open the tab Private networks.

  4. In the menu of the network, select Connect to a global router.

  5. Select an existing global router or create a new one.

  6. For each subnet, enter the gateway IP address that will be assigned to the global router. Do not assign this address to devices to avoid disrupting the network.

  7. Optional: Change the service IP addresses that are assigned automatically to reserve the global router.

  8. Click Connect. Do not close the window until the network is connected.

Disconnect the private network from the global router

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. In the menu of the network, select Disconnect from the global router.
  4. Enter the name of the network to confirm disconnection.
  5. Click Disconnect. Do not close the window until the network is disconnected.

Delete private subnet

Before deleting a private subnet, you must delete all ports in it.

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the private network card → tab Ports.
  4. Delete all ports on the subnet. To do this, in the row of each port, click .
  5. Open the tab Subnetworks.
  6. In the menu of the private subnet, select Delete subnet.
  7. Click Delete.

Delete private network

Before deleting a private network, you must delete all ports on private subnets belonging to the network.

  1. In the control panel, go to Cloud platform → Network.
  2. Open the tab Private networks.
  3. Open the private network card → tab Ports.
  4. Delete all ports in the subnets belonging to the network. To do this, in the row of each port, click .
  5. In the menu of the private network, select Remove the network.
  6. Click Delete.