Private subnets and networks
Private networks are L2 segments of the network. At least one private subnet must be created in each private network. Private subnets are ranges of private IP addresses at the L3 level, limited by the CIDR size. If devices are in different private subnets of the same private network, they can communicate directly.
Within different private networks, there can be subnets with the same prefixes (masks), but within the same network, the subnet prefixes must be different. By default, private networks and subnets do not have access to and from the Internet and cannot use public addressing.
In order for private subnets from different networks to communicate, they must be connect to the same cloud router. To organize network connectivity at the L3 level between devices in different pools (including different projects and accounts) or between different services, you need to connect private subnets to the global router. The addresses of subnets connected to the same router (cloud or global) must not overlap.
By default, private networks and the subnets belonging to them can only be used within a single projects and one pool. You can Set up private network sharing in different projects within the same account.
Within private subnets there are limits on the amount of traffic — bandwidth. You can see it in the table Throughput.
You can work with private subnets and networks in the control panels with the help of OpenStack CLI or Terraform.
Automatic private subnet settings
Private subnets specify default settings: default gateway and DNS servers. If you add a device to an existing subnet, the settings are automatically applied to the device. If you change the settings of a subnet that already has devices on it, you need to update network settings on all devices on the subnet.
Default gateway
When creating a private subnet, the first available IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24
the gateway will be reserved 192.168.0.1
. The default gateway can be changed by subnetting or modify after creation.
DNS servers
When you create a private subnet on the devices in the subnet, Selectel DNS servers are automatically assigned to the subnet. You can change the DNS servers by subnetting or modify after creation.
Static routes
By default, subnets do not have static routes specified. For private subnets, you can configure static routes.
Create a private network
Control panel
OpenStack CLI
- In control panels go to Cloud platform → Network.
- Open the tab Private networks.
- Click Create a network.
- Select pool in which a private network will be created.
- Enter the name of the network.
- Optional: enter a comment for the network.
- Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
- Optional: to change the IP address default gateway, press . Enter a value. Press .
- Optional: to change DNS servers, press . Enter one to three values. Press .
- Optional: To enable DHCP, check the checkbox. Enable DHCP.
- Optional: to add another subnet, press Add a subnet and go to step 7.
- Click Create.
-
Create a private network:
openstack network create <network_name>
Specify
<network_name>
— private network name.
Add a subnet to a private network
Control panel
OpenStack CLI
- In control panels go to Cloud platform → Network.
- Open the tab Private networks.
- Open the network page → tab Subnetworks.
- Click Create a subnet.
- Enter the subnet's CIDR, which is the range of IP addresses available on the subnet.
- Optional: Change the IP address default gateway.
- Optional: change DNS servers. Enter one to three values.
- Optional: To enable DHCP, check the checkbox. Enable DHCP.
- Click .
-
Create a subnet on the private network:
openstack subnet create \
--subnet-range <cidr> \
[--dhcp | --no-dhcp] \
--gateway <gateway> \
--network <network> \
<subnet_name>Specify:
<cidr>
— CIDR of a private subnet, e.g.192.168.0.0/24
;- DHCP option:
--dhcp
— enable DHCP;--no-dhcp
— disable DHCP;
<gateway>
— IP address default gateway for example192.168.0.2
;<network>
— The ID or name of the private network can be viewed with the commandopenstack network list
<subnet_name>
— private subnet name.
Configure private network access in different projects
By default, a private network can only be used within a single projects and one pool. You can set up private network sharing in different projects within the same account. The network will also be available only within the same pool.
A private network will have a tag Кросспроектная
. You will only be able to manage the network in the project in which the subnet is located.
If you need to combine private networks from different pools (including in different projects and accounts), connect the private network to a global router.
Control panel
- In control panels go to Cloud platform.
- Copy the ID of the destination project with which you want to share the network. To do this, open the projects menu (the name of the current project) and in the line of the desired project press .
- Make sure that you are in the project in which the network is located. To do this, open the projects menu (name of the current project) and select the source project.
- Go to the section Cloud platform → Network.
- Open the tab Private networks.
- Open the network page → tab Projects.
- Click Add project.
- Paste the destination project ID you copied in step 2.
- Click .
Enable DHCP on a private subnet
The DHCP protocol can be used to automatically configure the network on devices. It allows you to automatically obtain IP addresses, subnet mask, default gateway, DNS server addresses, and static routes for devices on a private subnet. Devices in a DHCP enabled subnet will automatically request settings from the DHCP server: when the network interface is turned on or when the address lease expires (default is 24 hours).
When DHCP is enabled, two ports for DHCP servers will be created in the subnet: one for the primary and one for the backup. The first two free IP addresses in the subnet will be reserved for the ports. For example, for a subnet with CIDR 192.168.0.0/24
will be reserved 192.168.0.2
and 192.168.0.3
DHCP on a private subnet can be enabled by creating a private network, adding a subnet to the network or for an existing private subnet.
Control panel
OpenStack CLI
- In control panels go to Cloud platform → Network.
- Open the tab Private networks.
- Open the private network page → tab Subnetworks.
- In the subnet card, expand the block Automatic network settings.
- Turn on the toggle switch DHCP server.
-
Enable DHCP on the private subnet:
openstack subnet set --dhcp <subnet>
Specify
<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
Disable DHCP on a private subnet
Disabling DHCP on a private subnet frees up two IP addresses that have been reserved for DHCP servers.
Control panel
OpenStack CLI
- In control panels go to Cloud platform → Network.
- Open the tab Private networks.
- Open the private network page → tab Subnetworks.
- In the subnet card, expand the block Automatic network settings.
- Turn off the toggle switch DHCP server.
-
Disable DHCP on the private subnet:
openstack subnet set --no-dhcp <subnet>
Specify
<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
Change the default gateway on the private subnet
When creating a private subnet for default gateway the first free IP address is reserved. For example, for a subnet with CIDR 192.168.0.0/24
will be reserved 192.168.0.1
The default gateway can be changed by creating a private network, adding a subnet to the network or for an existing private subnet.
Control panel
OpenStack CLI
- In control panels go to Cloud platform → Network.
- Open the tab Private networks.
- Open the private network page → tab Subnetworks.
- In the subnet card, expand the block Automatic network settings.
- In the field Subnet Gateway click .
- Enter a new value for the default gateway IP address.
- Click .
- Apply the changes. To do this update the network settings on devices in the subnetwork.
-
Delete the existing pool of dedicated IP addresses on the private subnet and add a new pool without the default gateway IP address:
openstack subnet set \
--no-allocation-pool \
--allocation-pool start=<first_pool_ip_address>,end=<last_pool_ip_address> \
<subnet>Specify:
<first_pool_ip_address>
— the first IP address of the new pool;<last_pool_ip_address>
— the last IP address of the new pool. Multiple pools can be added — each pool is added using the option--allocation-pool start=<first_pool_ip_address>,end=<last_pool_ip_address>
<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
-
Specify a new IP address for the default gateway:
openstack subnet set --gateway <gateway> <subnet>
Specify
<gateway>
— The IP address of the default gateway, e.g.192.168.0.5
.Example of changing the gateway IP address to
192.168.0.5
:openstack subnet set \
--no-allocation-pool \
--allocation-pool start=192.168.0.1,end=192.168.0.4 \
--allocation-pool start=192.168.0.6,end=192.168.0.254 \
--gateway 192.168.0.5 \
1c6e70ea-db7e-4d2f-bf76-4cab8f0cf52a -
Apply the changes. To do this update the network settings on devices in the subnetwork.
Change DNS servers on a private subnet
When you create a private subnet on devices, the subnet is automatically assigned to the devices Selectel recursive DNS servers. DNS servers can be changed by creating a private subnet and adding a subnet to the network or for an existing private subnet.
To change the DNS servers on the global router subnet file a ticket.
Control panel
OpenStack CLI
- In control panels go to Cloud platform → Network.
- Open the tab Private networks.
- Open the private network page → tab Subnetworks.
- In the subnet card, expand the block Automatic network settings.
- In the field DNS server addresses click .
- Enter one to three values.
- Click .
- Apply the changes. To do this update the network settings on devices in the subnetwork.
-
If you need to completely replace the list of DNS servers, delete the IP addresses of the specified DNS servers and add new ones:
openstack subnet set \
--no-dns-nameservers \
--dns-nameserver <dns_server> \
<subnet>Specify:
<dns_server>
— IP address of the DNS server. You can add several DNS servers — each is added using the option--dns-nameserver <dns_server>
;<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
Example of changing the default DNS servers to
192.0.2.3
and192.0.2.4
:openstack subnet set \
--no-dns-nameservers \
--dns-nameserver 192.0.2.3 \
--dns-nameserver 192.0.2.4 \
<subnet> -
If you need to complete the list of DNS servers, add the IP addresses of the new DNS servers:
openstack subnet set \
--dns-nameserver <dns_server> \
<subnet>Specify:
<dns_server>
— IP address of the DNS server. You can add several DNS servers — each is added using the option--dns-nameserver <dns_server>
;<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
-
Apply the changes. To do this update the network settings on devices in the subnetwork.
Connect a subnet to the cloud router
For private subnets to communicate with each other, they must be connected to the same cloud router. The subnets must have different CIDRs.
To set up access to and from the Internet for devices on private subnets using a cloud router, use these instructions Set up access to and from the Internet.
Control panel
OpenStack CLI
-
In control panel go to Cloud platform → Network.
-
Open the tab Cloud routers.
-
Open the router card.
-
Click Add a subnet.
-
Select a private subnet or a global router subnet.
-
Enter the IP address of the router. The IP address of the cloud router must match the default gateway of the private subnet. To view the default gateway on the private subnet, click the tab Private networks → network page → tab Subnetworks → subnet card → block Automatic network settings → field Subnet Gateway.
If you are connecting a global router subnet, the IP address of the cloud router must match the default gateway of the global router subnet and be different from the global router's IP address, the IP addresses of devices on the network, and service addresses
.253
and.254
. -
Click Add a subnet.
-
Connect the subnet to the cloud router:
openstack router add subnet <router> <subnet>
Specify:
<router>
— The ID or name of the cloud router, can be viewed using the commandopenstack router list
;<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
Disconnect the subnet from the cloud router
Control panel
OpenStack CLI
- In control panel go to Cloud platform → Network.
- Open the tab Cloud routers.
- Open the router card.
- On the menu. of the private subnet, select Delete port.
- Click Delete.
-
Disconnect the subnet from the cloud router:
openstack router remove subnet <router> <subnet>
Specify:
<router>
— The ID or name of the cloud router, can be viewed using the commandopenstack router list
;<subnet>
— ID or subnet name, can be viewed with the commandopenstack subnet list
Connect a private network to a global router
When you connect a private network to a global router, all subnets belonging to that network will be connected to the router. All subnets will communicate on the L3 layer.
A private network will have a tag Глобальный роутер
. It will only be possible to manage the network and subnets of the global router in the control panels under Network services → Selectel Global Router.
The Global Router subnet will automatically create three service ports for network equipment.
Control panel
-
Verify that the subnets on the private network are appropriate:
- belong to the RFC 1918 private address range:
10.0.0.0/8
,172.16.0.0/12
or192.168.0.0/16
; - have a size of at least /29, as three addresses will be occupied by Selectel network equipment;
- do not overlap with other networks and subnets that are connected to this global router (IP addresses in the subnets must not overlap);
- if Managed Kubernetes cluster nodes will be connected to the global router network, subnets do not overlap with ranges
10.250.0.0/16
,10.10.0.0/16
and10.96.0.0/12
. These subnets participate in the internal addressing of Managed Kubernetes, their use may cause conflicts in the global router network.
- belong to the RFC 1918 private address range:
-
In control panels go to Cloud platform →Network.
-
Open the tab Private networks.
-
On the menu. networks select Connect to a global router.
-
Select an existing global router or create a new one.
-
For each subnet, enter the gateway IP address that will be assigned to the global router. Do not assign this address to devices to avoid disrupting the network.
-
Optional: Change the service IP addresses that are assigned automatically to reserve the global router.
-
Click Connect. Do not close the window until the network is connected.
Disconnect the private network from the global router
- In control panels go to Cloud platform →Network.
- Open the tab Private networks.
- On the menu. networks select Disconnect from the global router.
- Enter the name of the network to confirm disconnection.
- Click Disconnect. Do not close the window until the network is disconnected.
Delete a private network or subnet
Devices that prohibit deletion of a network or subnetwork
A private network or private subnet cannot be deleted if the network is connected to a global router, DHCP is enabled on the subnet, or there are devices that prohibit deletion:
- a cloud router that receives traffic for the public IP address of one of the devices on the network;
- a cloud router that uses a subnet port in the static routes;
- database cluster;
- Cluster Managed Kubernetes;
- file storage;
- Cloud load balancer.
At subnetting or networks You need to remove these devices through the control panel, disconnect the subnet from the global router, and disable DHCP. If you delete using the OpenStack CLI, you must delete all network or subnet ports.
Delete private subnet
When deleting a private subnet, you must delete all ports in it.
Control panel
OpenStack CLI
-
In control panels go to Cloud platform → Network.
-
Open the tab Private networks.
-
If the private network card has the tag Global routerdisconnect it from the global router:
3.1 In the menu networks select Disconnect from the global router.
3.2 Enter the network name to confirm the disconnection.
3.3. Press Disconnect. Do not close the window until the network is disconnected.
-
If DHCP is enabled on the subnet, turn it off:
4.1 Open the private network page → tab Subnetworks.
4.2 In the subnet card, expand the block Automatic network settings.
4.3 Turn off the toggle switch DHCP server.
-
Open the private network page → tab Ports.
-
Delete all ports on the subnet. To do this, in the row of each port, click .
-
If the button is inactive in the port card and the port is connected prohibition device. Remove this device and return to step 1.
Use the instructions to remove the device:
-
Open the tab Subnetworks.
-
In the subnet card, click .
-
Click Delete.
-
Confirm the deletion.
-
Remove all ports on the private subnet:
openstack port delete <port>
Specify
<port>
— ID or port name, can be viewed with the commandopenstack port list
-
Delete the private subnet:
openstack subnet delete <subnet>
Specify
<subnet>
— ID or private subnet name, can be viewed with the commandopenstack subnet list
Delete private network
The subnets created in the network will be deleted along with the network.
Control panel
OpenStack CLI
-
In control panels go to Cloud platform → Network.
-
Open the tab Private networks.
-
If there is a tag in the network card Global routerdisconnect it from the global router:
3.1 In the menu networks select Disconnect from the global router.
3.2 Enter the network name to confirm the disconnection.
3.3. Press Disconnect. Do not close the window until the network is disconnected.
-
If DHCP is enabled on the subnet, turn it off:
4.1 Open the network page → tab Subnetworks.
4.2 In the subnet card, expand the block Automatic network settings.
4.3 Turn off the toggle switch DHCP server.
-
Make sure there's no devices that prohibit the removal of the network:
5.1. Open the network page → tab Ports.
5.2 If the button is inactive in the port card If a device that prohibits network removal is connected to the port. Remove this device and return to step 1.
Use the instructions to remove the device:
-
Go to the section Cloud platform → Network.
-
Open the tab Private networks.
-
On the menu. networks select Remove the network.
-
Remove all ports on subnets belonging to the network:
openstack port delete <port>
Specify
<port>
— ID or port name, can be viewed with the commandopenstack port list
-
Delete the private network:
openstack network delete <network>
Specify
<network>
— The ID or name of the private network can be viewed with the commandopenstack network list