Configure access to and from the Internet

For the cloud server, cloud load balancer, and Managed Database cluster, you can configure access to and from the Internet:

• via a public IP address. To filter incoming traffic, you can use a cloud firewall and security groups;
• via a public subnet. To filter incoming traffic, you can use security groups.

If an Internet-only access is needed for a device without access from the Internet, it can be configured via a cloud router.

Configure access to and from the Internet via a public IP address

To configure access to and from the Internet for devices in a private subnet, you need to connect the subnet to a cloud router with Internet access and connect a public IP address to the device. The cloud router provides 1:1 NAT via an external IP address, which is allocated when the router is connected to the Internet: it organizes Internet access from the private subnet and handles incoming traffic packets for public IP addresses.

You can connect a public IP address when creating a cloud server, creating a cloud load balancer, creating a Managed Database cluster (example for PostgreSQL), and after creation.

The device must be located in a private subnet or a global router subnet that meets the requirements. To prepare the subnet, refer to the guide Prepare a private subnet for connecting a public IP address⁠⁠.

1. Create a public IP address.
2. Create a cloud router with Internet access⁠.
3. Connect the private subnet to the cloud router.
4. Connect a public IP address to the device port in the private subnet.
5. If the subnet gateway does not match the cloud router IP address, configure a static route to the Internet in the subnet.

1. Create a public IP address

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network section → Public IP addresses tab.
3. Click Create IP address.
4. Select the location where the public IP address will be created.
5. Specify the number of public IP addresses — 1.
6. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a public IP address:

   openstack floating ip create external-network

2. Create a cloud router with Internet access⁠

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network section → Cloud Routers tab.
3. Click Create Router.
4. Select the location where the cloud router will be created.
5. Enter the router name.
6. Select the Connect router to the internet checkbox — an external IP address will be assigned to the router.
7. Click Create.

OpenStack CLI

1. Open OpenStack CLI.

2. Create a cloud router:

   openstack router create <router_name>

   Specify:

   • <router_name> — the name of the cloud router; ;
   • optional: --availability-zone-hint <availability_zone> — if the router is being created in the multi-zone pool ru-6, this allows you to select the availability zone where the router will be created. The <availability_zone> parameter is the pool segment, for example, ru-6a.

3. Connect the cloud router to the internet — an external IP address will be assigned to the router:

   openstack router set --external-gateway external-network <router>

   Specify <router> — the ID or name of the cloud router; you can view it using the openstack router list

3. Connect the subnet to the cloud router

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Cloud Routers tab.

3. Open the router page.

4. Click Connect subnet.

5. Select a private subnet or a global router subnet.

6. Optional: enter the router IP address—any available IP address from the subnet. If you do not specify an IP address, one will be automatically selected from the available addresses in the subnet.

   For devices in the subnet to access the internet without additional routes, the cloud router IP address must match the private subnet gateway. If the subnet gateway is already in use, you will need to configure a static route to the internet in the subnet via the cloud router.

   You can view the subnet gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → tab Private networks → network page → tab Subnets → subnet card → block Automatic network settings → field Subnet gateway.

7. Click Connect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the subnet to the cloud router:

   openstack router add subnet <router> <subnet>

   Specify:

   • <router> — ID or name of the cloud router; you can view it with the command openstack router list;
   • <subnet> — ID or name of the private subnet; you can view it with the command openstack subnet list.

4. Connect a public IP address to the device port in the private subnet

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network section → Private networks tab.
3. Open the network page → Ports tab.
4. In the cloud server or load balancer port card, click Connect public IP.
5. Select a public IP address.
6. Click Connect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the public IP address to the port:

   openstack floating ip set --port <port> <public_ip_address>

   Specify:

   • <port> — the ID of the cloud server or load balancer port; you can view it using the openstack port list command;
   • <public_ip_address> — the ID or public IP address; you can view it using the openstack floating ip list command.

5. Configure a static route to the Internet in the subnet

If you specified a router IP address different from the subnet gateway when connecting the subnet to the cloud router, you must configure a static route in the subnet to the Internet via the cloud router. Specify the following when configuring:

• destination subnet — 0.0.0.0/0;
• gateway (next-hop) — the IP address of the cloud router.

Configure access to and from the Internet via a public subnet

To configure access to and from the Internet via a public subnet, you must connect the device to the public subnet. For a load balancer and Managed Database cluster, this can only be done when creating the load balancer and creating the cluster (example for PostgreSQL). A cloud server can be connected to the public subnet either when creating the server or after it is created — to do this, you need to add the cloud server to the public subnet via a port.⁠

1. Create a public subnet.
2. Add the cloud server to the public subnet via a port.

1. Create a public subnet

Control panel

1. In the Control panel, on the top menu click Products and select Cloud Servers.
2. Go to the Network section → Public Networks tab.
3. Click Create subnet.
4. Select the location where the public subnet will be created.
5. Select the subnet size — the range of IP addresses available in the subnet.
6. Optional: to change DNS servers, click . Enter one to three values. Click .
7. Click Create.

2. Add the cloud server to the public subnet via a port

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Open the server page → Ports tab.
3. Click Add port.
4. Select a public subnet.
5. Enter the port IP address.
6. Click Add port.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a port in the public subnet:

   openstack port create \
     --network <subnet> \
     --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
     <port_name>

   Specify:

   • <subnet> — the ID or name of the public subnet; you can view it using the openstack network list command;
   • <port_ip_address> — the port IP address;
   • <port_name> — the port name.

3. Add the port to the cloud server:

   openstack server add port <server> <port>

   Specify:

   • <server> — the ID or name of the cloud server; you can view it using the openstack server list command;
   • <port> — the ID or name of the port; you can view it using the openstack port list command.

Configure Internet access via a cloud router

You can configure Internet access for devices in a private subnet without external access from the Internet.

To do this, you need to connect a cloud router with Internet access to the private subnet or the global router subnet where the device is located. If the cloud router is connected to the Internet, it functions as a 1:1 NAT for access from the private network to the Internet via the router's external IP address. The external address is only used for device-to-Internet access; you cannot connect to devices in the subnet using it.

1. Create a cloud router with Internet access⁠.
2. Connect the private subnet to the cloud router.
3. If the subnet gateway does not match the cloud router IP address, configure a static route to the Internet in the subnet.

1. Create a cloud router with Internet access⁠

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network section → Cloud Routers tab.
3. Click Create Router.
4. Select the location where the cloud router will be created.
5. Enter the router name.
6. Select the Connect router to the internet checkbox — an external IP address will be assigned to the router.
7. Click Create.

OpenStack CLI

1. Open OpenStack CLI.

2. Create a cloud router:

   openstack router create <router_name>

   Specify:

   • <router_name> — the name of the cloud router; ;
   • optional: --availability-zone-hint <availability_zone> — if the router is being created in the multi-zone pool ru-6, this allows you to select the availability zone where the router will be created. The <availability_zone> parameter is the pool segment, for example, ru-6a.

3. Connect the cloud router to the internet — an external IP address will be assigned to the router:

   openstack router set --external-gateway external-network <router>

   Specify <router> — the ID or name of the cloud router; you can view it using the openstack router list

2. Connect the subnet to the cloud router

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Cloud Routers tab.

3. Open the router page.

4. Click Connect subnet.

5. Select a private subnet or a global router subnet.

6. Optional: enter the router IP address—any available IP address from the subnet. If you do not specify an IP address, one will be automatically selected from the available addresses in the subnet.

   For devices in the subnet to access the internet without additional routes, the cloud router IP address must match the private subnet gateway. If the subnet gateway is already in use, you will need to configure a static route to the internet in the subnet via the cloud router.

   You can view the subnet gateway in the control panel: in the top menu, click Products → Cloud Servers → Network → tab Private networks → network page → tab Subnets → subnet card → block Automatic network settings → field Subnet gateway.

7. Click Connect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the subnet to the cloud router:

   openstack router add subnet <router> <subnet>

   Specify:

   • <router> — ID or name of the cloud router; you can view it with the command openstack router list;
   • <subnet> — ID or name of the private subnet; you can view it with the command openstack subnet list.

3. Configure a static route to the Internet in the subnet

If you specified a router address different from the subnet gateway when connecting the subnet to the cloud router, you must configure a static route in the subnet to the Internet via the cloud router. Specify the following when configuring:

• destination subnet — 0.0.0.0/0;
• gateway (next-hop) — the IP address of the cloud router.