Private networks and subnets

Private networks are L2 network segments. In each private network, at least one private subnet must be created. Private subnets are ranges of private IP addresses at the L3 level, limited by the CIDR size. If devices are in different private subnets of the same private network, they can communicate directly.

Subnets with the same prefixes (masks) can exist within different private networks, but within a single network, subnet prefixes must be unique. By default, private networks and subnets do not have access to or from the internet, and public addressing cannot be used in them.

For private subnets from different networks to communicate, they must be connected to a single cloud router. To organize L3 network connectivity between devices in different pools (including across different projects and accounts) or between different services, you must connect private subnets to a global router. The addresses of subnets connected to the same router (cloud or global) must not overlap.

In a private network, you can configure DNS so that devices within it can communicate using domain names instead of IP addresses.

By default, private networks and their subnets can only be used within a single project and a single pool. You can configure shared access to the private network across different projects within the same account.

Private subnets have a traffic volume limit (bandwidth); you can view it in the Bandwidth table. The default MTU is 1 500 B; you can change the MTU in a private network.

You can work with private subnets and networks in the control panel, using the OpenStack CLI or Terraform.

Automatic private subnet settings

Each private subnet is created with default settings: a default gateway and public DNS servers. If you add a device to an existing subnet, the settings are applied to it automatically. If you change the settings of a subnet that already contains devices, you must update the network settings on all devices in the subnet to apply the changes.

Default gateway

When creating a private subnet, the first free IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24, 192.168.0.1 will be reserved for the gateway. The default gateway can be changed when creating a subnet or changed after creation.

DNS servers

When you create a private subnet, the public Servercore DNS servers are automatically configured for devices in the subnet. DNS servers can be changed when creating a subnet or changed after creation.

Static routes

By default, no static routes are specified in subnets. For private subnets, you can configure static routes.

Create a private network

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Click Create network.
  4. Select a location where the private network will be created.
  5. Enter the network name.
  6. Optional: enter a comment for the network.
  7. Enter the subnet CIDR — the range of IP addresses available in the subnet.
  8. Optional: to change the default gateway IP address, click . Enter the value. Click .
  9. Optional: to change the DNS servers, click . Enter from one to three values. Click .
  10. Optional: to enable DHCP, check the Enable DHCP box.
  11. Optional: to add another subnet, click Add subnet and repeat steps 7-10.
  12. Click Create.

Add a subnet to the private network

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Open the network page → Subnets tab.
  4. Click Create subnet.
  5. Enter the subnet CIDR — the range of IP addresses available in the subnet.
  6. Optional: change the default gateway IP address.
  7. Optional: change the DNS servers. Enter from one to three values.
  8. Optional: to enable DHCP, check the Enable DHCP box.
  9. Click .

Configure access to the private network in different projects

By default, a private network can only be used within a single project and a single pool. You can configure shared access to the private network across different projects within the same account. The network will still only be available within one pool.

The private network will have a Cross-project tag. You will only be able to manage the network in the project where the subnet is located.

If you need to combine private networks from different pools (including across different projects and accounts), connect the private network to a global router.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Copy the ID of the recipient project that you want to share the network with. To do this, open the projects menu (the current project name) and in the project row, click .
  4. Make sure you are in the project where the network is located.
  5. Open the network page → Projects tab.
  6. Click Add project.
  7. Paste the ID of the recipient project that you copied in step 3.
  8. Click .

Enable DHCP in a private subnet

The DHCP protocol can be used for automatic network configuration on devices. It allows devices in a private subnet to automatically receive IP addresses, a subnet mask, a default gateway, DNS server addresses, and static routes. Devices in a subnet with DHCP enabled will automatically request settings from the DHCP server: upon enabling a network interface or when the address lease expires (default is 24 hours).

When you enable DHCP in a subnet, two ports for DHCP servers will be created: one for the primary server and one for the standby. The first two free IP addresses in the subnet will be reserved for those ports. For example, for a subnet with CIDR 192.168.0.0/24, 192.168.0.2 and 192.168.0.3 will be reserved.

DHCP in a private subnet can be enabled when creating a private network, adding a subnet to a network, or for an existing private subnet.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Open the private network page → Subnets tab.
  4. In the subnet card, open the Automatic network settings block.
  5. Turn on the DHCP server toggle.

Disable DHCP in a private subnet

When you disable DHCP in a private subnet, two IP addresses that were reserved for DHCP servers are released.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Open the private network page → Subnets tab.
  4. In the subnet card, open the Automatic network settings block.
  5. Turn off the DHCP server toggle.

Change the default gateway in a private subnet

When creating a private subnet, the first free IP address is reserved for the default gateway. For example, for a subnet with CIDR 192.168.0.0/24, 192.168.0.1 will be reserved.

The default gateway can be changed when creating a private network, adding a subnet to the network, or for an existing private subnet.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Open the private network page → Subnets tab.
  4. In the subnet card, open the Automatic network settings block.
  5. In the Subnet gateway field, click .
  6. Enter a new value for the default gateway IP address.
  7. Click .
  8. Apply the changes. To do this, update the network settings on the devices in the subnet.

Change DNS servers in a private subnet

When you create a private subnet, the public recursive Servercore DNS servers are automatically configured. DNS servers can be changed when creating a private subnet, when adding a subnet to a network, or for an existing private subnet.

To change DNS servers in a global router subnet, create a ticket.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Open the private network page → Subnets tab.
  4. In the subnet card, open the Automatic network settings block.
  5. In the DNS server addresses field, click .
  6. Enter from one to three values.
  7. Click .
  8. Apply the changes. To do this, update the network settings on the devices in the subnet.

Connect a subnet to a cloud router

For private subnets from different networks to communicate, they must be connected to one cloud router. Subnets must not overlap — they must not contain the same IP addresses.

To configure internet access to and from devices in private subnets using a cloud router, follow the instructions in Configure internet access to and from the network.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → Private networks tab.

  3. Open the network page → Subnets tab.

  4. In the subnet card, in the Cloud router field, click Connect. If the subnet is already connected to a cloud router, you can connect it to another cloud router via the router card.

  5. Select a cloud router — either an existing one or a new one.

  6. Optional: if the router will be used for internet access, check the Connect to internet box. If the router is already connected to the internet, the checkbox is not displayed.

  7. If you chose to create a new router, configure it:

    7.1. Enter the router name.

    7.2. Optional: enter the router IP address. If you do not specify an IP address, one will be automatically selected from the available addresses in the subnet. The cloud router IP address must match the default gateway of the private subnet. You can view the gateway in the control panel: on the top menu, click Products → Cloud Servers → Network → Private networks tab → network page → Subnets tab → subnet card → Automatic network settings block → Subnet gateway field.

  8. Click Connect.

Disconnect a subnet from the cloud router

  1. In the control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to Network → Private networks tab.
  3. Open the private network page → Ports tab. Ports used by cloud routers are marked with a Router tag.
  4. In the row for the cloud router port to which the subnet is connected, click .
  5. Click Delete.

Connect a private network to a global router

When you connect a private network to a global router, all subnets belonging to this network will be connected to it. All subnets will communicate at the L3 level.

The private network will have a Global router tag. You will only be able to manage the global router network and subnets in the global router section in the control panel: on the top menu, click Products → Global router.

Three service ports for network equipment will be automatically created in the global router subnet.

  1. Ensure that the subnets in the private network meet the following conditions:

    • belong to the RFC 1918 private address range: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16;
    • are at least /29 in size, as three addresses will be occupied by Servercore network equipment;
    • do not overlap with other networks and subnets connected to this global router (IP addresses in the subnets must not coincide);
    • if a Managed Kubernetes cluster on cloud servers is added to the global router network, the subnet must not overlap with the 10.10.0.0/16, 10.96.0.0/12, 10.250.0.0/16 and 10.251.0.0/24 ranges. If a cluster on dedicated servers is added to the network, the subnet must not overlap with the 10.10.0.0/16, 10.222.0.0/16, 10.250.0.0/16, 10.251.0.0/24 and 172.250.0.0/14 ranges. These subnets are used for internal Managed Kubernetes addressing, and their use may cause network conflicts in the global router.

  2. In the Control panel, on the top menu, click Products → Cloud Servers.

  3. Go to Network → tab Private networks.

  4. In the network menu, select Connect to Global Router.

  5. Select an existing global router or create a new one.

  6. For each subnet, enter the gateway IP address that will be assigned to the global router. Do not assign this address to devices to avoid disrupting network operation.

  7. Optional: change the service IP addresses that are assigned automatically for global router redundancy.

  8. Click Connect. Do not close the window until the network is connected.
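
The subnet conditions from step 1, together with the rule that subnets connected to the same cloud or global router must not overlap, can be checked before anything is connected. The Python code below is an added example, not Servercore code: the function names `check_subnet` and `find_overlaps` and the `cloud`/`dedicated` keys are assumptions made for illustration, and the sample plan is constructed.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges the page reserves for Managed Kubernetes, keyed by cluster type
# (the keys "cloud" and "dedicated" are names chosen for this example).
K8S_RESERVED = {
    "cloud": ("10.10.0.0/16", "10.96.0.0/12", "10.250.0.0/16", "10.251.0.0/24"),
    "dedicated": ("10.10.0.0/16", "10.222.0.0/16", "10.250.0.0/16",
                  "10.251.0.0/24", "172.250.0.0/14"),
}

def _net(cidr):
    # strict=False: 172.250.0.0/14 as listed has host bits set and would
    # otherwise raise; it is normalised to its enclosing /14.
    return ipaddress.ip_network(cidr, strict=False)

def check_subnet(cidr, connected=(), k8s=None):
    """Return the list of global router conditions that `cidr` violates."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: reject host bits in user input
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        return ["not inside an RFC 1918 range"]
    problems = []
    if net.prefixlen > 29:
        problems.append("smaller than /29")
    problems += [f"overlaps connected subnet {c}"
                 for c in connected if net.overlaps(_net(c))]
    problems += [f"overlaps Managed Kubernetes range {r}"
                 for r in K8S_RESERVED.get(k8s, ()) if net.overlaps(_net(r))]
    return problems

def find_overlaps(cidrs):
    """Pairs of subnets that could not share one cloud or global router."""
    return [(a, b) for a, b in combinations(cidrs, 2)
            if _net(a).overlaps(_net(b))]

if __name__ == "__main__":
    # Constructed sample plan, not taken from a real project.
    plan = ["192.168.0.0/24", "10.100.0.0/24", "10.0.1.0/30", "192.168.0.128/25"]
    for cidr in plan:
        print(cidr, check_subnet(cidr, k8s="cloud") or "ok")
    print("overlapping pairs:", find_overlaps(plan))
```

Pass the subnets already attached to the router as `connected`, and set `k8s` only when a Managed Kubernetes cluster will be added to the network.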

Disconnect a private network from a global router

  1. In the Control panel, on the top menu, click Products → Cloud Servers.
  2. Go to Network → tab Private networks.
  3. In the network menu, select Disconnect from Global Router.
  4. Enter the network name to confirm disconnection.
  5. Click Disconnect. Do not close the window until the network is disconnected.

Change MTU in a private network

When creating a private network, a standard MTU of 1 500 B is set; you can change the MTU.

Cloud Router accepts packets no larger than 1 500 B; larger packets are dropped. If you set the network MTU to more than 1 500 B, you must reduce packet sizes to 1 500 B when sending traffic from this network to the Cloud Router. For example, you can use PMTUD for this. This limitation does not apply to TCP protocol delivery.

Global Router accepts packets of up to 8 500 B.

  1. Open OpenStack CLI.

  2. Specify the new MTU value in the network:

    openstack network set \
    --mtu <mtu> \
    <network>

    Specify:

    • <mtu> — the new MTU value in B; the maximum value is 8500;
    • <network> — the private network ID or name, which can be viewed using the openstack network list.
  3. Apply the changes. To do this, update the network settings on the devices in the network. You can view the list of devices in the network in the Control panel: in the top menu click Products → Cloud Servers → Network → tab Private networks → private network page → tab Ports.

View private network metrics

You can view private network metrics for a cloud server as charts in the control panel.

If no cloud server is added to the private network, metrics are not collected. To collect network metrics, add a cloud server to the subnet via a port.

Values for all metrics are collected every minute. If you have just connected a private network to a cloud server, the first metric values will appear in a few minutes.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → tab Private networks.

  3. Open the private network page → tab Metrics.

  4. Optional: filter the metrics:

    4.1. Select a preset range or specify the period for which you need the metrics.

    4.2. Select UTC time or Local time for the displayed metric time.

  5. View the charts of available network metrics:

    • incoming traffic rate in bits per second;
    • outgoing traffic rate in bits per second;
    • incoming traffic rate in packets per second;
    • outgoing traffic rate in packets per second.

Delete a private network or subnet

Devices that prohibit the deletion of a network or subnet

A private network or private subnet cannot be deleted if the network is connected to a global router, DHCP is enabled in the subnet, or there are devices that prohibit deletion:

  • a Cloud Router that receives traffic for a public IP address of one of the devices in the network;
  • a Cloud Router that uses a subnet port in static routes;
  • database cluster;
  • Managed Kubernetes cluster;
  • file storage;
  • cloud load balancer.

When deleting a subnet or network via the Control panel, you must delete these devices, disconnect the subnet from the global router, and disable DHCP. When deleting via OpenStack CLI, you must delete all network or subnet ports.

Delete a private subnet

When deleting a private subnet, you must delete all ports in it.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → tab Private networks.

  3. If the private network card has the Global Router tag, disconnect it from the global router:

    3.1. In the network menu, select Disconnect from Global Router.

    3.2. Enter the network name to confirm disconnection.

    3.3. Click Disconnect. Do not close the window until the network is disconnected.

  4. If DHCP is enabled in the subnet, disable it:

    4.1. Open the private network page → tab Subnets.

    4.2. In the subnet card, open the Automatic network settings block.

    4.3. Turn off the DHCP server toggle.

  5. Open the private network page → tab Ports.

  6. Delete all subnet ports. To do this, in the row for each port, click .

  7. If the button is inactive in the port card, a device that prohibits deletion is connected to the port. Delete this device and return to step 1.

    Use the following instructions to delete a device:

  8. Open the Subnets tab.

  9. In the subnet card, click .

  10. Click Delete.

  11. Click Delete.

Delete a private network

Along with the network, the subnets created within it will be deleted.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to Network → tab Private networks.

  3. If the network card has the Global Router tag, disconnect it from the global router:

    3.1. In the network menu, select Disconnect from Global Router.

    3.2. Enter the network name to confirm disconnection.

    3.3. Click Disconnect. Do not close the window until the network is disconnected.

  4. If DHCP is enabled in the network subnets, disable it:

    4.1. Open the network page → tab Subnets.

    4.2. In the subnet card, open the Automatic network settings block.

    4.3. Turn off the DHCP server toggle.

    4.4. If the network contains multiple subnets, repeat steps 4.1-4.3 for each of them.

  5. Ensure that there are no devices that prohibit network deletion in the network:

    5.1. Open the network page → tab Ports.

    5.2. If the button is inactive in the port card, a device that prohibits network deletion is connected to the port. Delete this device and return to step 1.

    Use the following instructions to delete a device:

  6. On the top menu, click Products and select Cloud Servers.

  7. Go to Network → tab Private networks.

  8. In the network menu, select Delete network.