Basic networking

The connectivity between elements in the cloud and to external networks is created with the objects network, subnet and router. The topology can also be protected by a bastion host with security features such as firewalls and software for attack prevention.


The procedure to set up a private network with with a router to the Internet (represented by an external network) comprises the steps

  1. Create a network

  2. Create a subnet of the network with a private IP range

  3. Create a server with a NIC attached to the subnet

  4. Create router

  5. Add the subnet to the router

  6. Set external gateway

Create network and subnet

When creating a tenant, a local network and subnet may already have been created by default. If there is no such network, or if another network is needed, follow the steps described in this section.

First, in Horizon or from CLI, create a network with a different subnet address range in CIDR notation, for example

The command to create the network is

openstack network create <network-name>

DNS addresses can be assigned directly to the subnet. It is convenient to use the Google addresses and, but any other DNS IP addresses can be used. The subnet with CIDR and DNS addresses can then be created by the command

openstack subnet create --subnet-range --dhcp --network <network-name> --dns-nameserver --dns-nameserver <subnet-name>

In Horizon, select Network/Networks/Create Network to open a dialog window. Choose a network name, and define a subnet by specifying a name and the CIDR IP address range (Figure 1 and 2). Under Subnet Details, enter DNS addresses (Figure 3). Press Create to execute.

Figure 1. Create network - network name.
Figure 2. Create network - CIDR for IPv4.
Figure 3. Create network - DNS name servers.

On any VM, it is possible to configure more than a single network interface controller (NIC). In a physical server, multiple IP addresses are often assigned to a single NIC. The physical limitation is the number of NIC card slots in the server. For virtual NICs, however, no such limitation exists, so a NIC can be added for each IP address. The limitation in the virtualized cloud is the number of PCI bus addresses. This limit can be reached when a server supports multiple domains with separate public IP addresses.

Create router

When creating a tenant, a router may already have been created by default. If there is no router, follow the steps in this section.

Please note that in the Beryllium environment, the router cannot be connected to the gateway if a different network router is already connected to it. In other words, the user is not allowed to attach additional ports to an external network.

At this point, we assume that we have a server <server> connected to the subnet <subnet-name>, see Create and manage virtual machines

The router is created by

openstack router create <router-name>

and the local network, or “near end” is connected by adding the subnet

openstack router add subnet <router-name> <subnet-name>

Finally, router connectivity to the Internet is created by setting the external gateway represented by the external network in the tenant

openstack router set <router-name> --external-gateway <external-network>

In Horizon, a router can be created under Network/Routers (Figure 4), after specifying a name and external network.

Figure 4. Create router - name and external network.

After creating the router, click on the router name under Network/Routers and go to the tab Interfaces to add an existing subnet by clicking the button Add Interface (Figure 5).

Figure 5. Add interface to router.

In the menu, select an existing subnet and click Submit (Figure 6).

Figure 6. Add subnet to router.

The router details should now look like in Figure 7.

Figure 7. Configure router - show interface details.

To any chosen instance, it is now possible to attach a new NIC. In Horizon, this action has the menu entry Attach Interface under Instances/Actions (Figure 8).

Figure 8. Attach interface to server.

From the drop-down menu, select the same network just created. To test the NIC, you can verify the connection by pinging the router from the instance


assuming that the router has been assigned IP address (by default the first address in the private IP address range).

Manage floating IP associations

To assign a floating IP address to an instance, first it has to be assigned and associated. List the status of available floating IPs by

openstack floating ip list

If the list is empty, an IP address has to be assigned from <external-network> by

openstack floating ip create <external-network>

Now, associate a floating IP address with an instance by

openstack server add floating ip <server> <ip-address>

The association can then be verified by

openstack floating ip show <ip-address>

Due to the nature of floating IPs These changes take effect immediately.

A floating IP can be associated and disassociated from Networks/Floating IPs (see Figure 9).

Figure 9. Association and disassociation of floating IP.

To associate a non-mapped floating IP to an port on an instance, click on Associate to open the association menu (Figure 10), select desired instance interface, and click Associate.

Figure 10. Association of floating IP to port.

To disassociate a floating IP address from a server, use

openstack server remove floating ip <server> <ip-address>

After this, the same IP address will be available for other associations. In orchestration, floating IPs are usually created from the IP address pool associated with the external network. It is therefore advisable to return unused IP addresses to the pool with

openstack floating ip delete <ip-address>