There are a number of ways to provide servers with internet access. For outbound traffic, this can be achieved with a floating IP, a proxy server, or the SNAT-as-a-Service for internet once it has been activated. Whereas a floating IP is associated with a single instance, multiple instances can share the SNAT service.


The SNAT service has to be activated by project administration and is visible to the OpenStack user as a logical router.

SNAT activation

The SNAT service is implemented by a logical router, which is a separate node from the project-local router. It is visible in the list of routers as snat_juice_<project-name>_external_internet_provider_x (Figure 1).

Figure 1. List of routers in the project.

Router configuration

First, the local network and subnet are created as described in

After the SNAT service has been enabled (by the project administrator), outbound internet access is provided to project instances after adding the subnet to the SNAT logical router:

openstack router add subnet <router-id> <subnet-id>


To test the SNAT service, SSH access to an instance on the SNAT-enabled local network is needed, for example via an SSH proxy command through another instance that has a floating IP.

No configuration is needed on the instance, provided that DNS server information has been added to the subnet declaration. A ping or curl to a public IP address would verify its operation. The SNAT is therefore easier to set up and use than a proxy server, see
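The steps above as one script, added here as an example and not taken from the original documentation. The subnet ID, the user@host arguments and the test URL https://example.org are placeholders, and the router list at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page). Placeholders/assumptions:
# the subnet ID, the user@host values and https://example.org as test URL.

# Read "ID Name" lines (openstack router list -f value -c ID -c Name) and
# print the ID of the SNAT router. Fails unless exactly one name matches the
# snat_juice_<project-name>_external_internet_provider_x pattern, so the
# subnet is never attached to a guessed or ambiguous router.
find_snat_router() {
    awk '$2 ~ /^snat_juice_.+_external_internet_provider_/ { id = $1; n++ }
         END { if (n != 1) exit 1; print id }'
}

# Attach the subnet, then check egress from an instance without a floating IP.
#   $1 subnet ID, $2 user@floating-ip (jump host), $3 user@private-ip (target)
attach_and_verify() {
    snat_router=$(openstack router list -f value -c ID -c Name | find_snat_router) || {
        echo "expected exactly one SNAT router; has SNAT been activated?" >&2
        return 1
    }
    openstack router add subnet "$snat_router" "$1" || return 1
    # ssh -J hops through the floating-IP instance. Fetching by hostname also
    # exercises the DNS servers configured on the subnet.
    ssh -J "$2" "$3" \
        'curl -sS --max-time 10 -o /dev/null -w "%{http_code}\n" https://example.org'
}

# Constructed router list for a dry run of the selection logic.
SAMPLE_ROUTERS='aaaaaaaa-0000-4000-8000-000000000001 demo-local-router
aaaaaaaa-0000-4000-8000-000000000002 snat_juice_demo_external_internet_provider_1'

# Only touches the cloud when called as: sh snat.sh --apply <subnet-id> <jump> <target>
if [ "${1:-}" = "--apply" ]; then
    attach_and_verify "$2" "$3" "$4"
fi
```

A printed status of 200 from the target instance confirms that both name resolution and outbound traffic work through the SNAT router.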