
Allocating and Assigning Floating IPs in OpenStack

Introduction

Floating IPs provide external network access to your OpenStack instances, allowing them to communicate with the internet and be reached from outside your private cloud network. Without a floating IP, instances remain isolated on private networks accessible only within your project.

This guide walks through the complete process of allocating floating IPs from the available pool, associating them with instances or specific ports, managing their lifecycle, and understanding the networking prerequisites that make floating IPs work correctly.

Understanding Floating IPs vs Fixed IPs

Before allocating floating IPs, you need to understand the difference between fixed IPs and floating IPs in OpenStack networking.

Fixed IPs are IP addresses automatically assigned when you attach an instance to a network. These addresses come from the subnet's CIDR range and remain stable throughout the instance lifecycle. The type of Fixed IP assigned depends on the network the instance is attached to: instances attached to private networks receive private Fixed IPs, while instances attached to public/external networks receive public Fixed IPs. Private Fixed IPs allow instances to communicate within your private network but cannot be accessed from the internet without a floating IP.

Floating IPs are public IP addresses allocated from an external network pool. These addresses can be associated with and disassociated from instances dynamically, allowing you to move public access between instances without reconfiguring external DNS or firewall rules.

The key distinction is that fixed IPs provide internal connectivity while floating IPs provide external accessibility. Every instance needs at least one fixed IP, but floating IPs are optional and only required when external access is necessary.

Why Floating IPs Require a Router with External Gateway

A common source of confusion is discovering that floating IPs do not work without proper network infrastructure in place. Specifically, your project network must be connected to an external network through a router configured with an external gateway.

How Floating IP Traffic Flows

When external traffic arrives at a floating IP, OpenStack uses network address translation (NAT) at the router level to forward packets to the instance's fixed IP on the private network. Without a router connecting your private network to the external network, this NAT translation cannot occur and traffic never reaches your instance.

Think of the router as a bridge between two separate network domains. The external network exists outside your project with public IP addresses. Your private network exists within your project with RFC 1918 private addresses. The router connects these domains and performs the NAT translation that makes floating IPs functional.

Verifying Router Configuration

Before allocating floating IPs, verify that your project has a router with an external gateway configured. In Horizon, navigate to Project > Network > Routers and check that your router shows an external gateway IP address. If no router exists or the router lacks an external gateway, floating IPs will allocate successfully but will not route traffic.

Creating the network infrastructure is typically done during initial project setup. If you are unsure whether your networking is configured correctly, allocate a test floating IP and attempt to ping it from an external host. If the ping fails, review your router configuration.

How to Allocate a Floating IP in Horizon Dashboard

Horizon dashboard provides a visual interface for managing floating IPs, making it easy to see which IPs are available, allocated, or associated with instances.

Allocating a Floating IP from the Pool

  1. Log into the Horizon dashboard
  2. Navigate to Project > Network > Floating IPs
  3. Click the Allocate IP To Project button in the upper right
  4. In the allocation dialog, select the pool from which to allocate the IP
  5. The pool dropdown typically shows the name of your external network
  6. Leave the description field empty or add a note about intended usage
  7. Click Allocate IP

The floating IP appears in the list with a status of "Down" and no associated instance. The IP is now reserved for your project and will not be allocated to other projects until you release it back to the pool.

Viewing Allocated Floating IPs

The floating IPs table shows all IPs allocated to your project with the following information:

IP Address - The public IP address allocated from the external network pool

Mapped Fixed IP Address - The Fixed IP of the instance currently associated with this floating IP, or blank if unassociated

Status - Either "Active" when associated with a running instance or "Down" when unassociated

Pool - The external network pool from which this IP was allocated

Actions - Available operations like Associate, Disassociate, and Release

How to Associate a Floating IP with an Instance in Horizon Dashboard

After allocating a floating IP, you need to associate it with an instance to enable external access.

Associating via Floating IPs Page

  1. Log into the Horizon dashboard
  2. Navigate to Project > Network > Floating IPs
  3. Locate the unassociated floating IP in the list
  4. Click the Associate button in the Actions column
  5. In the association dialog, select the target instance from the Port to be associated dropdown
  6. The dropdown shows available instances and their fixed IP addresses
  7. If an instance has multiple network interfaces, each appears as a separate option
  8. Select the desired instance and fixed IP combination
  9. Click Associate

The floating IP status changes to "Active" and the Mapped Fixed IP Address column shows which instance fixed IP is associated.

Associating via Instance Actions

You can also associate floating IPs directly from the instances list:

  1. Navigate to Project > Compute > Instances
  2. Locate the target instance in the instances list
  3. Click the dropdown arrow on the right side of the instance row
  4. Select Associate Floating IP from the dropdown menu
  5. In the association dialog, use the IP Address dropdown to select an available floating IP
  6. If no floating IPs are available, click the + button to allocate a new IP
  7. The Port to be associated field auto-selects the instance's primary network interface
  8. If the instance has multiple interfaces, select the correct one from the dropdown
  9. Click Associate

This approach works well when you are already working with instances and need to quickly assign external access.

How to Associate a Floating IP with a Specific Port in Horizon Dashboard

OpenStack allows associating floating IPs with specific network ports rather than instances directly. This approach provides more control when instances have multiple network interfaces.

Understanding Ports vs Instances

In OpenStack networking, ports represent the virtual network interface connection between an instance and a network. When you attach an instance to a network, OpenStack creates a port with a fixed IP address. Instances with multiple network interfaces have multiple ports, each with its own fixed IP.

Associating a floating IP with a specific port gives you precise control over which network interface receives external traffic. This matters for instances configured with separate interfaces for management traffic, application traffic, and storage traffic.

Associating to a Specific Port

  1. Log into the Horizon dashboard
  2. Navigate to Project > Network > Floating IPs
  3. Click the Associate button for the floating IP
  4. In the Port to be associated dropdown, review the available ports
  5. Each port shows the instance name and fixed IP address in the format: instance-name: 10.0.0.5
  6. Select the port that corresponds to the network interface you want to expose externally
  7. Click Associate

If you need to identify which port corresponds to which interface on a multi-homed instance, navigate to Project > Network > Networks, click the network name, and review the ports table to see the port IDs and their assigned fixed IPs.

How to Disassociate a Floating IP in Horizon Dashboard

Disassociating a floating IP removes external access to the instance but keeps the floating IP allocated to your project for future use.

Disassociating a Floating IP

  1. Log into the Horizon dashboard
  2. Navigate to Project > Network > Floating IPs
  3. Locate the associated floating IP you want to disassociate
  4. Click the Disassociate button in the Actions column
  5. Confirm the disassociation in the confirmation dialog

The floating IP status changes to "Down" and the Mapped Fixed IP Address column becomes empty. The IP remains allocated to your project and available for association with other instances.

When to Disassociate

Use disassociation when you need to temporarily remove external access to an instance without releasing the IP address. Common scenarios include performing maintenance that requires isolating the instance from external traffic, reassigning the floating IP to a different instance in a failover scenario, or troubleshooting network issues by eliminating external traffic as a variable.

Disassociating a floating IP does not affect the instance's internal network connectivity or its fixed IP addresses. Internal communication within your private network continues uninterrupted.

How to Release a Floating IP in Horizon Dashboard

Releasing a floating IP returns it to the external network pool, making it available for allocation by other projects or users.

Releasing a Floating IP

  1. Log into the Horizon dashboard
  2. Navigate to Project > Network > Floating IPs
  3. If the floating IP is currently associated, disassociate it first using the process above
  4. Locate the unassociated floating IP you want to release
  5. Click the Release Floating IP button in the Actions column
  6. Confirm the release in the confirmation dialog

The floating IP disappears from your project's floating IPs list and returns to the available pool. You cannot retrieve this specific IP address again unless you happen to allocate it in a future allocation.

When to Release

Release floating IPs when you no longer need external access to specific instances or when you are decommissioning infrastructure. Releasing unused floating IPs prevents you from being billed for reserved but unutilized public IP addresses.

Many OpenStack deployments charge for floating IP allocations regardless of whether the IPs are associated with running instances. Releasing IPs you do not actively need reduces unnecessary costs.

Before releasing a floating IP, verify that no external services or DNS records point to that IP address. Releasing an IP that is still referenced in external systems will break connectivity and cause service disruptions.
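
The pre-release check described above can be scripted. The following is an added example, not part of the original guide: it takes the JSON from `openstack floating ip list -f json` and a DNS export, then separates unassociated IPs that are safe to release from those a record still references, and lists records that point at addresses the project no longer holds. The field names, sample addresses and record names are constructed assumptions, and the DNS export is assumed to contain only records meant to resolve to this project's floating IPs.

```python
import ipaddress
import json

# Constructed sample; field names are assumed to match the column headers of
# `openstack floating ip list -f json`.
FLOATING_IPS = json.loads("""[
 {"ID": "fip-1", "Floating IP Address": "203.0.113.10", "Fixed IP Address": "10.0.0.5", "Port": "port-1"},
 {"ID": "fip-2", "Floating IP Address": "203.0.113.11", "Fixed IP Address": null, "Port": null},
 {"ID": "fip-3", "Floating IP Address": "203.0.113.12", "Fixed IP Address": null, "Port": null}
]""")

# Constructed DNS export: (record name, address it resolves to).
DNS_RECORDS = [
    ("www.example.test", "203.0.113.10"),
    ("old-api.example.test", "203.0.113.11"),
    ("legacy.example.test", "203.0.113.99"),
]


def release_plan(floating_ips, dns_records):
    """Classify floating IPs and DNS records before any release.

    release  - unassociated IPs that no DNS record references
    blocked  - unassociated IPs still referenced; fix DNS first
    dangling - records pointing at addresses not allocated to the project
    """
    names_by_addr = {}
    for name, addr in dns_records:
        # ip_address() normalises notation, so equivalent IPv6 spellings match.
        names_by_addr.setdefault(ipaddress.ip_address(addr), []).append(name)

    plan = {"release": [], "blocked": {}, "dangling": {}}
    allocated = set()
    for fip in floating_ips:
        addr = ipaddress.ip_address(fip["Floating IP Address"])
        allocated.add(addr)
        if fip.get("Port"):
            continue  # still associated with a port: not a release candidate
        if addr in names_by_addr:
            plan["blocked"][str(addr)] = names_by_addr[addr]
        else:
            plan["release"].append(str(addr))

    for addr, names in names_by_addr.items():
        if addr not in allocated:
            plan["dangling"][str(addr)] = names
    return plan


if __name__ == "__main__":
    print(json.dumps(release_plan(FLOATING_IPS, DNS_RECORDS), indent=2))
```

Entries under `dangling` deserve attention first, because a released address can be allocated to another project while the record still sends your users to it.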

How to Manage Floating IPs Using OpenStack CLI

The OpenStack CLI provides direct access to floating IP management functions and enables automation through shell scripts or configuration management tools.

Allocating a Floating IP

List available external networks to identify the pool:

openstack network list --external

Allocate a floating IP from a specific external network:

openstack floating ip create <external-network-name>

Allocate with a description:

openstack floating ip create --description "Production web server" <external-network-name>

The command returns details about the allocated IP including the floating IP address, the external network it came from, and its current status.

Listing Floating IPs

List all floating IPs allocated to your project:

openstack floating ip list

Show detailed information about a specific floating IP:

openstack floating ip show <floating-ip-address>

The detailed view includes the associated fixed IP address, port ID, router ID, and project ID, all of which are useful for troubleshooting networking issues.

Associating a Floating IP with an Instance

Method 1: Associate using instance name:

openstack server add floating ip <instance-name> <floating-ip-address>

Method 2: Associate with a specific port:

First, identify the port ID for the target network interface:

openstack port list --server <instance-name>

Then associate the floating IP with that specific port:

openstack floating ip set --port <port-id> <floating-ip-address>

The port-based method gives you precise control when instances have multiple network interfaces and you need to specify which interface should receive the floating IP.

Disassociating a Floating IP

Method 1: Disassociate using instance name:

openstack server remove floating ip <instance-name> <floating-ip-address>

Method 2: Disassociate by unsetting the port:

openstack floating ip set --no-port <floating-ip-address>

Both methods disassociate the floating IP from the instance but keep the IP allocated to your project.

Releasing a Floating IP

Release a floating IP back to the pool:

openstack floating ip delete <floating-ip-address>

Ensure the floating IP is disassociated before attempting to release it. If the IP is still associated, either disassociate it first or use the --force option to disassociate and delete in one operation.

Automating Floating IP Management

The CLI commands can be combined in shell scripts to automate floating IP allocation and assignment during instance provisioning:

#!/bin/bash
# Stop at the first failed command or unset variable
set -euo pipefail

# Allocate floating IP
FLOATING_IP=$(openstack floating ip create external-network -f value -c floating_ip_address)

# Launch instance; --wait blocks until the build finishes
openstack server create --wait --flavor m1.small --image ubuntu-22.04 --network private-network web-server

# Associate floating IP
openstack server add floating ip web-server "$FLOATING_IP"

echo "Instance accessible at $FLOATING_IP"

This pattern streamlines deployment workflows by eliminating manual steps.

Troubleshooting Common Floating IP Issues

Floating IP Not Reachable After Association

If you cannot reach an instance after associating a floating IP, verify the following:

Check security group rules. Ensure the instance's security groups allow inbound traffic on the ports you are trying to reach. By default, security groups block all inbound traffic.

Verify router configuration. Confirm that your project router has an external gateway configured. Without a gateway, floating IPs will associate but traffic will not route.

Test instance connectivity from internal network. Connect to another instance on the same private network and attempt to reach the target instance using its fixed IP. If internal connectivity works but floating IP access fails, the issue is with external routing or security groups.

Check for conflicting floating IPs. Ensure that the floating IP is not accidentally associated with multiple instances, which can occur when using CLI commands incorrectly.

Cannot Allocate Floating IP

If floating IP allocation fails, the external network pool may be exhausted. Contact your cloud administrator to verify that floating IPs are available in the external network pool.

Some OpenStack deployments restrict floating IP allocation based on project quotas. Check your quota using openstack quota show to verify that you have not exceeded your floating IP allocation limit.

Floating IP Shows as "Down" When Associated

A floating IP showing "Down" status while associated to an active instance usually indicates that the instance itself is not responding. Verify that the instance is in the "Active" state and that the guest operating system has finished booting.

Check the instance console log for boot errors and confirm that network interfaces inside the instance are configured correctly. The instance must be actively running and have proper network configuration for the floating IP to show as "Active".

Best Practices for Floating IP Management

Follow these best practices to use floating IPs efficiently and avoid common issues:

Allocate floating IPs only when external access is required. Not every instance needs a floating IP. Use floating IPs for instances that must be accessible from the internet, such as web servers, VPN endpoints, or bastion hosts. Keep application servers and databases on private networks accessed through internal routing.

Use descriptive names or tags for floating IPs. When allocating floating IPs via CLI, include descriptions that indicate the intended purpose. This helps identify which IPs can be safely released during cleanup operations.

Document floating IP assignments. Maintain records of which floating IPs are assigned to which services. When staff turnover occurs or projects evolve over time, this documentation prevents confusion and accidental service disruptions.

Implement proper security groups before associating floating IPs. Configure security group rules to restrict access to only necessary ports before making an instance publicly accessible. Never associate a floating IP to an instance with wide-open security groups.
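
One way to enforce the security group practice above is to audit the rules before association. The following is an added example, not part of the original guide: it reads JSON shaped like the output of `openstack security group rule list --long -f json <group>` and reports ingress rules that accept any source address on ports you did not intend to publish. The field names, rule IDs and the `public_ports` allow-list are constructed assumptions; adjust them to your client version and service.

```python
import ipaddress
import json

# Constructed sample; field names are assumed to match the column headers of
# `openstack security group rule list --long -f json <group>`.
SAMPLE_RULES = json.loads("""[
 {"ID": "rule-a", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "443:443", "Direction": "ingress"},
 {"ID": "rule-b", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress"},
 {"ID": "rule-c", "IP Protocol": "tcp", "IP Range": "203.0.113.0/24", "Port Range": "22:22", "Direction": "ingress"},
 {"ID": "rule-d", "IP Protocol": null, "IP Range": "::/0", "Port Range": "", "Direction": "ingress"},
 {"ID": "rule-e", "IP Protocol": null, "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress"},
 {"ID": "rule-f", "IP Protocol": "tcp", "IP Range": null, "Port Range": "1:65535", "Direction": "ingress", "Remote Security Group": "sg-self"}
]""")


def is_world_open(rule):
    """True when the rule accepts traffic from any source address."""
    if rule.get("Remote Security Group"):
        return False  # source is limited to members of another group
    cidr = rule.get("IP Range")
    if not cidr:
        return True  # no remote prefix and no remote group: any source
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(rule):
    """Return (low, high); an empty port range means every port."""
    text = rule.get("Port Range") or ""
    if not text:
        return 1, 65535
    low, _, high = text.partition(":")
    return int(low), int(high or low)


def exposed_rules(rules, public_ports=frozenset({80, 443})):
    """List (id, protocol, 'low-high') for ingress rules open to any source
    on a TCP/UDP port outside public_ports. ICMP rules are not evaluated."""
    findings = []
    for rule in rules:
        proto = (rule.get("IP Protocol") or "any").lower()
        if rule.get("Direction") != "ingress" or proto not in ("tcp", "udp", "any"):
            continue
        if not is_world_open(rule):
            continue
        low, high = port_span(rule)
        if any(port not in public_ports for port in range(low, high + 1)):
            findings.append((rule["ID"], proto, f"{low}-{high}"))
    return findings


if __name__ == "__main__":
    for finding in exposed_rules(SAMPLE_RULES, public_ports={443}):
        print("review before associating a floating IP:", finding)
```

An empty result is the condition to require before running the association step; any finding should be tightened to a specific source range or removed first.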

Plan for floating IP failover. In high availability scenarios, design your infrastructure so floating IPs can be quickly reassigned to standby instances. Test failover procedures to ensure you can move floating IPs between instances within your target recovery time.

Release unused floating IPs promptly. Review allocated floating IPs regularly and release any that are not actively in use. This reduces costs and returns IPs to the pool for other projects.

Consider DNS integration. Rather than distributing floating IP addresses directly to users, configure DNS records that point to your floating IPs. This allows you to change the underlying IP address by reassigning the floating IP without requiring users to update bookmarks or connection strings.

Summary

Floating IPs provide the external network access that makes OpenStack instances reachable from the internet. Understanding the distinction between fixed IPs and floating IPs, ensuring proper router configuration, and following allocation and association procedures correctly ensures your instances have the connectivity they need.

The Horizon dashboard offers a visual interface for managing floating IPs, while the OpenStack CLI provides automation capabilities for large-scale deployments. Both approaches give you complete control over allocating IPs from pools, associating them with instances or specific ports, disassociating when external access is no longer needed, and releasing IPs back to the pool to optimize resource usage.

Proper floating IP management combined with appropriate security group configuration and network architecture ensures your OpenStack infrastructure remains both accessible and secure.