Setting Up a Private Network with Internet Access in OpenStack

Setting up a private network with internet access in OpenStack is a fundamental networking task that allows your instances to communicate securely within an isolated network while maintaining connectivity to the public internet. This guide walks you through the complete process using both the Horizon dashboard and the OpenStack CLI.

A private network provides isolation and security for your cloud resources, while a router with an external gateway enables outbound internet access. Floating IPs allow inbound access to specific instances when needed. This architecture is essential for production workloads that require both security and connectivity.

Prerequisites

Before you begin, ensure you have:

  • Access to an OpenStack cloud environment
  • Appropriate permissions to create networks, routers, and instances
  • An external network configured by your cloud administrator
  • Basic understanding of networking concepts (subnets, CIDR notation, gateways)

Using the Horizon Dashboard

Step 1: Create a Private Network and Subnet

The first step is to create a private network that will isolate your instances from other tenants and provide a secure communication channel.

  1. Log in to the Horizon dashboard
  2. Navigate to Project > Network > Networks
  3. Click Create Network in the top right
  4. In the Network tab:
  • Network Name: Enter a descriptive name (e.g., "private-network")
  • Enable Admin State: Check this box
  • Create Subnet: Ensure this is checked
  • Click Next
  5. In the Subnet tab:
  • Subnet Name: Enter a name (e.g., "private-subnet")
  • Network Address: Enter a private IP range in CIDR notation (e.g., "192.168.100.0/24")
  • IP Version: Select IPv4
  • Gateway IP: Leave blank to auto-assign, or specify (e.g., "192.168.100.1")
  • Click Next
  6. In the Subnet Details tab:
  • Enable DHCP: Check this box to automatically assign IP addresses
  • Allocation Pools: Optionally specify IP ranges (e.g., "192.168.100.10,192.168.100.200")
  • DNS Name Servers: Enter DNS servers (e.g., "8.8.8.8" and "8.8.4.4" on separate lines)
  • Host Routes: Leave empty unless you need custom routes
  • Click Create

Your private network is now created. You should see it listed in the Networks page.

Step 2: Create a Router and Set the External Gateway

A router connects your private network to the external network, enabling internet access for your instances.

  1. Navigate to Project > Network > Routers
  2. Click Create Router
  3. In the Create Router dialog:
  • Router Name: Enter a descriptive name (e.g., "private-router")
  • Enable Admin State: Check this box
  • External Network: Select the external network from the dropdown (usually named "public" or "external")
  • Availability Zone Hints: Leave default unless specified by your administrator
  • Click Create Router

The router is now connected to the external network, which provides the gateway for outbound internet traffic.

Step 3: Add the Private Subnet as an Interface

Now you need to connect your private network to the router so instances can route traffic through it.

  1. In the Routers list, click on your router name (e.g., "private-router")
  2. Click on the Interfaces tab
  3. Click Add Interface
  4. In the Add Interface dialog:
  • Subnet: Select your private subnet from the dropdown (e.g., "private-subnet: 192.168.100.0/24")
  • IP Address: Leave blank to auto-assign, or specify an IP from your subnet range
  • Click Submit

You should now see the interface listed with an IP address from your private subnet range (typically the gateway IP, e.g., 192.168.100.1).

Step 4: Launch an Instance on the Private Network

With your network infrastructure in place, you can now launch an instance that will use this private network.

  1. Navigate to Project > Compute > Instances
  2. Click Launch Instance
  3. Complete the launch wizard:
  • Details: Provide instance name and select availability zone
  • Source: Select your boot source (image or volume)
  • Flavor: Choose appropriate instance size
  • Networks: Click the + button next to your private network (e.g., "private-network")
  • Security Groups: Select or create appropriate security group (covered in next step)
  • Key Pair: Select your SSH key pair for access
  4. Click Launch Instance

The instance will launch with a private IP address from your subnet range.

Step 5: Create and Configure a Security Group

Security groups act as virtual firewalls, controlling inbound and outbound traffic to your instances.

  1. Navigate to Project > Network > Security Groups
  2. Click Create Security Group
  3. Enter a name and description (e.g., "web-server-sg")
  4. Click Create Security Group
  5. Click Manage Rules for your new security group
  6. Add rules for required traffic:
  • SSH Access: Click Add Rule
    • Rule: SSH
    • Remote: CIDR
    • CIDR: Enter the source range allowed to connect (e.g., "0.0.0.0/0" allows any IP; restricting it to your own IP or range limits SSH exposure)
    • Click Add
  • HTTP Access (if needed): Click Add Rule
    • Rule: HTTP
    • Remote: CIDR
    • CIDR: 0.0.0.0/0
    • Click Add
  • HTTPS Access (if needed): Follow same process for HTTPS
  • ICMP (Ping): Click Add Rule
    • Rule: All ICMP
    • Direction: Ingress
    • Remote: CIDR
    • CIDR: 0.0.0.0/0
    • Click Add
  7. Associate the security group with your instance:
  • Navigate to Project > Compute > Instances
  • Click the dropdown arrow next to your instance
  • Select Edit Security Groups
  • Move your security group from Available to Instance Security Groups
  • Click Save

Step 6: Allocate and Assign a Floating IP

Floating IPs provide public IP addresses that can be associated with your instances for external access.

  1. Navigate to Project > Network > Floating IPs
  2. Click Allocate IP To Project
  3. In the allocation dialog:
  • Pool: Select the external network
  • Description: Optionally add a description
  • Click Allocate IP
  4. Locate the newly allocated floating IP in the list
  5. Click Associate in the Actions column
  6. In the Manage Floating IP Associations dialog:
  • Port to be associated: Select your instance's private IP from the dropdown
  • Click Associate

Your instance now has both a private IP (for internal communication) and a public floating IP (for external access).

Step 7: Verify Connectivity

Test that your instance has proper network connectivity:

  1. Verify Private Network Access:
  • From the Instances page, click on your instance name
  • Click the Console tab
  • Log in using your credentials
  • Run ip addr to verify the private IP is assigned
  • Run ping 8.8.8.8 to test outbound internet connectivity
  2. Verify External Access:
  • From your local machine, ping the floating IP: ping <floating-ip>
  • SSH to the instance: ssh <user>@<floating-ip>
  • If using a web server, access it via browser: http://<floating-ip>

If connectivity fails, proceed to the troubleshooting section below.

Troubleshooting Common Issues

Instance Cannot Reach the Internet

Problem: Instance has private IP but cannot ping external addresses.

Solutions:

  • Verify the router has an external gateway set
  • Check that the private subnet is added as a router interface
  • Ensure the router status is "Active"
  • Verify the external network has proper connectivity
  • Check that the default security group allows outbound traffic

Cannot SSH to Instance via Floating IP

Problem: Floating IP is assigned but SSH connection times out or is refused.

Solutions:

  • Verify security group has SSH rule (port 22) with appropriate CIDR
  • Confirm floating IP is properly associated with the instance
  • Check that SSH service is running on the instance (use Console)
  • Verify your SSH key pair is correct
  • Check external network firewall rules with your administrator

Floating IP Association Fails

Problem: Error when trying to associate floating IP with instance.

Solutions:

  • Ensure the instance has a port on the private network
  • Verify the instance is in "Active" state
  • Check that the floating IP pool matches your external network
  • Confirm you have available quota for floating IPs

DHCP Not Assigning IP Addresses

Problem: Instance launches but no IP address is assigned.

Solutions:

  • Verify DHCP is enabled on the subnet
  • Check that the allocation pool has available addresses
  • Ensure the network's admin state is "UP"
  • Restart the instance networking or reboot

Using the OpenStack CLI

For users who prefer command-line tools or need to automate network setup, here's the complete workflow using the OpenStack CLI.

Prerequisites

Install the OpenStack client and authenticate:

pip install python-openstackclient
source openrc.sh

Complete CLI Workflow

1. Create the private network:

openstack network create private-network

2. Create the subnet:

openstack subnet create private-subnet \
  --network private-network \
  --subnet-range 192.168.100.0/24 \
  --gateway 192.168.100.1 \
  --dns-nameserver 8.8.8.8 \
  --dns-nameserver 8.8.4.4 \
  --allocation-pool start=192.168.100.10,end=192.168.100.200

3. Create the router and set external gateway:

# List available external networks
openstack network list --external

# Create router with external gateway
openstack router create private-router
openstack router set private-router --external-gateway <external-network-name>

4. Add subnet interface to router:

openstack router add subnet private-router private-subnet

5. Verify router configuration:

openstack router show private-router
openstack port list --router private-router

6. Create security group and rules:

# Create security group
openstack security group create web-server-sg --description "Web server security group"

# Add SSH rule
openstack security group rule create web-server-sg \
  --protocol tcp \
  --dst-port 22 \
  --remote-ip 0.0.0.0/0

# Add HTTP rule
openstack security group rule create web-server-sg \
  --protocol tcp \
  --dst-port 80 \
  --remote-ip 0.0.0.0/0

# Add HTTPS rule
openstack security group rule create web-server-sg \
  --protocol tcp \
  --dst-port 443 \
  --remote-ip 0.0.0.0/0

# Add ICMP rule (ping)
openstack security group rule create web-server-sg \
  --protocol icmp \
  --remote-ip 0.0.0.0/0

7. Launch instance on private network:

openstack server create \
  --flavor m1.small \
  --image ubuntu-20.04 \
  --network private-network \
  --security-group web-server-sg \
  --key-name my-keypair \
  my-instance

8. Allocate and assign floating IP:

# Create floating IP
openstack floating ip create <external-network-name>

# List the floating IP (note the address)
openstack floating ip list

# Assign to instance
openstack server add floating ip my-instance <floating-ip-address>

9. Verify instance networking:

# Check instance details
openstack server show my-instance

# List ports and IPs
openstack port list --server my-instance

# Test connectivity
ping <floating-ip-address>
ssh ubuntu@<floating-ip-address>
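
The rule set in step 6 opens SSH and ICMP to 0.0.0.0/0. The script below is an added example, not part of the original guide: it creates the same web-server-sg rules but limits SSH and ping to an administrative CIDR and refuses overly broad ranges. ADMIN_CIDR, MIN_PREFIX, DRY_RUN, the script name and the 203.0.113.0/24 sample range are assumptions of the example.

```shell
#!/bin/sh
# Added example: scope the SSH/ICMP rules from step 6 to an admin CIDR.
# ADMIN_CIDR, MIN_PREFIX and DRY_RUN are assumptions of this example.
SG_NAME="web-server-sg"          # security group name used in the guide
MIN_PREFIX="${MIN_PREFIX:-24}"   # assumed policy: source must be /24 or narrower
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = run them

# Succeed only for a well-formed IPv4 CIDR no broader than /MIN_PREFIX.
valid_admin_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                 # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# SSH and ping from the admin CIDR only; web ports stay open to any source.
create_rules() {
    admin_cidr=$1
    if ! valid_admin_cidr "$admin_cidr"; then
        echo "refusing '$admin_cidr': need IPv4 CIDR, /$MIN_PREFIX or narrower" >&2
        return 1
    fi
    run openstack security group rule create "$SG_NAME" \
        --protocol tcp --dst-port 22 --remote-ip "$admin_cidr"
    run openstack security group rule create "$SG_NAME" \
        --protocol icmp --remote-ip "$admin_cidr"
    for port in 80 443; do
        run openstack security group rule create "$SG_NAME" \
            --protocol tcp --dst-port "$port" --remote-ip 0.0.0.0/0
    done
}

# Constructed sample: ADMIN_CIDR=203.0.113.0/24 sh harden-sg.sh
if [ -n "${ADMIN_CIDR:-}" ]; then create_rules "$ADMIN_CIDR"; fi
```

With the default DRY_RUN=1 the script only prints the commands; set DRY_RUN=0 after sourcing openrc.sh to apply them.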

Useful CLI Commands for Management

List all network components:

openstack network list
openstack subnet list
openstack router list
openstack floating ip list
openstack security group list

View detailed configuration:

openstack network show private-network
openstack subnet show private-subnet
openstack router show private-router

Clean up resources:

# Remove floating IP
openstack server remove floating ip my-instance <floating-ip-address>
openstack floating ip delete <floating-ip-address>

# Delete instance
openstack server delete my-instance

# Remove router interface and delete router
openstack router remove subnet private-router private-subnet
openstack router unset private-router --external-gateway
openstack router delete private-router

# Delete network (this also deletes its subnet)
openstack network delete private-network

Conclusion

You have successfully created a private network with internet access in OpenStack. Your instances can now communicate securely within the private network while accessing the internet through the router's external gateway. Floating IPs provide selective external access to specific instances as needed.

This networking architecture provides a solid foundation for deploying production workloads in OpenStack. You can extend this setup by adding additional networks, implementing network segmentation, or configuring more advanced routing scenarios based on your requirements.

For production environments, consider implementing additional security measures such as network ACLs, stricter security group rules, and network monitoring to ensure your infrastructure remains secure and performant.