Create a Network in OpenStack

July 20th, 2018

Because IPv4 addresses are limited, and to isolate the networks of our customers, we are changing our network setup. We don’t assign a public IPv4 address to every instance.
There will be a single external network called “floating-IPv4” (currently “shared-public-IPv4”), acting as a shared public network common to all projects. Once every instance has been migrated to the new setup, NO instance will be able to connect to this network. Before spawning any instances, you need to create at least one private network, using the procedure described in this blog post. Instances can then be created and connected to the private network.
Instances created on the private network don’t get direct connectivity to the external world. To be able to communicate with your instances, you need to assign a floating IP to them. You can reduce the number of floating IPs you use by configuring SSH forwarding on one of your instances to access the other instances in the same private network.
Not every instance needs an IP reachable from the internet, and with this private network setup your network is isolated from the networks and instances of other users and from the internet. A private network belongs to only one project, but one project can have several private networks.


Network Setup

Create a network:

openstack network create demo-network


Create a subnet inside the new network. You can choose any network range and allocation pool range you like, but they should be in the private IP address range. You are also free to choose the DNS nameserver you prefer.

openstack subnet create demo-subnet --network demo-network --subnet-range --gateway --allocation-pool start=,end= --dns-nameserver

Now create a router to connect the private `demo-network` to the public `floating-IPv4` external network:

openstack router create demo-router
openstack router set --external-gateway floating-IPv4 demo-router
openstack router add subnet demo-router demo-subnet



Spawn instances

Create a security group

Your project comes with a `default` security group. All egress (outgoing) traffic and all communication between members of the default group are allowed, and all ingress (incoming) traffic from outside the default group is dropped.

To access our instances via SSH, we have to create an additional security group that allows port 22. Incoming ICMP traffic can also be allowed so that the instances can be pinged.

openstack security group create ssh
openstack security group rule create --protocol tcp --dst-port 22 --ingress ssh
openstack security group create icmp
openstack security group rule create --protocol icmp icmp



Note: Be careful with the rules you allow. For example, don’t allow ICMP traffic if you don’t need it.

Note: You should restrict the source IP range that has access to the instances.
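
A check for the second note, as an added example that is not part of the original post: it reads security group rules exported as JSON and reports ingress rules that accept any source address. The sample data is constructed, and the JSON column names are assumed to match the headers printed by `openstack security group rule list --long`.

```python
import ipaddress
import json

# Constructed sample in the shape of
# `openstack security group rule list --long -f json`; the column names are
# assumed from the CLI's table headers and every value is made up.
SAMPLE_RULES = json.loads("""[
 {"ID": "r1", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "22:22",
  "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r2", "IP Protocol": "icmp", "IP Range": "0.0.0.0/0", "Port Range": "",
  "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r3", "IP Protocol": "tcp", "IP Range": "203.0.113.0/24", "Port Range": "22:22",
  "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r4", "IP Protocol": null, "IP Range": "0.0.0.0/0", "Port Range": "",
  "Direction": "egress", "Remote Security Group": null},
 {"ID": "r5", "IP Protocol": null, "IP Range": null, "Port Range": "",
  "Direction": "ingress", "Remote Security Group": "sg-default"},
 {"ID": "r6", "IP Protocol": "tcp", "IP Range": "::/0", "Port Range": "22:22",
  "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r7", "IP Protocol": "tcp", "IP Range": null, "Port Range": "80:80",
  "Direction": "ingress", "Remote Security Group": null}
]""")


def is_world_open(rule):
    """Return True for an ingress rule that accepts traffic from any source."""
    if (rule.get("Direction") or "").lower() != "ingress":
        return False                      # egress rules are out of scope here
    if rule.get("Remote Security Group"):
        return False                      # source limited to members of a group
    cidr = rule.get("IP Range")
    if not cidr:
        return True                       # no prefix and no group: any source
    # A /0 prefix (0.0.0.0/0 or ::/0) matches every address.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """List (id, protocol, ports) for every world-open ingress rule."""
    return [(r["ID"], r.get("IP Protocol") or "any", r.get("Port Range") or "any")
            for r in rules if is_world_open(r)]


if __name__ == "__main__":
    for rule_id, proto, ports in audit(SAMPLE_RULES):
        print(f"open to any source: {rule_id} proto={proto} ports={ports}")
```

A rule created with `--remote-ip` set to your own address range, such as the documentation range `203.0.113.0/24` used for `r3`, does not appear in this report.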


Start Instance

  1. a) Use DHCP and get any IP

Start an instance and select the network:

openstack server create --flavor M --image 'Ubuntu 16.04 LTS x64' --key-name demo-key --network demo-network --security-group default --security-group ssh --security-group icmp demo-instance



The instance gets an IP via DHCP from the range specified at subnet creation. To get the private IP of the instance, run:

openstack server show demo-instance

| Field | Value |
| --- | --- |
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2018-07-05T11:31:51.00000 |
| OS-SRV-USG:terminated_at | None |
| addresses | demo-network= |
| created | 2018-07-05T11:28:36Z |
| flavor | M (115) |
| hostId | ad6cd2f4539ff015324bb735396b3b39b29a17007245cca9810dec70 |
| id | 6bddcf6e-d495-4887-9706-4dcfe0ae3ac2 |
| image | Ubuntu 16.04 LTS x64 (5eaf550b-28eb-46bb-a179-31fb5468c2ef) |
| key_name | demo-key |
| name | demo-instance |
| progress | 0 |
| project_id | 62bf1933f89443bdbe4435a2856d1293 |
| security_groups | name='default' |
| status | ACTIVE |
| updated | 2018-07-05T11:32:18Z |
| user_id | fa7ead99172d475eade844e14b0bc57e |


The `addresses` field shows all addresses assigned to the instance.

  1. b) Explicit Ports with defined IPs

The previous procedure assigns a random IP from the subnet range to the instance. To set a specific IP, we have to create a port.


First, create a port on the network. The easiest way is to give it an IP in the DHCP range you defined during the subnet creation. (Otherwise the instance doesn’t get its IP.)

openstack port create --network demo-network --fixed-ip subnet=demo-subnet,ip-address= demo-port

Now create an instance connected to this port:

openstack server create --flavor M --image 'Ubuntu 16.04 LTS x64' --key-name demo-key --port demo-port --security-group default --security-group ssh --security-group icmp demo-instance

Again, you can check the address assigned to your instance by running `openstack server show demo-instance`.

addresses demo-network=,


Access the instance

To access the instance from outside the private network, we have to assign it a floating IP. In this example, is the local address of the instance:

openstack port list | grep
c9e0fdc4-0db4-4f97-a483-77169a0f7b77 fa:16:3e:bb:82:78 ip_address='', subnet_id='bb34a4bd-fd37-4b52-9833-06aabdc69a47' ACTIVE
openstack floating ip create floating-IPv4 --port c9e0fdc4-0db4-4f97-a483-77169a0f7b77


Now you can see the floating IP in the instance details (`openstack server show demo-instance`), and you can ping the instance and SSH into it.

The floating IP is connected to the network port. Technically, the router does the NAT from the floating IP to the private IP, so the operating system running in the instance is not aware of the associated floating IP.

In the standard setup, every project has five floating IPs. If you need more floating IPs, please contact us at