Metacentrum Cloud Documentation


Please read the following rules:

  1. If you are using a PERSONAL project you have to use either the 147-251-115-pers-proj-net or 78-128-250-pers-proj-net network to make your instance accessible from an external network (e.g. Internet). Use public-muni-147-251-115-PERSONAL or public-cesnet-78-128-250-PERSONAL for FIP allocation.
  2. If you are using a GROUP project you may choose any of the -GROUP suffix networks for FIP allocation to make your instance accessible from an external network (e.g. Internet).
  3. Violation of network usage may lead to resource removal and reduction of the quotas assigned.

Public networking

In MetaCentrum Cloud (MCC) we support both IPv4 and IPv6. IPv4 allocation policies are based on Floating IPs (FIP). This type of networking requires the user to first connect the virtual network containing a specific VM to the public network before allocating a FIP for that VM. Further information is available in section virtual networking. The IPv6 allocation policy is based on a common public IPv6 network, which can be attached directly to VMs.

If you decide to attach a second interface to your VM, verify that the interface is correctly set up. Older VM images have secondary interfaces down by default, and some images need further configuration to enable IPv6 SLAAC.

Don’t forget to set up security groups accordingly.

IPv4 personal networking

IPv4 networking for personal projects is currently limited to the common internal networks. You can start your machine in network 78-128-250-pers-proj-net or 147-251-115-pers-proj-net and allocate a floating IP address from the pools public-cesnet-78-128-250-PERSONAL and public-muni-147-251-115-PERSONAL respectively. All VMs need to be connected to the same network. You cannot use virtual routers with personal projects. We encourage users to also use IPv6 addresses for long-term use. Unassigned allocated addresses are released daily.

IPv4 group networking

The situation is rather different for group projects. You cannot use the same approach as for personal projects. You should create a virtual network as described in section virtual networking instead and select one of the pools with -GROUP suffix. Namely:

  • public-cesnet-78-128-251-GROUP
  • public-cesnet-195-113-167-GROUP
  • public-muni-147-251-21-GROUP
  • public-muni-147-251-124-GROUP
  • public-muni-147-251-255-GROUP

Addresses that are unassigned for longer than 3 months can be released.

If you use a MUNI account, you can use private-muni-10-16-116 and log into the network via MUNI VPN, or you can set up Proxy networking, which is described in section proxy networking.

IPv6 networking

We have prepared an IPv6 prefix public-muni-v6-432, which is available for both personal and group projects. The network is available as an attachable network for VMs. If your VM does not receive the allocated address, check section obtaining IPv6 address.

Virtual networking

MetaCentrum Cloud offers software-defined networking as one of its services. Users can create their own networks and subnets, connect them with routers and set up tiered network topologies.


  • Basic understanding of routing
  • Basic understanding of TCP/IP

For details, refer to the official documentation.

Network creation

For a group project, you need to create an internal network first. You may use an auto-allocated pool for automatic subnet creation.

Navigate to Network > Networks in the left menu and click Create Network on the right side of the window. This will start an interactive dialog for network creation. Inside the interactive dialog:

  1. Type in the network name
  2. Move to the Subnet section either by clicking Next or by clicking on the Subnet tab. You may choose to enter the network range manually (recommended for advanced users to not interfere with the public IP address ranges), or select Allocate Network Address from a pool. In the Address pool section select private-192-168. Select the Network mask which suits your needs (27 as default can hold up to 29 machines, use an IP calculator if you are not sure).
  3. For the last tab, Subnet Details, just check that a DNS is present and the DHCP box is checked. Alternatively, you can create the allocation pool or specify static routes here (for advanced users).

Create network

openstack network create my-net1

Additional network configuration is available in official CLI documentation.

Create subnet for the network (from auto-allocated pool)

openstack subnet create --network my-net1 --subnet-pool private-192-168 my-sub1

Create subnet for the network (with a manually entered range)

openstack subnet create --network my-net1 --subnet-range <subnet-range-CIDR> my-sub1

Additional subnet configuration is available in official CLI documentation.

Router creation

Navigate to Network > Routers in the left menu and click Create Router on the right side of the window. In the interactive dialog:

  1. Enter router name and select external gateway with the -GROUP suffix.

Now you need to attach your internal network to the router.

  1. Click on the router you just created.
  2. Move to the Interfaces tab and click on the Add interface.
  3. Select a previously created subnet and submit.

Create router

openstack router create my-router1

The router currently has no ports, which makes it pretty useless. We need to create at least 2 interfaces (external and internal).

Assign router as a gateway for created internal network

openstack router add subnet my-router1 my-sub1

Additional router configuration is available in official CLI documentation.

Routers can also be used to route traffic between internal networks. This is an advanced topic not covered in this guide.

Router external gateway assign

If you have no gateway on your router, you can assign a new one.

  1. You can set your gateway by clicking Set Gateway.

  2. Choose the network you desire to use (e.g. public-cesnet-78-128-251) and confirm.

Set external network for the router (let us say public-muni-147-251-255-GROUP), and the external port will be created automatically

openstack router set --external-gateway public-muni-147-251-255-GROUP my-router1

Additional router configuration is available in official CLI documentation.

Router external gateway release

Navigate to Project > Network > Routers. Click the Clear Gateway action of your router. This action will disassociate the external network from your router, so your machines will no longer be able to access the Internet. If you get an error, you need to first Disassociate Floating IPs.

Release external gateway from router

openstack router unset --external-gateway my-router1

Make sure to first release FIPs from the network.

Additional router configuration is available in official CLI documentation.

Associate Floating IPs

Floating IPs are used to assign public IP addresses to VMs.

  1. Go to Project > Network > Floating IPs and click on the Allocate IP to Project button. Select Pool with the same value as the network you chose in the previous step and confirm it by clicking Allocate IP.

  2. Now click on the Associate button next to the Floating IP you just created. Select Port to be associated with the desired instance. Confirm with the Associate button. Repeat this section for all your machines requiring a Floating IP.

Allocate new Floating IPs

openstack floating ip create public-cesnet-78-128-251

And assign it to your server

openstack server add floating ip net-test1 <floating-ip-address>

Additional floating IP configuration is available in official CLI documentation.

The floating IP address must be from the same network pool which was selected as the router network gateway.

Release Floating IPs

Go to Project > Compute > Instances. Click on the menu Actions on the instance you wish to change and Disassociate Floating IP and specify that you wish to Release Floating IP.

WARNING: After this action, your project will no longer be able to use the floating IP address you released. Confirm that you wish to disassociate the floating IP by clicking on the Disassociate button.

Remove existing floating IP

List your servers

$ openstack server list
| ID                                   | Name      | Status | Networks                                              | Image | Flavor         |
| 1a0d4624-5294-425a-af37-a83eb0640e1c | net-test1 | ACTIVE | auto_allocated_network=, |       | standard.small |

Remove floating IPs

$ openstack server remove floating ip net-test1 <floating-ip-address>
$ openstack floating ip delete <floating-ip-address>

Additional floating IP configuration is available in official CLI documentation.

Obtaining IPv6 address

Public IPv6 addresses are assigned via SLAAC. After assigning an interface in OpenStack to your instance, verify that your VM is configured correctly. You can assign the interface by directly connecting your VM to the network upon creation (make sure you set up DNS records if you decide to use only IPv6) or by assigning a secondary interface.

Don’t forget to update your Security Groups.

Go to Project > Compute > Instances. Click on the menu Actions on the instance you wish to change and click on Attach interface.

In the Network dropdown menu select the available IPv6 network.

Get ID of your VM, in this instance named my-vm

VM_ID=$(openstack server list --name my-vm -f value -c ID)

Create port for the network

openstack port create --network public-muni-v6-432 --security-group default --host ${VM_ID} ipv6-port

Additional port configuration is available in official CLI documentation.

Security rules

Security rules in OpenStack serve as a firewall. Security rules are applied directly on VM ports and therefore proper configuration is necessary. Ingress as well as egress rules can be configured using Horizon and CLI. If you can’t connect via SSH or ping your instance, chances are it is because of security rules.

If you delete the default egress rules, your virtual machine will not be able to send outgoing communication. To fix this, add a new egress rule with any IP protocol and port range, and set Remote IP prefix to 0.0.0.0/0 (IPv4) or ::/0 (IPv6).

Create security group

openstack security group create my-security-group

Add rules to your security group

openstack security group rule create --description "Permit SSH" --remote-ip 0.0.0.0/0 --protocol tcp --dst-port 22 --ingress my-security-group
openstack security group rule create --description "Permit SSH IPv6" --remote-ip ::/0 --ethertype IPv6 --protocol tcp --dst-port 22 --ingress my-security-group
openstack security group rule create --description "Permit ICMP (any)" --remote-ip 0.0.0.0/0 --protocol icmp --icmp-type -1 --ingress my-security-group
openstack security group rule create --description "Permit ICMPv6 (any)" --remote-ip ::/0 --ethertype IPv6 --protocol ipv6-icmp --ingress my-security-group

Verify rule

openstack security group show my-security-group

Additional security group configuration is available in official CLI documentation.
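
An added example, not part of the MetaCentrum documentation: a Python check over a security group's rule listing that reports the lost-egress situation described above and every ingress rule that leaves an administrative port reachable from any address. The sample rules are constructed, and the JSON key names and the invocation shown in the comment are assumptions about the client's output format.

```python
import ipaddress
import json

# Constructed sample shaped like the output of (assumed invocation and key names):
#   openstack security group rule list my-security-group --long -f json
SAMPLE_RULES = json.loads("""[
 {"Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0", "Port Range": "22:22"},
 {"Direction": "ingress", "Ethertype": "IPv6", "IP Protocol": "tcp", "IP Range": "::/0", "Port Range": "22:22"},
 {"Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp", "IP Range": "192.168.0.0/27", "Port Range": "5432:5432"},
 {"Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "icmp", "IP Range": "0.0.0.0/0", "Port Range": ""},
 {"Direction": "egress", "Ethertype": "IPv4", "IP Protocol": null, "IP Range": "0.0.0.0/0", "Port Range": ""}
]""")

def is_any(prefix):
    """True when the remote prefix matches every address (0.0.0.0/0, ::/0 or unset)."""
    return not prefix or ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def covers(port_range, port):
    """True when a 'min:max' range includes port; an empty range means all ports."""
    if not port_range:
        return True
    low, _, high = port_range.partition(":")
    return int(low) <= port <= int(high or low)

def audit(rules, admin_ports=(22,)):
    """Return findings: missing allow-all egress per family, then exposed admin ports."""
    findings = []
    for family in ("IPv4", "IPv6"):
        has_egress = any(
            r["Direction"] == "egress" and r["Ethertype"] == family
            and not r["IP Protocol"] and not r["Port Range"] and is_any(r["IP Range"])
            for r in rules)
        if not has_egress:
            findings.append(f"no allow-all {family} egress rule")
    for r in rules:
        if r["Direction"] != "ingress" or not is_any(r["IP Range"]):
            continue
        if r["IP Protocol"] not in (None, "", "any", "tcp"):
            continue  # e.g. icmp: not a TCP service exposure
        for port in admin_ports:
            if covers(r["Port Range"], port):
                findings.append(f"{port}/tcp reachable from {r['IP Range'] or 'any'} ({r['Ethertype']})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Pass the ports you treat as administrative in `admin_ports`; a rule whose remote prefix is narrowed to a specific range no longer appears in the findings.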

Load balancers

Load balancers serve as a proxy between virtualised infrastructure and clients in the outside network. This is essential in OpenStack since it can be used in a scenario where the infrastructure dynamically starts new VMs and adds them into the load balancing pool in order to mitigate inaccessibility of services.

When modifying a load balancer, each operation puts the database into an immutable state. It is therefore recommended to use the --wait switch when creating, editing or removing resources from load balancers.

We are currently observing inaccessibility of some load balancers on floating IP after creation. If this happens, please try to rebuild the load balancer before contacting support.

Provisioning Status

This status represents the overall state of the load balancer backend.

  • ACTIVE: the load balancer backend is working as intended.
  • PENDING: statuses starting with PENDING usually reflect modification of the load balancer, during which the database is in immutable state and thus any additional operations will fail.
  • ERROR: the provisioning has failed. This load balancer can’t be modified and usually is not working. Therefore we encourage our users to remove these load balancers. If this happens more often, please make sure to report this problem at
  • DELETED: entity has been deleted.

Operating status

Operating status is managed by the health monitor service of the load balancer and reflects the availability of the endpoint service.

  • ONLINE: all endpoint services are available.
  • DEGRADED: some endpoint services are not available.
  • ERROR: all endpoint services are unavailable.
  • DRAINING: not accepting new connections.
  • OFFLINE: entity is administratively disabled.
  • NO_MONITOR: health monitor is not configured.

Creating loadbalancers

To create a load balancer, first prepare a pool of VMs with an operational service you wish to balance to. Next, create the load balancer in the same network and assign the pool as well as listeners on specific ports.

  1. Create the load balancer
openstack loadbalancer create --name my_loadbalancer --vip-subnet-id my_subnet_id --wait
  2. Create listeners (e.g. port 80)
openstack loadbalancer listener create --name my_listener --protocol TCP --protocol-port 80 --wait my_loadbalancer
  3. Create LB pools
openstack loadbalancer pool create --name my_pool --lb-algorithm ROUND_ROBIN --listener my_listener --protocol TCP --wait
  4. Create Health Monitors
openstack loadbalancer healthmonitor create --delay 5 --max-retries 3 --timeout 3 --type HTTP --url-path / --wait my_pool
  5. Assign endpoint VMs
openstack loadbalancer member create --address vm_ip_address --protocol-port 80 --wait my_pool

Deleting loadbalancers

When deleting a loadbalancer, first unassign the floating IP address used by the loadbalancer.

To delete the loadbalancer and all its resources, run the command

openstack loadbalancer delete --cascade --wait my_loadbalancer


Creating new networking

Creation of new networking for project can be divided into these steps:

Changing external network

In order to correctly migrate to different external network, you can follow the following steps:

Proxy networking

In your OpenStack instances, you can use private or public networks. If you use a private network and you need to access the internet for updates etc., you can check proxy issues, where proxy connection is explained.

Interface not working

Please verify correct configuration of security groups on your VM. More information is available in section security rules.

Some VM images have additional interfaces turned down by default. In this case, it is necessary to connect to the VM through default interface and enable these interfaces. Known images with this flaw:

  • centos-7-x86_64
  • ubuntu-bionic-x86_64

Usually when you enable the interface, the VM should obtain IPv4 address through DHCP and IPv6 address through SLAAC. If you are able to receive an IPv4 address but not IPv6 address, verify correct configuration of SLAAC on that VM interface. This flaw was spotted on image:

  • centos-8-x86_64