OpenStack Add Floating IPs

Floating IPs are publicly routable addresses that you associate with instances to provide external access. They are mapped via NAT from an external network to an instance's private fixed IP. This guide covers creating, assigning, and managing floating IPs in OpenStack 2024.2 Dalmatian.

How Floating IPs Work

Neutron applies DNAT (destination NAT) and SNAT (source NAT) in the router namespace to map a floating IP to an instance's fixed IP. The floating IP "floats" because it can be moved between instances instantly.

Internet → External Network (floating IP) → Router (NAT) → Tenant Network (fixed IP) → Instance

Prerequisites

| Requirement | Details |
|---|---|
| OpenStack | 2024.2 Dalmatian with Neutron |
| External network | Flat or VLAN network connected to upstream router |
| Router | Neutron router with external gateway set |
| Instance | Running VM on a tenant network attached to the router |

Step 1: Create the External Network

The external network must be created by an admin:

source openrc admin admin

openstack network create \
  --provider-network-type flat \
  --provider-physical-network physnet-ext \
  --external \
  --share \
  external-net

openstack subnet create \
  --network external-net \
  --subnet-range 203.0.113.0/24 \
  --allocation-pool start=203.0.113.100,end=203.0.113.200 \
  --gateway 203.0.113.1 \
  --no-dhcp \
  external-subnet

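The --no-dhcp flag is important: floating IPs are managed by Neutron, not DHCP. The --share flag goes beyond what floating IPs need: --external already lets projects use the network for router gateways and floating IPs, while --share also lets any project attach instance ports directly to it.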

Step 2: Set the Router Gateway

Connect your tenant router to the external network:

openstack router set --external-gateway external-net my-router

Verify:

openstack router show my-router -c external_gateway_info

Step 3: Allocate a Floating IP

# Allocate from the external network pool
openstack floating ip create external-net

Output includes the allocated address:

+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| floating_ip_address | 203.0.113.105                        |
| id                  | abc123-...                           |
+---------------------+--------------------------------------+

To allocate a specific IP:

openstack floating ip create --floating-ip-address 203.0.113.150 external-net

Step 4: Associate with an Instance

openstack server add floating ip my-instance 203.0.113.105

Verify:

openstack server show my-instance -c addresses

Output shows both fixed and floating IPs:

| addresses | tenant-net=192.168.1.10, 203.0.113.105 |

Step 5: Configure Security Groups

Traffic arriving via a floating IP is still filtered by the instance's security groups. Allow inbound SSH, HTTP, and ICMP:

openstack security group rule create --protocol tcp --dst-port 22 default
openstack security group rule create --protocol tcp --dst-port 80 default
openstack security group rule create --protocol icmp default

Test access:

ping 203.0.113.105
ssh ubuntu@203.0.113.105
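
The three rules above omit --remote-ip, so the client defaults them to 0.0.0.0/0 and port 22 is reachable from any source as soon as the floating IP is attached. The check below is an added example, not part of the original guide: it reads a rule listing and reports TCP rules that leave a management port open to any source. The column layout, the MGMT_PORTS list and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ingress TCP rules that expose management ports to any source.
# Input on stdin, one rule per line: "<protocol> <remote-cidr> [<low>:<high>]",
# the shape assumed for this listing of one security group:
#   openstack security group rule list --ingress -f value \
#     -c "IP Protocol" -c "IP Range" -c "Port Range" default
MGMT_PORTS="22 3389"   # assumption: ports treated as management access

world_open_mgmt_rules() {
    awk -v ports="$MGMT_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    $1 != "tcp" { next }                          # ICMP and others: out of scope here
    $2 != "0.0.0.0/0" && $2 != "::/0" { next }    # source is already restricted
    {
        lo = 1; hi = 65535                        # no port range means every port
        if ($3 != "") {
            if (split($3, r, ":") < 2) r[2] = r[1]
            lo = r[1] + 0; hi = r[2] + 0
        }
        for (i = 1; i <= n; i++)
            if (want[i] + 0 >= lo && want[i] + 0 <= hi)
                printf "%s from %s reaches port %s\n", $1, $2, want[i]
    }'
}

# Constructed sample: the three rules from this step plus two for contrast.
sample_rules() {
    cat <<'EOF'
tcp 0.0.0.0/0 22:22
tcp 0.0.0.0/0 80:80
icmp 0.0.0.0/0
tcp 198.51.100.0/24 22:22
tcp ::/0 1:1024
EOF
}

sample_rules | world_open_mgmt_rules
```

To close a finding, recreate the rule with --remote-ip set to the address range you administer from.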

Step 6: Disassociate and Release

Remove a floating IP from an instance:

openstack server remove floating ip my-instance 203.0.113.105

Release it back to the pool:

openstack floating ip delete 203.0.113.105

Step 7: Move a Floating IP Between Instances

Floating IPs can be moved instantly (useful for failover):

openstack server remove floating ip old-instance 203.0.113.105
openstack server add floating ip new-instance 203.0.113.105

This enables manual failover patterns and blue-green deployments.

Managing Floating IP Quotas

# Set quota per project
openstack quota set --floating-ips 10 my-project

# View current usage
openstack floating ip list --project my-project

Floating IPs with Port Forwarding

Instead of a 1:1 floating IP per instance, use port forwarding to share one floating IP across multiple instances:

# Forward port 8080 on the floating IP to port 80 on the instance.
# --port is required: the Neutron port that owns the internal IP address.
openstack floating ip port forwarding create \
  --internal-ip-address 192.168.1.10 \
  --port <instance-port-id> \
  --internal-protocol-port 80 \
  --external-protocol-port 8080 \
  --protocol tcp \
  <floating-ip-id>

Troubleshooting

| Issue | Fix |
|---|---|
| Cannot ping floating IP | Check security group rules allow ICMP |
| SSH timeout | Verify port 22 is open in security group |
| Floating IP not reachable | Ensure router has external gateway and is ACTIVE |
| No floating IPs available | Check allocation pool range and quotas |
| NAT not working | Verify L3 agent is running on the network node |

Summary

Floating IPs provide external access to instances on private tenant networks. They can be moved between instances for failover, and port forwarding enables sharing a single public IP across multiple services.