L3 services SNAT configuration (EN)

Find out how to configure the SNAT service on Public CLoud

Last updated 2nd November 2022


The purpose of this guide is to describe the Secure Network Address Translation (SNAT) service delivered by L3 services, i.e. the Distributed Virtual Router service for Public Cloud.

The guide explains how to configure SNAT and presents use cases.



What is the SNAT service?

SNAT is one of the services delivered by OpenStack DVR (Distributed Virtual Router) services on an OVHCloud Public Cloud service.

The main function of SNAT service is to enable outbound connections for VMs inside a private network.

Why do I need the SNAT service?

It is safe to keep instances inside a private network if they do not need to expose services to external networks (Internet). However, such instances may need to access the Internet for upgrade purposes (or have other connectivity needs) that are initiated from inside the private network. For these purposes, Gateway in SNAT mode (outbound) is the best to use.

For example: You have an Ubuntu based VM linked to a private network only. Thanks to the SNAT service you can update your Ubuntu packages directly using apt update, since your VM is able to access external and official Ubuntu repository servers on the Internet.

How to configure L3 services SNAT

To enable the SNAT service, you need to:

  • Create a router.
  • Set an external gateway for a router.
  • Add the needed subnet to the router.

This allows any VM created within this private network to access the Internet.

This scenario is covered by the guide Attaching a Floating IP to an instance.

Target configuration architecture


The goal of this exercise is to have a VM (vmpriv) with only a private network (test-network), and to configure our deployment in such a way that vmpriv has external access to the Internet.

To do so, we need to configure the private network (test-network) with a subnet (test-subnet), and create a router (router1) for the SNAT service.

To perform the test, we need a "jump host" VM (vm4fip) through which we will connect to our VM (vmpriv). Since the jump host (vm4fip) will need access to external networks, we will attach a Floating IP to it.

To test the configuration, we will access the VM vm4fip from an external network via SSH, then connect from vm4fip to vmpriv using a private network and eventually check the Internet availability.


Step 1

Create a VM with a Floating IP as explained in this guide.

Step 2

Create a VM with a private network only. In our example, our VM is called vmpriv:

$ openstack server create --image 'Ubuntu 22.04' --flavor s1-8 --key-name test-key --net test-network vmpriv
$ openstack server show vmpriv -c name -c status -c addresses
| Field     | Value                     |
| addresses | test-network= |
| name      | vmpriv                    |
| status    | ACTIVE                    |

Step 3

Copy your SSH private key to your previously created VM with a Floating IP (vm4fip):

$ scp -i ./test-key.rsa ./test-key.rsa ubuntu@

Step 4

Log into your vm4fip ( is the Floating IP):

ssh ubuntu@ -i ./test-key.rsa
The authenticity of host ( can´t be established.
ED25519 key fingerprint is SHA256:ordRAjue1dEp/yJ2ve83MW+ItPznuteEhqAkoG3vEi8.

Step 5

Check if your VM (vmpriv) is available from vm4fip ( is a private IP address attached to vmpriv):

ubuntu@vm4fip:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=4.00 ms
64 bytes from icmp_seq=2 ttl=64 time=0.549 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.549/2.275/4.001/1.726 ms

Step 6

Connect from vm4fip to vmpriv via SSH:

ubuntu@vm4fip:~$ ssh ubuntu@ -i ./test-key.rsa
The authenticity of host ( can´t be established.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update


Step 7

Verify that the VM vmpriv has an external access to the Internet:

ubuntu@vmpriv:~$ sudo resolvectl dns ens3
ubuntu@vmpriv:~$ ping ping.ovh.net -c 1
PING ping.ovh.net ( 56(84) bytes of data.
64 bytes from www.ovh.com ( icmp_seq=1 ttl=56 time=0.854 ms

--- ping.ovh.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.854/0.854/0.854/0.000 ms

The result shows that VM vmpriv has external access to the Internet while being connected to a private network.

Go further

Join our community of users on https://community.ovh.com/en/.

Esta documentação foi-lhe útil?

Não hesite em propor-nos sugestões de melhoria para fazer evoluir este manual.

Imagens, conteúdo, estrutura... Não hesite em dizer-nos porquê para evoluirmos em conjunto!

Os seus pedidos de assistência não serão tratados através deste formulário. Para isso, utilize o formulário "Criar um ticket" .

Obrigado. A sua mensagem foi recebida com sucesso.

Estes manuais também podem ser úteis...

OVHcloud Community

Aceda ao seu espaço comunitário. Coloque as suas questões, procure informações e interaja com outros membros do OVHcloud Community.

Discuss with the OVHcloud community

Em conformidade com a alteração à Diretiva 2006/112/CE, os preços com IVA podem variar de acordo com o país de residência do cliente
(por defeito, os preços com IVA apresentados incluem o IVA português em vigor).