Skip to main content

VPC in the Context of OpenStack


Many public cloud providers allow you to utilize Virtual Private Clouds (VPC). In this context a VPC is a logically isolated virtual network dedicated to a private cloud account.

While there is currently no 1:1 comparison in OpenStack a simplified version would be as follows.

VPC FeaturesOpenStack Features
DHCP optionsIPAM
Elastic IPFloating IP
Network ACLsNetwork ACLs
Security groupsSecurity groups
Route TableRoute Table

The OpenStack community has a blueprint in place with the goal of creating additional parity with the VPC concept which can be reviewed on the OpenStack Wiki

There is also an ongoing efforts to expand the OpenStack EC2 API and Heat project to that same end.

In future articles we will be delving deeper into OpenStack private cloud resource isolation, and it's relation to public cloud VPCs.

VPC using OpenStack


Projects in OpenStack separate your cloud infrastructure from other workloads. If you have multiple DevOps teams with varying workloads and use cases each team can be provided a project tailored to their resource requirements.


In this context users are any entity requiring access to resources. This may be administrators, regular users or automated tasks and actions requiring varying levels of access to cloud infrastructure. In combination with projects and quotas you are provided with fine-grained control of who and what can access resources while maintaining accountability with comprehensive logging.

Refer to the OpenStack documentation for additional information regarding Managing Projects and Users.


Quotas are operational limits you can use to prevent system capacity exhaustion without notification. Quotas are currently enforced at the project, rather than user, level and are broken down to Image, Compute, and Storage (Object and Block).

The table below (extracted from the OpenStack documentation) summarizes available options for the most commonly implemented limits, Compute Service quotas.

QuotaDescriptionProperty name
Fixed IPsNumber of fixed IP addresses allowed per project. This number must be equal to or greater than the number of allowed instances.fixed-ips
Floating IPsNumber of floating IP addresses allowed per project.floating-ips{.docutils .literal}
Injected file content bytesNumber of content bytes allowed per injected file.injected-file-conten t-bytes
Injected file path bytesNumber of bytes allowed per injected file path.injected-file-path-bytes
Injected filesNumber of injected files allowed per project.injected-files{.docutils .literal}
InstancesNumber of instances allowed per project.instances
Key pairsNumber of key pairs allowed per user.key-pairs
Metadata itemsNumber of metadata items allowed per instance.metadata-items{.docutils .literal}
RAMMegabytes of instance RAM allowed per project.ram
Security group rulesNumber of security group rules per
Security groupsNumber of security groups per{.docutils .literal}
VCPUsNumber of instance cores allowed per project.cores
Server GroupsNumber of server groups per project.server_groups{.docutils .literal}
Server Group MembersNumber of servers per server group.server_group_members

See the upstream documentation for additional information on quota management.


In OpenStack a project provides logical isolation of all resources generated within. Users and roles can be used to provide fine-grained access to specific resources within a project for further isolation. As projects can span resources across all accessible availability zones they provide the core isolation inherent in the virtual private cloud concept.