OVH Private (vRack) Networks

We're generally fans of OVH Cloud - it's simple, it's cost-effective and they have some interesting options and features available. One of those features is, of course, private networks, which they call vRack.

Private networks make it possible to have your OVH servers communicate with each other via a direct connection, rather than needing to use the Internet. You can also create servers that are entirely internal, which keeps them out of reach of direct threats from the Internet.

OVH's vRack also provides VLANs. This is essentially a way to have multiple separate private networks. This sounds cool, and plenty of people probably use this feature, but given OVH is quite a "small" cloud, we're left wondering just how useful it really is.

Slightly strangely, you can't really see much of your private networks with the standard UI. You can use Horizon (the OpenStack UI) to get a bit closer, or else use the API (perhaps with Terraform). However you decide to proceed, things seem unnecessarily confusing. A gateway is optional, but it seems to be something they want you to have: to turn it off you have to set no_gateway to true. You can have a DHCP service and define the range of IPs it uses, so you can mix fixed and DHCP addressing if you like. Once DHCP gives you an address, it never changes.

It's worth noting that OVH has no "NAT Gateway" or similar. If the servers on your private networks need Internet access, you either have to give each of them an Internet IP, or else construct a "router" that provides Internet access for all your private servers. This all seems simple enough: after all, you can just create a server and set it up as a router. Making that a resilient service, however, is a good deal trickier.
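The do-it-yourself router described above comes down to IP forwarding plus source NAT on a server attached to both Ext-Net and the private network. As an added example (not from the original post or from OVH), this shell script renders an nftables ruleset that masquerades outbound traffic and refuses to forward anything the private side did not initiate; the interface names ens3/ens4 and the 10.0.0.0/24 range are assumptions.

```shell
#!/bin/sh
# Added example: nftables ruleset for a do-it-yourself NAT router.
# Interface names and CIDR are caller-supplied assumptions, not OVH defaults.

# valid_cidr4 CIDR: succeed only for a.b.c.d/len with octets <= 255, len <= 32
valid_cidr4() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/" at all
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*.) return 1 ;; esac     # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_ifname NAME: Linux interface names are at most 15 characters
valid_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# render_nat_ruleset PRIVATE_CIDR WAN_IF LAN_IF: print the ruleset, or fail
# without output if an argument could smuggle extra nft statements.
render_nat_ruleset() {
    valid_cidr4 "$1" && valid_ifname "$2" && valid_ifname "$3" || return 1
    cat <<EOF
table inet router_filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$3" oifname "$2" ip saddr $1 accept
  }
}
table ip router_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$2" ip saddr $1 masquerade
  }
}
EOF
}

# Constructed sample values; on the router, pipe this into "nft -f -" and
# enable forwarding with "sysctl -w net.ipv4.ip_forward=1".
render_nat_ruleset 10.0.0.0/24 ens3 ens4
```

Servers on the private network still need a default route pointing at the router's private address.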

Another gotcha is that if you change your mind about needing a gateway (or not), you have to disconnect everything from the network before you can make the change. This is a real drawback, and probably best resolved by creating a whole new network and migrating to it - quite a lot of work for a seemingly simple change, and one that always causes some disruption.

Terraform

Getting down to some code, setting up a private network is pretty simple:

# Create a private network
resource "ovh_cloud_project_network_private" "network" {
  service_name = var.ovh_cloud_project_id
  name         = "my-private-network"
  vlan_id      = 0                 # VLAN ID for vRack
}

# Create a subnet in the previously created private network
resource "ovh_cloud_project_network_private_subnet" "subnet" {
  service_name = var.ovh_cloud_project_id
  network_id   = ovh_cloud_project_network_private.network.id
  start        = var.dhcp_start   # First IP of the DHCP allocation range
  end          = var.dhcp_end     # Last IP of the DHCP allocation range
  network      = var.network_cidr # Subnet range in CIDR notation
  dhcp         = true             # Enables DHCP
  no_gateway   = true             # true = No default gateway
  region       = var.region
}

Once you have a private network, you can add it to servers you create. For example, something like this:

resource "openstack_compute_instance_v2" "server" {
  name        = var.name
  image_name  = var.image
  flavor_name = var.type
  key_pair    = var.keypair
  region      = var.region

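  # Public interface; when present it is the server's default interface
  network {
    name = "Ext-Net"
  }

  # Additional interface on the private (vRack) network
  network {
    name = ovh_cloud_project_network_private.network.name
  }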
}

Here we're creating a server with an Internet connection (Ext-Net), which if specified is always the "default interface" of the server. We've additionally asked for an interface connected to the private network. We can do this as many times as we like to connect to as many private networks as we like.

Conclusions

Creating private networks in OVH Cloud isn't hard, but it's a lot harder than it ought to be. Making changes to private networks is similarly problematic and seems to always cause disruption. There are no "NAT gateway" type options, so getting from the private networks to the Internet is a do-it-yourself proposition.

Pre-Emptive can help with clouds, networks, routing and firewalling. Contact us to see how we can help you.