In order to have internet access on any instance you need to follow all of the steps below.
- Create a virtual router.
- Connect the instance NETWORK to the created router.
- Set the router gateway.
- In this step you need to apply only one of these two options:
  - Assign the default security group to the instance.
  - Associate a floating IP with the instance and assign any security group that allows all egress traffic.
Instance Internet Access - Without assigning the default security group
In the case above we explained how an instance can reach the internet, but step 4 makes it mandatory either to have a floating IP or to assign the default security group. Some use cases have the challenges below.
The Challenges:
- The instance should not need a floating IP assigned to it.
- The default security group contains a rule that allows all ingress traffic from any member of the default group, so we cannot combine internet access for the instances with control over the traffic between the routed instances (east-west traffic).
ALLOW IPv4 any from default
ALLOW IPv6 any from default
The solution:
- Detach the default security group from all instances.
- Add the following rules to the default security group:
ALLOW IPv4 any from <Custom security group ID>
ALLOW IPv6 any from <Custom security group ID>
This can be done through the OpenStack client:
openstack security group list
openstack security group rule create --protocol any --ingress --ethertype IPv4 --remote-group <Custom Security Group ID> <Default Security Group ID>
openstack security group rule create --protocol any --ingress --ethertype IPv6 --remote-group <Custom Security Group ID> <Default Security Group ID>
- Repeat step 2 for each custom security group.
- Attach a custom security group to every instance and allow only the traffic you actually need.
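The following Python script is an added example and is not part of the original page: it generates the rule-creation commands for every custom security group (step 2 repeated per group) and then audits a rule listing of the default security group to confirm that each custom group has both an IPv4 and an IPv6 ingress rule and that no ingress rule is open to an address range rather than bound to a remote group. The security group IDs are placeholders, the rule listing is a constructed sample, and the JSON column names ("Direction", "Ethertype", "Remote Security Group", "IP Range") are an assumption about the output of `openstack security group rule list <ID> -f json`.

```python
import json

# Placeholder IDs for this example; the page does not give real ones.
DEFAULT_SG_ID = "default-sg-placeholder"
CUSTOM_SG_IDS = ["custom-web-placeholder", "custom-db-placeholder"]

# Constructed sample standing in for:
#   openstack security group rule list <Default Security Group ID> -f json
# Column names are an assumption about the client's JSON formatter.
# r1/r2 are the stock egress rules, r3/r4 the IPv4+IPv6 rules for the web
# group, r5 an IPv4-only rule for the db group (IPv6 missing), and r6 an
# ingress rule bound to an address range instead of a remote group.
SAMPLE_RULES_JSON = """
[
 {"ID": "r1", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": null,
  "Port Range": null, "Direction": "egress", "Remote Security Group": null},
 {"ID": "r2", "IP Protocol": null, "Ethertype": "IPv6", "IP Range": null,
  "Port Range": null, "Direction": "egress", "Remote Security Group": null},
 {"ID": "r3", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": null,
  "Port Range": null, "Direction": "ingress",
  "Remote Security Group": "custom-web-placeholder"},
 {"ID": "r4", "IP Protocol": null, "Ethertype": "IPv6", "IP Range": null,
  "Port Range": null, "Direction": "ingress",
  "Remote Security Group": "custom-web-placeholder"},
 {"ID": "r5", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": null,
  "Port Range": null, "Direction": "ingress",
  "Remote Security Group": "custom-db-placeholder"},
 {"ID": "r6", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null}
]
"""
SAMPLE_RULES = json.loads(SAMPLE_RULES_JSON)


def plan_rule_commands(default_sg_id, custom_sg_ids):
    """Build the 'openstack security group rule create' commands that allow
    all ingress into the default group from each custom group, for both
    ethertypes. Returns the commands as strings so they can be reviewed
    before being run."""
    cmds = []
    for custom in custom_sg_ids:
        for ethertype in ("IPv4", "IPv6"):
            cmds.append(
                "openstack security group rule create --protocol any --ingress "
                f"--ethertype {ethertype} --remote-group {custom} {default_sg_id}"
            )
    return cmds


def audit_default_sg(rules, default_sg_id, custom_sg_ids):
    """Check the default group's ingress rules after the change.
    Returns a list of findings; an empty list means the group matches the
    intended layout. Egress rules are left alone: they are what lets the
    instances reach the internet."""
    findings = []
    ingress = [r for r in rules if r.get("Direction") == "ingress"]

    # Any ingress rule that is not bound to a remote group is matched by an
    # address range, which is broader than "from <custom security group>".
    for r in ingress:
        if not r.get("Remote Security Group"):
            findings.append(
                f"ingress rule {r.get('ID')} on {default_sg_id} is open to "
                f"address range {r.get('IP Range') or 'any'}, not a remote group"
            )

    # Each custom group needs one IPv4 and one IPv6 ingress rule.
    for custom in custom_sg_ids:
        have = {r.get("Ethertype") for r in ingress
                if r.get("Remote Security Group") == custom}
        for ethertype in ("IPv4", "IPv6"):
            if ethertype not in have:
                findings.append(f"missing {ethertype} ingress rule from {custom}")
    return findings


if __name__ == "__main__":
    for cmd in plan_rule_commands(DEFAULT_SG_ID, CUSTOM_SG_IDS):
        print(cmd)
    for finding in audit_default_sg(SAMPLE_RULES, DEFAULT_SG_ID, CUSTOM_SG_IDS):
        print("FINDING:", finding)
```

Run the script to print the planned commands and the findings for the sample; in a real environment, feed it the JSON from `openstack security group rule list <Default Security Group ID> -f json` instead of the constructed sample. The stock "ALLOW any from default" rules are not flagged, because after step 1 no instance port is a member of the default group, so they match nothing.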