OpenStack and Private Cloud

A private cloud gives you cloud-style self-service infrastructure on hardware you control. OpenStack is the leading open-source toolkit for building one. This page explains when a private cloud makes sense and how OpenStack's pieces fit together.

Applies to

Teams evaluating or operating a self-managed IaaS cloud. CLI examples use the unified openstack command-line client against an OpenStack deployment.

What is a private cloud?

A private cloud delivers the same on-demand, API-driven, self-service experience as a public cloud — spin up VMs, networks, and storage in minutes — but the infrastructure is dedicated to a single organisation, usually on hardware you own or lease in your own (or a colocation) data centre.

It contrasts with public cloud (shared infrastructure operated by AWS, Azure, GCP) and sits alongside it in hybrid setups. See AWS, Azure & GCP Overview for the public-cloud side.

When would you run one?

Driver                    Why a private cloud helps
------------------------  ----------------------------------------------------------------------------------------
Control                   Full ownership of hardware, hypervisor, network, and upgrade cadence.
Compliance & sovereignty  Meet regulatory rules that mandate specific controls or audited environments.
Data residency            Keep data within a country or facility you can point to.
Cost at scale             Past a steady, high baseline of usage, owning hardware can beat per-hour public pricing.
Predictable workloads     Always-on, well-understood demand suits owned capacity better than elastic spot pricing.

It is not free

A private cloud trades the public cloud's operational burden for capital cost and a team that designs, runs, patches, and scales it. The break-even is real but rarely small — see the complexity notes below.

What is OpenStack?

OpenStack is a large open-source project for building Infrastructure-as-a-Service clouds. It is not a single program but a collection of cooperating services, each owning one domain (compute, networking, storage, identity, and so on) and exposing a REST API. Together they let you offer self-service VMs, networks, and storage on your own hardware — effectively your own AWS-style control plane.

It is widely used by hosting and telco providers, research institutions, and large enterprises that operate at a scale where running their own cloud pays off.

Core projects

Each OpenStack service has a project name; you will hear these constantly:

Project   Role                                                                Public-cloud analogue
--------  ------------------------------------------------------------------  ---------------------
Keystone  Identity — authentication, tokens, service catalog                  IAM
Nova      Compute — provisions and manages VM instances                       EC2
Neutron   Networking — virtual networks, subnets, routers, security groups    VPC
Cinder    Block storage — persistent volumes attached to instances            EBS
Swift     Object storage — durable, scalable blob storage                     S3
Glance    Image service — stores and serves VM boot images                    AMI registry
Horizon   Dashboard — the web UI for users and operators                      Web console

Many more components exist

These are the core. OpenStack also has Heat (orchestration), Octavia (load balancing), Magnum (Kubernetes), Ironic (bare metal), and others — you deploy only what you need.

High-level architecture

A simplified flow when a user launches a VM:

                 +-----------+        +-----------+
   User / CLI -->|  Horizon  |  or    | openstack |
                 +-----+-----+        +-----+-----+
                       |                    |
                       v                    v
                 +-------------------------------+
                 |   Keystone (auth + catalog)   |
                 +---------------+---------------+
                                 |
        +------------------------+------------------------+
        v                        v                        v
   +---------+              +-----------+            +-----------+
   |  Nova   |  asks for -->|  Glance   |  attaches  |  Cinder   |
   | compute |   image      |  images   |  volume -->|   block   |
   +----+----+              +-----------+            +-----------+
        |  plugs into
        v
   +-----------+
   |  Neutron  |  (networks, routers, security groups)
   +-----------+

Every request is authenticated by Keystone; Nova schedules the VM, pulls its image from Glance, attaches Cinder volumes, and wires it onto a Neutron network. Operators interact through Horizon or the CLI.
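The Keystone step in that flow, as an added example (not code from this page or from the OpenStack project): build the v3 password-auth request, read the token and service catalog back, and resolve the Glance, Neutron and Nova URLs from the catalog the way a client does before a launch. The request and response shapes are those of the public Keystone v3 API; the hostnames, project and user names, and the trimmed token response are constructed for illustration, and the network call itself is not exercised offline.

```python
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample: a made-up Keystone endpoint, not a real deployment.
KEYSTONE_URL = "https://keystone.example.invalid:5000/v3"


def build_password_auth(username: str, password: str, project: str,
                        user_domain: str = "Default",
                        project_domain: str = "Default") -> Dict:
    """Body for POST /v3/auth/tokens: password method, project-scoped token.
    Nova, Glance, Neutron and Cinder expect a project-scoped token; an
    unscoped one is only good for talking to Keystone itself."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {"user": {"name": username,
                                      "domain": {"name": user_domain},
                                      "password": password}},
            },
            "scope": {"project": {"name": project,
                                  "domain": {"name": project_domain}}},
        }
    }


def request_token(auth_url: str, body: Dict) -> Tuple[str, Dict]:
    """POST the auth body to Keystone. The token arrives in the X-Subject-Token
    response header; the JSON body carries expiry, roles and the catalog.
    This makes a network call, so the offline demo below does not use it."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)


def find_endpoint(token_body: Dict, service_type: str,
                  interface: str = "public",
                  region: Optional[str] = None) -> Optional[str]:
    """Resolve a service URL from the catalog returned with the token.
    Clients discover Nova/Glance/Neutron this way instead of hard-coding hosts."""
    for service in token_body["token"].get("catalog", []):
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region is not None and ep.get("region") != region:
                continue
            return ep.get("url")
    return None


def launch_endpoints(token_body: Dict) -> Dict[str, str]:
    """The services a `server create` touches, in the order of the flow above:
    image (Glance), network (Neutron), then compute (Nova). Raises if the
    catalog lacks one, the first thing to check when a launch cannot find a service."""
    found: Dict[str, str] = {}
    for svc in ("image", "network", "compute"):
        url = find_endpoint(token_body, svc)
        if url is None:
            raise LookupError(f"no public endpoint for service type {svc!r}")
        found[svc] = url
    return found


def insecure_endpoints(token_body: Dict) -> List[Tuple[str, str, str]]:
    """Operator check: catalog entries not served over TLS. Tokens are bearer
    credentials, so every plain-http endpoint in the catalog exposes them."""
    out = []
    for service in token_body["token"].get("catalog", []):
        for ep in service.get("endpoints", []):
            url = ep.get("url", "")
            if not url.startswith("https://"):
                out.append((service.get("type", "?"), ep.get("interface", "?"), url))
    return out


# Constructed sample of a Keystone token response, trimmed to the fields used.
SAMPLE_TOKEN_RESPONSE = {
    "token": {
        "expires_at": "2030-01-01T01:00:00.000000Z",
        "project": {"id": "0123abcd", "name": "demo"},
        "roles": [{"id": "r1", "name": "member"}],
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne", "url": KEYSTONE_URL}]},
            {"type": "compute", "name": "nova", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://cloud.example.invalid:8774/v2.1"},
                {"interface": "internal", "region": "RegionOne",
                 "url": "http://10.0.0.5:8774/v2.1"}]},
            {"type": "image", "name": "glance", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://cloud.example.invalid:9292"}]},
            {"type": "network", "name": "neutron", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://cloud.example.invalid:9696"}]},
        ],
    }
}


if __name__ == "__main__":
    print(json.dumps(build_password_auth("alice", "example-password", "demo"), indent=2))
    print(launch_endpoints(SAMPLE_TOKEN_RESPONSE))
    print(insecure_endpoints(SAMPLE_TOKEN_RESPONSE))
```

Against a live deployment you would call `request_token(KEYSTONE_URL, build_password_auth(...))` and pass the returned body to `launch_endpoints`; the internal plain-http Nova endpoint in the sample is the kind of entry `insecure_endpoints` is there to surface during an operator review.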

A couple of CLI examples

The unified openstack client talks to all services. Authenticate first (typically by sourcing an RC file with your credentials and endpoint), then:

# Load credentials and the Keystone endpoint
source ~/admin-openrc.sh

# List compute instances (Nova)
openstack server list

# List available boot images (Glance)
openstack image list

# List networks (Neutron)
openstack network list

# Launch a small instance from an image onto a network
openstack server create \
  --flavor m1.small \
  --image ubuntu-22.04 \
  --network private-net \
  --key-name mykey \
  web-01
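A pre-flight check for the RC file those commands depend on, as an added example (not code from this page or from the OpenStack project): it reads the `export OS_*=...` lines without sourcing the file, confirms the variables the client needs are present, that Keystone is reached over TLS, and that a file holding a password is not readable by other users. The variable names are the standard ones python-openstackclient reads (including the application-credential pair); the two sample RC files it writes are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Matches `export OS_X=value` or `OS_X=value`; the value may be quoted.
_EXPORT_RE = re.compile(r"^\s*(?:export\s+)?(OS_[A-Z0-9_]+)=(.*?)\s*$")


def parse_openrc(text: str) -> Dict[str, str]:
    """Extract OS_* assignments without executing the file.
    Values are taken literally, so `$OS_PASSWORD_INPUT` (as written by RC files
    that prompt for the password) counts as set, which is what we want."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = _EXPORT_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def check_openrc_env(env: Dict[str, str]) -> List[str]:
    """Return a list of problems; empty means the CLI has what it needs."""
    problems: List[str] = []
    url = env.get("OS_AUTH_URL", "")
    if not url:
        problems.append("missing OS_AUTH_URL")
    elif not url.startswith("https://"):
        problems.append("OS_AUTH_URL is not https; password and tokens would travel in clear")
    if env.get("OS_APPLICATION_CREDENTIAL_SECRET"):
        # Application credentials carry their own scope; no user/project needed.
        if not env.get("OS_APPLICATION_CREDENTIAL_ID"):
            problems.append("missing OS_APPLICATION_CREDENTIAL_ID")
    else:
        for var in ("OS_USERNAME", "OS_PROJECT_NAME"):
            if not env.get(var):
                problems.append(f"missing {var}")
        if not env.get("OS_PASSWORD"):
            problems.append("no OS_PASSWORD or OS_APPLICATION_CREDENTIAL_SECRET")
    return problems


def check_openrc_file(path: str) -> List[str]:
    """File-level checks (permissions) followed by the variable checks."""
    problems: List[str] = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("file is readable by group/others; it holds a secret, use mode 600")
    with open(path, encoding="utf-8") as f:
        env = parse_openrc(f.read())
    return problems + check_openrc_env(env)


# Constructed sample RC files: one sound, one with the usual mistakes.
GOOD_RC = """# constructed sample openrc (good)
export OS_AUTH_URL=https://keystone.example.invalid:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=alice
export OS_PASSWORD='correct horse battery staple'
export OS_PROJECT_NAME=demo
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
"""
BAD_RC = """# constructed sample openrc (bad): plain http, no password
export OS_AUTH_URL=http://10.0.0.5:5000/v3
export OS_USERNAME=alice
export OS_PROJECT_NAME=demo
"""


def make_sample_openrc_files() -> Dict[str, str]:
    """Write the two samples to a temp dir with realistic modes; return paths."""
    d = tempfile.mkdtemp(prefix="openrc-check-")
    paths = {"good": os.path.join(d, "good-openrc.sh"),
             "bad": os.path.join(d, "bad-openrc.sh")}
    for key, text, mode in (("good", GOOD_RC, 0o600), ("bad", BAD_RC, 0o644)):
        with open(paths[key], "w", encoding="utf-8") as f:
            f.write(text)
        os.chmod(paths[key], mode)
    return paths


if __name__ == "__main__":
    for name, path in make_sample_openrc_files().items():
        print(name, check_openrc_file(path) or "OK")
```

Run it against your own file with `check_openrc_file(os.path.expanduser("~/admin-openrc.sh"))` before the `source` step; the bad sample trips all three checks (world-readable, plain http, no credential), which are the failures that otherwise surface only as confusing authentication errors from `openstack server list`.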

Honest notes on operational complexity

OpenStack is powerful, but running it is a serious undertaking. Be clear-eyed:

  • Many moving parts. A dozen-plus services, each with its own database, message-queue traffic, and config — failures can be subtle and cross-service.
  • Day-2 operations. Upgrades between releases, certificate rotation, and capacity planning are ongoing work, not one-time setup.
  • Deployment tooling matters. Almost no one installs OpenStack by hand. Teams use Kolla-Ansible, OpenStack-Ansible, or a vendor distribution (e.g. Red Hat, Canonical) to make it manageable.
  • Networking is the hard part. Neutron with overlays, SDN, and provider networks is where most operators spend their debugging time.
  • You own reliability. There is no provider SLA to fall back on — your team is the SLA.

Common in hosting and telco

This is exactly why OpenStack is most popular among hosting companies and telcos: they have the scale, the dedicated platform teams, and the data-sovereignty requirements that justify the effort. For automating the infrastructure that sits on top, see Terraform Basics (Terraform has an OpenStack provider), and contrast all of this with hypervisor fundamentals in Virtualization and Hypervisors.

Verify your work

  • [ ] You can state at least three reasons to run a private cloud (control, compliance, data residency, cost at scale).
  • [ ] You can name OpenStack's core projects and what each does (Keystone, Nova, Neutron, Cinder, Swift, Glance, Horizon).
  • [ ] After sourcing credentials, openstack server list and openstack image list return without authentication errors.
  • [ ] You can trace, at a high level, what happens when a user launches a VM (Keystone auth, Nova schedule, Glance image, Cinder volume, Neutron network).
  • [ ] You can articulate at least two operational risks of running OpenStack yourself.

Summary

  • A private cloud offers public-cloud-style self-service on infrastructure dedicated to one organisation, chosen for control, compliance, data residency, and cost at steady scale.
  • OpenStack is the leading open-source IaaS toolkit: a set of cooperating services that together form your own cloud control plane.
  • Core projects: Keystone (identity), Nova (compute), Neutron (networking), Cinder (block storage), Swift (object storage), Glance (images), Horizon (dashboard).
  • The unified openstack CLI drives every service once you authenticate via Keystone.
  • It is powerful but operationally heavy — most common at hosting and telco providers who have the scale and platform teams to justify it.