If you recall from Chapter 3, Neutron API Basics, users can create and manage networks known as tenant networks that are completely isolated from other networks and tenants via Layer 2 segregation. Users do not require any knowledge of the physical infrastructure when creating tenant networks and are not aware of the underlying Layer 2 technology that provides connectivity between hosts, be it VLAN, VXLAN, GRE, or some other technology.

Users can use Neutron routers to provide flexibility in networking by connecting user-created tenant networks to one another and to the physical network. Neutron routers act as NAT gateways in an effort to provide connectivity to and from virtual machine instances in tenant networks. In the following diagram, a Neutron router is connected to both a provider network and a user-created tenant network:

When instances are placed behind a Neutron router, users can no longer access them directly by their fixed IP. Instead, users must create...