diff --git a/content/cloud/advanced-features/images/network1.png b/content/cloud/advanced-features/images/network1.png
new file mode 100644
index 0000000000000000000000000000000000000000..3e3746b0d024a865390c3b5dd57791744ef20f3c
Binary files /dev/null and b/content/cloud/advanced-features/images/network1.png differ
diff --git a/content/cloud/advanced-features/images/network2.png b/content/cloud/advanced-features/images/network2.png
new file mode 100644
index 0000000000000000000000000000000000000000..9c141096f39dd3049c736f939c07ce0efab7958c
Binary files /dev/null and b/content/cloud/advanced-features/images/network2.png differ
diff --git a/content/cloud/advanced-features/images/network3.png b/content/cloud/advanced-features/images/network3.png
new file mode 100644
index 0000000000000000000000000000000000000000..a5ba9bca33be5534a45eb279cb22a641228dc1cf
Binary files /dev/null and b/content/cloud/advanced-features/images/network3.png differ
diff --git a/content/cloud/advanced-features/images/network4.png b/content/cloud/advanced-features/images/network4.png
new file mode 100644
index 0000000000000000000000000000000000000000..292859a29c2407197ae6b3fd355b94427b813308
Binary files /dev/null and b/content/cloud/advanced-features/images/network4.png differ
diff --git a/content/cloud/advanced-features/images/network5.png b/content/cloud/advanced-features/images/network5.png
new file mode 100644
index 0000000000000000000000000000000000000000..1c32ea66b3efc41e5165d294928a4b732a1e5d97
Binary files /dev/null and b/content/cloud/advanced-features/images/network5.png differ
diff --git a/content/cloud/advanced-features/images/router1.png b/content/cloud/advanced-features/images/router1.png
new file mode 100644
index 0000000000000000000000000000000000000000..5b07a88a0818caae845ed8cd85c2dd15d27119e9
Binary files /dev/null and b/content/cloud/advanced-features/images/router1.png differ
diff --git a/content/cloud/advanced-features/images/router2.png b/content/cloud/advanced-features/images/router2.png
new file mode 100644
index 0000000000000000000000000000000000000000..0691a18aa9109ecd28b628cd6b19e26d1120648c
Binary files /dev/null and b/content/cloud/advanced-features/images/router2.png differ
diff --git a/content/cloud/advanced-features/images/router3.png b/content/cloud/advanced-features/images/router3.png
new file mode 100644
index 0000000000000000000000000000000000000000..083437b5d533d0549b5609d1977efcd5df44777f
Binary files /dev/null and b/content/cloud/advanced-features/images/router3.png differ
diff --git a/content/cloud/advanced-features/images/router4.png b/content/cloud/advanced-features/images/router4.png
new file mode 100644
index 0000000000000000000000000000000000000000..550bf54c3466bc7a82890be5318ed88f33600d7b
Binary files /dev/null and b/content/cloud/advanced-features/images/router4.png differ
diff --git a/content/cloud/advanced-features/images/router5.png b/content/cloud/advanced-features/images/router5.png
new file mode 100644
index 0000000000000000000000000000000000000000..f0ffdcb25dc098decd4226d67c23fb508c56f6a9
Binary files /dev/null and b/content/cloud/advanced-features/images/router5.png differ
diff --git a/content/cloud/advanced-features/images/router6.png b/content/cloud/advanced-features/images/router6.png
new file mode 100644
index 0000000000000000000000000000000000000000..3769848b15f6fdd10e47b01fb23695c5ff336bce
Binary files /dev/null and b/content/cloud/advanced-features/images/router6.png differ
diff --git a/content/cloud/advanced-features/index.md b/content/cloud/advanced-features/index.md
new file mode 100644
index 0000000000000000000000000000000000000000..e4a5b29fedd442d26650cfe19addff09ecdf433d
--- /dev/null
+++ b/content/cloud/advanced-features/index.md
@@ -0,0 +1,326 @@
+---
+title: "Advanced Features"
+date: 2021-05-18T11:22:35+02:00
+draft: false
+---
+
+
+The following guide will introduce you to advanced features available in MetaCentrum Cloud.
+For basic instructions on how to start a virtual machine instance, see [Quick Start](/quick-start/README.md).
+
+
+## Orchestration
+
+The OpenStack orchestration service can be used to deploy and manage complex virtual topologies as single entities,
+including basic auto-scaling and self-healing.
+
+**This feature is provided as is and configuration is entirely the responsibility of the user.**
+
+For details, refer to [the official documentation](https://docs.openstack.org/heat-dashboard/train/user/index.html).
+
+## Image upload
+
+We don't support uploading own images by default. MetaCentrum Cloud images are optimized for running in the cloud and we recommend users
+to customize them instead of building own images from scratch. If you need upload custom image, please contact user support for appropriate permissions.
+
+Instructions for uploading custom image:
+
+1. Upload only images in RAW format (not qcow2, vmdk, etc.).
+
+2. Upload is supported only through OpenStack [CLI](https://cloud.gitlab-pages.ics.muni.cz/documentation/cli/) with Application Credentials.
+
+3. Each image needs to contain metadata:
+```
+hw_scsi_model=virtio-scsi
+hw_disk_bus=scsi
+hw_rng_model=virtio
+hw_qemu_guest_agent=yes
+os_require_quiesce=yes
+```
+Following needs to be setup correctly (consult official [documentation](https://docs.openstack.org/glance/train/admin/useful-image-properties.html#image-property-keys-and-values))
+or instances won't start:
+```
+os_type=linux # example
+os_distro=ubuntu # example
+```
+
+4. Images should contain cloud-init, qemu-guest-agent and grow-part tools
+
+5. OpenStack will resize instance after start. Image shouldn't contain any empty partitions or free space
+
+For mor detailed explanation about CLI work with images, please refer to [https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/image.html](https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/image.html).
+
+
+
+## Image visibility
+In OpenStack there are 4 possible visibilities of particular image: **public, private, shared, community**.
+
+### 1. Public image
+
+ **Public image** is an image visible to everyone and everyone can access it.
+
+### 2. Private image
+
+ **Private image** is an image visible to only to owner of that image. This is default setting for all newly created images.
+
+### 3. Shared image
+
+ **Shared image** is an image visible to only to owner and possibly certain groups that owner specified. How to share an image between project, please read following [tutorial](/gui/#image-sharing-between-projects) below.
+
+### 4. Community image
+ **Community image** is an image that is accesible to everyone, however it is not visible in dashboard. These images can be listed in CLI via command:
+
+ ```openstack image list --community```.
+
+ This is especially beneficial in case of great number of users who should get access to this image or if you own image that is old but some users might still require that image. In that case you can make set old image and **Community image** and set new one as default.
+
+ <div style="border-width:0;border-left:5px solid #b8d6f4;background-color:rgba(255,0,0,0.3);margin:20px 0;padding:10px 20px;font-size:15px;">
+ <strong>WARNING:</strong><br/><br/>
+ To create or upload this image you must have an <b>image_uploader</b> right.
+ </div>
+
+ Creating a new **Community image** can look like this:
+
+ ```openstack image create --file test-cirros.raw --property hw_scsi_model=virtio-scsi --property hw_disk_bus=scsi --property hw_rng_model=virtio --property hw_qemu_guest_agent=yes --property os_require_quiesce=yes --property os_type=linux --community test-cirros```
+
+
+For more detailed explanation about these properties, go to the following link: [https://wiki.openstack.org/wiki/Glance-v2-community-image-visibility-design](https://wiki.openstack.org/wiki/Glance-v2-community-image-visibility-design).
+
+## Image sharing between projects
+Image sharing allows you to share your image between different projects and then it is possible to launch instances from that image in those projects with other collaborators etc. As mentioned in section about CLI, you will need to use your OpenStack credentials from ```openrc``` or ```cloud.yaml``` file.
+
+Then to share an image you need to know it's ID, which you can find with command:
+```
+openstack image show <name_of_image>
+```
+where ```name_of_image``` is name of image you want to share.
+
+
+After that you will also have to know ID of project you want to share your image with. If you do not know ID of that project you can use following command, which can help you find it:
+```
+openstack project list | grep <name_of_other_project>
+```
+where ```<name_of_project>``` is name of other project. It's ID will show up in first column.
+
+Now all with necessary IDs you can now share your image. First you need to set an attribute of image to `shared` by following command:
+```
+openstack image set --shared <image_ID>
+```
+And now you can share it with your project by typing this command:
+```
+openstack image add project <image_ID> <ID_of_other_project>
+```
+where ```ID_of_other_project``` is ID of project you want to share image with.
+
+Now you can check if user of other project accepted your image by command:
+```
+openstack image member list <image_ID>
+```
+If the other user did not accepted your image yet, status column will contain value: ```pending```.
+
+**Accepting shared image**
+
+To accept shared image you need to know ```<image_ID>``` of image that other person wants to share with you. To accept shared image to your project
+you need to use following command:
+```
+openstack image set --accept <image_ID>
+```
+You can then verify that by listing your images:
+```
+openstack image list | grep <image_ID>
+```
+**Unshare shared image**
+
+As owner of the shared image, you can check all projects that have access to the shared image by following command:
+```
+openstack image member list <image_ID>
+```
+When you find ```<ID_project_to_unshare>``` of project, you can cancel access of that project to shared image by command:
+```
+openstack image remove project <image ID> <ID_project_to_unshare>
+```
+
+## Add SWAP file to instance
+
+By default VMs after creation do not have SWAP partition. If you need to add a SWAP file to your system you can download and run [script](https://gitlab.ics.muni.cz/cloud/cloud-tools/-/blob/master/swap/swap.sh) that create SWAP file on your VM.
+
+## Local SSDs
+
+Default MetaCentrum Cloud storage is implemented via CEPH storage cluster deployed on top of HDDs. This configuration should be sufficient for most cases.
+For instances, that requires high throughput and IOPS, it is possible to utilize hypervizor local SSDs. Requirements for instances on hypervizor local SSD:
+* instances can be deployed only via API (CLI, Ansible, Terraform ...), instances deployed via web gui (Horizon) will always use CEPH for it's storage
+* supported only by flavors with ssd-ephem suffix (e.g. hpc.4core-16ram-ssd-ephem)
+* instances can be rebooted without prior notice or you can be required to delete them
+* you can request them, when asking for new project, or for existing project on cloud@metacentrum.cz
+
+## Affinity policy
+
+Affinity policy is a tool users can use to deploy nodes of cluster on same physical machine or if they should be spread among other physical machines. This can be beneficial if you need fast communication between nodes or you need them to be spreaded due to load-balancing or high-availability etc. For more info please refer to [https://docs.openstack.org/senlin/train/scenarios/affinity.html](https://docs.openstack.org/senlin/train/scenarios/affinity.html).
+
+## LBaaS - OpenStack Octavia
+
+Load Balancer is a tool used for distributing a set of tasks over particular set of resources. Its main goal is to find an optimal use of resources and make processing of particular tasks more efficient.
+
+In following example you can see how basic HTTP server is deployed via CLI.
+
+**Requirements**:
+
+- 2 instances connected to same internal subnet and configured with HTTP application on TCP port 80
+
+
+```
+openstack loadbalancer create --name my_lb --vip-subnet-id <external_subnet_ID>
+```
+where **<external_subnet_ID>** is an ID of external shared subnet created by cloud admins reachable from Internet.
+
+You can check newly created Load Balancer by running following command:
+
+```
+openstack loadbalancer show my_lb
+```
+Now you must create listener on port 80 to enable incoming traffic by following command:
+
+```
+openstack loadbalancer listener create --name listener_http --protocol HTTP --protocol-port 80 my_lb
+```
+
+Now you must add a pool on created listener to setup configuration for Load Balancer. You can do it by following command:
+
+```
+openstack loadbalancer pool create --name pool_http --lb-algorithm ROUND_ROBIN --listener listener_http --protocol HTTP
+```
+Here you created pool using Round Robin algorithm for load balancing.
+
+And now you must configure both nodes to join to Load Balancer:
+
+```
+openstack loadbalancer member create --subnet-id <internal_subnet_ID> --address 192.168.50.15 --protocol-port 80 pool_http
+openstack loadbalancer member create --subnet-id <internal_subnet_ID> --address 192.168.50.16 --protocol-port 80 pool_http
+```
+where **<internal_subnet_ID>** is an ID of internal subnet used by your instances and **--address** specifies an adress of concrete instance.
+
+For more info, please refer to [https://docs.openstack.org/octavia/train/user/guides/basic-cookbook.html#basic-lb-with-hm-and-fip](https://docs.openstack.org/octavia/train/user/guides/basic-cookbook.html#basic-lb-with-hm-and-fip).
+
+LBaaS (Load Balancer as a service) provides user with load balancing service, that can be fully managed via OpenStack API (some basic tasks are supported by GUI). Core benefits:
+* creation and management of load balancer resources can be easily automatized via API, or existing tools like Ansible or Terraform
+* applications can be easily scaled by starting up more OpenStack instances and registering them into the load balancer
+* public IPv4 addresses saving - you can deploy one load balancer with one public IP and serve multiple services on multiple pools of instances by TCP/UDP port or L7 policies
+
+**This feature is provided as is and configuration is entirely the responsibility of the user.**
+
+Official documentation for LBaaS (Octavia) service - https://docs.openstack.org/octavia/latest/user/index.html
+
+##Cloud orchestration tools
+
+### Terraform
+
+Terraform is the best orchestration tool for creating and managing cloud infrastructure. It is capable of greatly simplifying cloud operations. It gives you an option if something goes goes wrong you can easily rebuild your cloud infrastructure.
+
+It manages resources like virtual machines,DNS records etc..
+
+It is managed through configuration templates containing info about its tasks and resources. They are saved as *.tf files. If configuration changes, Terraform is to able to detect it and create additional operations in order to apply those changes.
+
+Here is an example how this configuration file can look like:
+
+```
+variable "image" {
+default = "Debian 10"
+}
+
+variable "flavor" {
+default = "standard.small"
+}
+
+variable "ssh_key_file" {
+default = "~/.ssh/id_rsa"
+}
+```
+
+ You can use OpenStack Provider which is tool for managing resources OpenStack supports via Terraform. Terraform has an advantage over Heat because it can be used als in other architectures, not only in OpenStack
+
+
+For more detail please refer to [https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs) and [https://www.terraform.io/intro/index.html](https://www.terraform.io/intro/index.html).
+
+
+### Heat
+Heat is another orchestration tool used for managing cloud resources. This one is OpenStack exclusive so you can't use it anywhere else. Just like Terraform it is capable of simplifying orchestration operations in your cloud infrastructure.
+
+It also uses configuration templates for specification of information about resources and tasks. You can manage resources like servers, floating ips, volumes, security groups etc. via Heat.
+
+Here is an example of Heat configuration template in form of *.yaml file:
+
+
+```
+heat_template_version: 2021-04-06
+
+description: Test template
+
+resources:
+ my_instance:
+ type: OS::Nova::Server
+ properties:
+ key_name: id_rsa
+ image: Debian10_image
+ flavor: standard.small
+```
+
+You can find more information here [https://wiki.openstack.org/wiki/Heat](https://wiki.openstack.org/wiki/Heat).
+
+##Object storage management
+
+OpenStack supports object storage based on [OpenStack Swift](https://docs.openstack.org/swift/latest/api/object_api_v1_overview.html). Creation of object storage container (database) is done by clicking on `+Container` on [Object storage containers page](https://dashboard.cloud.muni.cz/project/containers).
+
+Every object typically contains data along with metadata and unique global identifier to access it. OpenStack allows you to upload your files via HTTPs protocol. There are two ways managing created object storage container:
+
+1. Use OpenStack component [Swift](https://docs.openstack.org/swift/train/admin/index.html)
+
+2. Use [S3 API](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)
+
+In both cases you will need application credentials to be able to manage your data.
+
+
+### Swift credentials
+
+The easiest way to generate **Swift** storage credentials is through [MetaCentrum cloud dashboard](https://dashboard.cloud.muni.cz). You can generate application credentials as described [here](/cli/#getting-credentials). You must have role **heat_stack_owner**.
+
+### S3 credentials
+
+If you want to use **S3 API** you will need to generate ec2 credentials for access. Note that to generate ec2 credentials you will also need credentials containing role of **heat_stack_owner**. Once you sourced your credentials for CLI you can generate ec2 credentials by following command:
+
+```
+$ openstack ec2 credentials create
++------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| Field | Value |
++------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| access | 896**************************651 |
+| project_id | f0c**************************508 |
+| secret | 336**************************49c |
+...
+| user_id | e65***********************************************************6a |
++------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+
+```
+Then you will obtain S3 credentials. There is also a possibility that you can encouter following problem while working with S3:
+
+Then you may use one of the s3 clients (minio client mc, s3cmd, ...)
+Running minio client against created object storage container is very easy:
+
+```
+$ MC config host add swift-s3 https://object-store.cloud.muni.cz 896**************************651 336**************************49c --api S3v2
+Added `swift-s3` successfully.
+
+$ MC ls swift-s3
+[2021-04-19 15:13:45 CEST] 0B freznicek-test/
+```
+s3cmd client requires configuration file which looks like:
+In this case please open your file with credentials which will look like this:
+```
+default]
+access_key = 896**************************651
+secret_key = 336**************************49c
+host_base = object-store.cloud.muni.cz
+host_bucket = object-store.cloud.muni.cz
+use_https = True
+```
+
+For more info please refer to [https://docs.openstack.org/swift/latest/s3_compat.html](https://docs.openstack.org/swift/latest/s3_compat.html) and [https://docs.openstack.org/train/config-reference/object-storage/configure-s3.html](https://docs.openstack.org/train/config-reference/object-storage/configure-s3.html).
diff --git a/content/cloud/faq/index.md b/content/cloud/faq/index.md
new file mode 100644
index 0000000000000000000000000000000000000000..26a0d7b5ae257f77b7fec6235e13c6286b7dd80b
--- /dev/null
+++ b/content/cloud/faq/index.md
@@ -0,0 +1,75 @@
+---
+title: "Frequently Asked Questions"
+date: 2021-05-18T11:22:35+02:00
+draft: false
+---
+
+
+## Where I can find how to use MetaCentrum Cloud effectively?
+Read our [cloud best-practice tips](/register/README.md).
+
+## What to expect from the cloud and cloud computing
+
+[Migration of Legacy Systems to Cloud Computing](https://www.researchgate.net/publication/280154501_Migration_of_Legacy_Systems_to_Cloud_Computing) article gives the overwiew what to expect when joining a cloud with personal legacy application.
+
+### What are the cloud computing benefits?
+
+The most visible [cloud computing](https://en.wikipedia.org/wiki/Cloud_computing) benefits are:
+ * cost savings
+ * online access to the cloud resources for everyone authorized
+ * cloud project scalability (elasticity)
+ * online cloud resource management and improved sustainability
+ * security and privacy improvements
+ * encouraged cloud project agility
+
+## How do I register?
+Follow instructions for registering in [MetaCentrum Cloud](/register/README.md).
+
+## How do I migrate from legacy platforms?
+Follow instructions for [migrating from CESNET-MetaCloud or OStack ICS MUNI](/migrate/README.md).
+
+## Where do I report a problem?
+First, try searching the documentation for an answer to your problem. If that does not yield results, open a
+ticket with [cloud@metacentrum.cz](mailto:cloud@metacentrum.cz). When contacting user support, always
+include your *username* (upper right corner of the web interface) and *domain* with
+active *project* (upper left corner of the web interface) as well as a description of
+your problem and/or an error message if available.
+
+## What networks I can use to access my instances?
+Personal projects can allocate floating IPs from *public-muni-147-251-124* and *private-muni-10-16-116*.
+Group projects can currently allocate floating IPs from *public-cesnet-78-128-251* and *private-muni-10-16-116*.
+IP addresses from *public-muni-147-251-124* allocated by users to group projects are released daily, so we encourage
+using only *public-cesnet-78-128-251* and *private-muni-10-16-116* for group projects.
+Follow instructions at [changing the external network](/network/README.md) in order to change your public network.
+
+## Issues with network stability in Docker
+OpenStack instances use 1442 bytes MTU (maximum transmission unit) instead of standard 1500 bytes MTU. Instance itself is
+able to setup correct MTU with its counterpart via Path MTU Discovery. Docker needs MTU setup explicitly. Refer documentation for setting up
+1442 MTU in [Docker](https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/) or
+[Kubernetes](https://docs.projectcalico.org/v3.5/usage/configuration/mtu).
+
+## Issues with proxy in private networks
+OpenStack instances can either use public or private networks. If you are using a private network and you need to access to the internet for updates etc.,
+you can use muni proxy server *proxy.ics.muni.cz*. This server only supports HTTP protocol, not HTTPS. To configure it you must also consider what applications
+will be using it, because they can have their own configuration files, where this information must be set. If so, you must find particular setting and set up there
+mentioned proxy server with port 3128. Mostly applications use following setting, which can be done by editing file `/etc/environment` where you need to add a line
+`http_proxy="http://proxy.ics.muni.cz:3128/"`. And then you must either restart your machine or use command `source /etc/environment`.
+
+## How many floating IPs does my group project need?
+One floating IP per project should generally suffice. All OpenStack instances are deployed on top of internal OpenStack networks. These internal networks are not by default accessible from outside of OpenStack, but instances on top of same internal network can communicate with each other.
+
+To access internet from an instance, or access instance from the internet, you could allocate floating public IP per instance. Since there are not many public IP addresses available and assigning public IP to every instance is not security best practise, both in public and private clouds these two concepts are used:
+* **internet access is provided by virtual router** - all new OpenStack projects are created with *group-project-network* internal network connected to virtual router with public IP as a gateway. Every instance created with *group-project-network* can access internet through NAT provided by it's router by default.
+* **accessing the instances:**
+ * **I need to access instances by myself** - best practice for accessing your instances is creating one server with floating IP called [jump host](https://en.wikipedia.org/wiki/Jump_server) and then access all other instances through this host. Simple setup:
+ 1. Create instance with any Linux.
+ 2. Associate floating IP with this instance.
+ 3. Install [sshuttle](https://github.com/sshuttle/sshuttle) on your client.
+ 4. `sshuttle -r root@jump_host_fip 192.168.0.1/24`. All your traffic to internal OpenStack network *192.168.0.1/24* is now tunneled through jump host.
+ * **I need to serve content (e.g. webservice) to other users** - public and private clouds provide LBaaS (Load-Balancer-as-a-Service) service, which proxies users traffic to instances. MetaCentrum Cloud provides this service in experimental mode - [documentation](/gui/README.md/#lbaas)
+
+In case, that these options are not suitable for you usecase, you can still request multiple floating IPs.
+
+## I can't log into openstack, how is that possible ?
+The most common reason why you can't log into your openstack account is because your membership in Metacentrum has expired. To extend your membership in Metacentrum,
+you can visit [https://metavo.metacentrum.cz/en/myaccount/prodlouzeni](https://metavo.metacentrum.cz/en/myaccount/prodlouzeni).
\ No newline at end of file
diff --git a/content/cloud/network/images/1.png b/content/cloud/network/images/1.png
new file mode 100644
index 0000000000000000000000000000000000000000..4e53c938bdd86c9b569d9b2e1ee809abb44d6a43
Binary files /dev/null and b/content/cloud/network/images/1.png differ
diff --git a/content/cloud/network/images/2.png b/content/cloud/network/images/2.png
new file mode 100644
index 0000000000000000000000000000000000000000..39ed8d445cf69cd4e92748c4a600ec63921dc1ef
Binary files /dev/null and b/content/cloud/network/images/2.png differ
diff --git a/content/cloud/network/images/3.png b/content/cloud/network/images/3.png
new file mode 100644
index 0000000000000000000000000000000000000000..642c88fa19e3cac3a9a3efa07ad304ae3efffe88
Binary files /dev/null and b/content/cloud/network/images/3.png differ
diff --git a/content/cloud/network/images/4.png b/content/cloud/network/images/4.png
new file mode 100644
index 0000000000000000000000000000000000000000..e2cc785a2fddf048141b7a155cc6abf387c217fe
Binary files /dev/null and b/content/cloud/network/images/4.png differ
diff --git a/content/cloud/network/images/5.png b/content/cloud/network/images/5.png
new file mode 100644
index 0000000000000000000000000000000000000000..a72895d12e9572ef506cb463d93bc1956a7acbfe
Binary files /dev/null and b/content/cloud/network/images/5.png differ
diff --git a/content/cloud/network/images/allocate-fip.png b/content/cloud/network/images/allocate-fip.png
new file mode 100644
index 0000000000000000000000000000000000000000..235d61f941dc15044757ce47876458f6d4b1bcce
Binary files /dev/null and b/content/cloud/network/images/allocate-fip.png differ
diff --git a/content/cloud/network/images/associate-fip.png b/content/cloud/network/images/associate-fip.png
new file mode 100644
index 0000000000000000000000000000000000000000..06fac3b11563b61081199125aab8e159f43fb1ed
Binary files /dev/null and b/content/cloud/network/images/associate-fip.png differ
diff --git a/content/cloud/network/images/clear-router1.png b/content/cloud/network/images/clear-router1.png
new file mode 100644
index 0000000000000000000000000000000000000000..67e78c2560fe455e702564a42603a499660d33f8
Binary files /dev/null and b/content/cloud/network/images/clear-router1.png differ
diff --git a/content/cloud/network/images/f1.png b/content/cloud/network/images/f1.png
new file mode 100644
index 0000000000000000000000000000000000000000..02d922209ce3433c8bb69ee951fc742f6bd70e30
Binary files /dev/null and b/content/cloud/network/images/f1.png differ
diff --git a/content/cloud/network/images/instance1.png b/content/cloud/network/images/instance1.png
new file mode 100644
index 0000000000000000000000000000000000000000..679897f15aecae7790385df92da5e51fd047efe4
Binary files /dev/null and b/content/cloud/network/images/instance1.png differ
diff --git a/content/cloud/network/images/network_floating_ip.png b/content/cloud/network/images/network_floating_ip.png
new file mode 100644
index 0000000000000000000000000000000000000000..a10c47ac9c4756ba9b108f6ab19ecb48d8db4c04
Binary files /dev/null and b/content/cloud/network/images/network_floating_ip.png differ
diff --git a/content/cloud/network/images/network_routers-group.png b/content/cloud/network/images/network_routers-group.png
new file mode 100644
index 0000000000000000000000000000000000000000..26b7c5056107945f238267464719e80e31e282cd
Binary files /dev/null and b/content/cloud/network/images/network_routers-group.png differ
diff --git a/content/cloud/network/images/r1.png b/content/cloud/network/images/r1.png
new file mode 100644
index 0000000000000000000000000000000000000000..8dd8f6f11b7bd8ba6c86008760456b9d49586e08
Binary files /dev/null and b/content/cloud/network/images/r1.png differ
diff --git a/content/cloud/network/images/r2.png b/content/cloud/network/images/r2.png
new file mode 100644
index 0000000000000000000000000000000000000000..6d99c99a1d6181592e1f19933278d7095e5ad785
Binary files /dev/null and b/content/cloud/network/images/r2.png differ
diff --git a/content/cloud/network/images/r3.png b/content/cloud/network/images/r3.png
new file mode 100644
index 0000000000000000000000000000000000000000..116dc67ac63e4e9c49926483cad1dccfe3de96a8
Binary files /dev/null and b/content/cloud/network/images/r3.png differ
diff --git a/content/cloud/network/images/set-router1.png b/content/cloud/network/images/set-router1.png
new file mode 100644
index 0000000000000000000000000000000000000000..54f2444a9b9f54889c8df68f91178845a58c5b47
Binary files /dev/null and b/content/cloud/network/images/set-router1.png differ
diff --git a/content/cloud/network/images/set-router2.png b/content/cloud/network/images/set-router2.png
new file mode 100644
index 0000000000000000000000000000000000000000..1061b87900c31be8f709577591bc2a4d091d6950
Binary files /dev/null and b/content/cloud/network/images/set-router2.png differ
diff --git a/content/cloud/network/index.md b/content/cloud/network/index.md
new file mode 100644
index 0000000000000000000000000000000000000000..2a0c296ec481b13d80e7151f094cba88b79584a0
--- /dev/null
+++ b/content/cloud/network/index.md
@@ -0,0 +1,213 @@
+---
+title: "Networking"
+date: 2021-05-18T11:22:35+02:00
+draft: false
+---
+
+
+
+For the networking in Cloud2 metacentrum we need to distinguish following scenarios
+* personal project
+* group project.
+
+
+{{< hint danger >}}
+**WARNING:**
+ Please read the following rules:
+
+ 1. If you are using a <a href="https://cloud.gitlab-pages.ics.muni.cz/documentation/register/#personal-project">PERSONAL</a> project you have to use the `78-128-250-pers-proj-net` network to make your instance accesible from external network (e.g. Internet). Use `public-cesnet-78-128-250-PERSONAL` for FIP allocation, FIPs from this pool will be periodically released.
+ 2. If you are using a <a href="https://cloud.gitlab-pages.ics.muni.cz/documentation/register/#group-project">GROUP</a> project you may choose from the `public-cesnet-78-128-251-GROUP`, `public-muni-147-251-124-GROUP` or any other <a href="https://cloud.gitlab-pages.ics.muni.cz/documentation/register/#group-project">GROUP</a> network for FIP allocation to make your instance accesible from external network (e.g. Internet).
+ 3. Violation of the network usage may lead into resource removal and reducing of the quotas assigned.
+{{< /hint >}}
+
+
+## Networking in the personal vs. group projects
+
+### Personal Project networking
+
+Is currently limited to the common internal network. The network in which you should start your machine is called `78-128-250-pers-proj-net` and is selected by default when using dashboard to start a machine (if you do not have another network created). The floating IP adresses you need to access a virtual machine is `public-cesnet-78-128-250-PERSONAL`. Any other allocated floatin IP address and `external gateway` will be deleted. You cannot use router with the personal project and any previously created routers will be deleted.
+
+### Group project
+
+In group project situation is rather different. You cannot use the same approach as personal project (resources allocated in previously mentioned networks will be periodically released). For FIP you need to allocate from pools with `-GROUP` suffix (namely `public-cesnet-78-128-251-GROUP`, `public-muni-147-251-21-GROUP` or `public-muni-147-251-124-GROUP`).
+
+{{< hint info >}}
+**NOTICE**
+
+If you use MUNI account, you can use private-muni-10-16-116 and log into the network via MUNI VPN or you can set up Proxy networking, which is described
+<a href="https://cloud.gitlab-pages.ics.muni.cz/documentation/network/#proxy-networking">here</a>
+{{< /hint >}}
+
+#### Virtual Networks
+
+MetaCentrum Cloud offers software-defined networking as one of its services. Users have the ability to create their own
+networks and subnets, connect them with routers, and set up tiered network topologies.
+
+Prerequisites:
+* Basic understanding of routing
+* Basic understanding of TCP/IP
+
+For details, refer to [the official documentation](https://docs.openstack.org/horizon/train/user/create-networks.html).
+
+
+#### Network creation
+
+For group project you need to create internal network first, you may use autoallocated pool for subnet autocreation.
+Navigate yourself towards **Network > Networks** in the left menu and click on the **Create Network** on the right side of the window. This will start an interactive dialog for network creation.
+
+
+Inside the interactive dialog:
+1. Type in the network name
+
+2. Move to the **Subnet** section either by clicking next or by clicking on the **Subnet** tab. You may choose to enter network range manually (recommended for advanced users in order to not interfere with the public IP address ranges), or select **Allocate Network Address from a pool**. In the **Address pool** section select a `private-192-168`. Select Network mask which suits your needs (`27` as default can hold up to 29 machines, use IP calculator if you are not sure).
+
+3. For the last tab **Subnet Details** just check that a DNS is present and DHCP box is checked, alternatively you can create the allocation pool or specify static routes in here (for advanced users).
+
+
+
+{{< hint danger >}}
+**NOTICE**
+
+If you want to use CLI to create network, please go [here](https://cloud.gitlab-pages.ics.muni.cz/documentation/cli/#create-network)
+{{< /hint >}}
+
+
+#### Proxy networking
+In your OpenStack instances you can you private or public networks. If you use private network and you need to access to the internet for updates etc.,
+you can visit following [link](/faq/#issues-with-proxy-in-private-networks), where it is explained, how to set up Proxy connection.
+
+
+#### Setup Router gateway (Required for Group projects)
+Completing [Create Virtual Machine Instance](/quick-start/#create-virtual-machine-instance) created instance connected
+to software defined network represented by internal network, subnet and router. Router has by default gateway address
+from External Network chosen by cloud administrators. You can change it to any External Network with [GROUP](/register/#group-project) suffix, that
+is visible to you (e.g. **public-muni-147-251-124-GROUP** or **public-cesnet-78-128-251-GROUP**). Usage of External Networks
+with suffix PERSONAL (e.g. **public-cesnet-78-128-250-PERSONAL**) is discouraged. IP addresses from
+PERSONAL segments will be automatically released from Group projects.
+For changing gateway IP address follow these steps:
+
+1. In **Network > Routers**, click the **Set Gateway** button next to router.
+If router exists with another settings, then use button Clear Gateway, confirm Clear Gateway.
+If router isn't set then use button Create router and choose network.
+
+2. From list of External Network choose **public-cesnet-78-128-251-GROUP**, **public-muni-147-251-124-GROUP** or any other [GROUP](/register/#group-project) network you see.
+
+ 
+
+Router is setup with persistent gateway.
+
+#### Router creation
+
+Navigate yourself towards **Network > Routers** in the left menu and click on the **Create Router** on the right side of the window.
+In the interactive dialog:
+1. Enter router name and select external gateway with the `-GROUP` suffix.
+
+
+Now you need to attach your internal network to the router.
+1. Click on the router you just created.
+2. Move to the **Interfaces** tab and click on the **Add interface**.
+
+3. Select a previously created subnet and submit.
+
+
+
+{{< hint info >}}
+**NOTICE**
+
+If you want to use CLI to manage routers, please go [here](https://cloud.gitlab-pages.ics.muni.cz/documentation/cli/#router-management)
+{{< /hint >}}
+
+
+{{< hint info >}}
+**NOTICE**
+
+Routers can also be used to route traffic between internal networks. This is an advanced topic not covered in this guide.
+{{< /hint >}}
+
+
+#### Associate Floating IP
+
+
+{{< hint danger >}}
+**WARNING**
+
+There is a limited number of Floating IP adresses. So please before you ask for more Floating IP address, visit and read <a href="https://cloud.gitlab-pages.ics.muni.cz/documentation/faq/#how-many-floating-ips-does-my-group-project-need">https://cloud.gitlab-pages.ics.muni.cz/documentation/faq/#how-many-floating-ips-does-my-group-project-need</a>.
+{{< /hint >}}
+
+
+
+To make an instance accessible from external networks (e.g., The Internet), a so-called Floating IP Address has to be
+associated with it.
+
+1. In **Project > Network > Floating IPs**, select **Allocate IP to Project**. Pick an IP pool from which to allocate
+ the address. Click on **Allocate IP**.
+
+{{< hint info >}}
+**NOTICE**
+
+In case of group projects when picking an IP pool from which to allocate a floating IP address, please, keep in mind that you have to allocate
+an address in the pool connected to your virtual router.
+{{< /hint >}}
+
+{{< hint danger >}}
+**WARNING**
+Group projects can persistently allocate IPs only from External Network with GROUP suffix (e.g. public-muni-147-251-124-GROUP or public-cesnet-78-128-251-GROUP).
+IPs from External Networks with suffix PERSONAL (e.g. public-cesnet-78-128-250-PERSONAL) will be released automatically.
+{{< /hint >}}
+
+{{< hint info>}}
+**NOTICE**
+Please, keep an eye on the number of allocated IPs in <strong>Project > Network > Floating IPs</strong>. IPs
+remain allocated to you until you explicitly release them in this tab. Detaching an IP from an instance is not sufficient
+and the IP in question will remain allocated to you and consume your Floating IP quota.
+{{< /hint >}}
+
+1. In **Project > Compute > Instances**, select **Associate Floating IP** from the **Actions** drop-down menu for the
+ given instance.
+
+2. Select IP address and click on **Associate**.
+
+ 
+
+{{< hint info >}}
+**NOTICE**
+
+If you want to use CLI to manage FIP, please go <a href="https://cloud.gitlab-pages.ics.muni.cz/documentation/cli/#floating-ip-address-management">here</a>.
+{{< /hint >}}
+
+
+## Change external network in GUI
+
+Following chapter covers the problem of changing the external network via GUI or CLI.
+
+### Existing Floating IP release
+
+First you need to release existing Floating IPs from your instances - go to **Project > Compute > Instances**. Click on the menu **Actions** on the instance you whish to change and **Disassociate Floating IP** and specify that you wish to **Release Floating IP** WARN: After this action your project will no longer be able to use the floating IP address you released. Confirm that you wish to disassociate the floating IP by clicking on the **Disassociate** button. When you are done with all instances connected to your router you may continue with the next step.
+
+
+### Clear Gateway
+
+Now, you should navigate yourself to the **Project > Network > Routers**. Click on the action **Clear Gateway** of your router. This action will disassociate the external network from your router, so your machines will not longer be able to access Internet. If you get an error go back to step 1 and **Disassociate your Floating IPs**.
+
+
+### Set Gateway
+
+1. Now, you can set your gateway by clicking **Set Gateway**.
+
+
+2. Choose network you desire to use (e.g. **public-cesnet-78-128-251**) and confirm.
+
+
+### Allocate new Floating IP(s)
+
+{{< hint danger >}}
+**WARNING**
+New floating IP address for router must be from same network pool which was selected as new gateway.
+{{< /hint >}}
+
+
+1. Go to **Project > Network > Floating IPs** and click on the **Allocate IP to Project** button. Select **Pool** with the same value as the network you chose in the previous step and confirm it by clicking **Allocate IP**
+
+
+2. Now click on the **Associate** button next to the Floating IP you just created. Select **Port to be associated** with desired instance. Confirm with the **Associate** button. Repeat this section for all your machines requiring a Floating IP.
+