This reference explains how network access to guests is achieved when deploying MicroStack using local access to the guests (normal for a single-node deployment).
If the defaults are chosen, sunbeam will have set up an external subnet within OpenStack, which is used to allocate floating IPs.
$ openstack subnet show -c allocation_pools -c cidr external-subnet
+------------------+-------------------------+
| Field            | Value                   |
+------------------+-------------------------+
| allocation_pools | 10.20.20.2-10.20.20.254 |
| cidr             | 10.20.20.0/24           |
+------------------+-------------------------+
The sunbeam installation adds a route on the machine that sends traffic for this range to the bridge br-ex.
$ sudo ip route
...
10.20.20.0/24 dev br-ex proto kernel scope link src 10.20.20.1
...
In turn, br-ex is configured with the first IP from the floating IP CIDR (in this case 10.20.20.1). This IP is not included in the allocation range of the external-subnet.
$ sudo ip addr show br-ex
48: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 12:73:07:2f:9c:47 brd ff:ff:ff:ff:ff:ff
    inet 10.20.20.1/24 scope global br-ex
       valid_lft forever preferred_lft forever
    inet6 fe80::1073:7ff:fe2f:9c47/64 scope link
       valid_lft forever preferred_lft forever
br-ex is then wired in the normal way with external access through br-ex and tap devices for the guests attached to br-int:
$ sudo openstack-hypervisor.ovs-vsctl show
fbea0320-e3dd-49ca-8406-a15da3bb7347
    Bridge br-ex
        datapath_type: system
        Port patch-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee-to-br-int
            Interface patch-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee-to-br-int
                type: patch
                options: {peer=patch-br-int-to-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee}
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port tap44e1126e-d4
            Interface tap44e1126e-d4
        Port tap0c44773d-70
            Interface tap0c44773d-70
        Port patch-br-int-to-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee
            Interface patch-br-int-to-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee
                type: patch
                options: {peer=patch-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee-to-br-int}
    ovs_version: "3.1.0"
There is also an iptables rule for the floating IP network to allow egress traffic from the guest.
$ sudo iptables-legacy -t nat -L POSTROUTING -n -v | grep -Ev 'cali|kubernetes'
Chain POSTROUTING (policy ACCEPT 53445 packets, 3302K bytes)
pkts bytes target prot opt in out source destination
26 1896 MASQUERADE all -- * * 10.20.20.0/24 0.0.0.0/0 /* openstack-hypervisor external network rule */
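The route, the bridge address and the NAT rule described above all have to agree with the external subnet. As an added example (not part of sunbeam or the original page), the following Python sketch checks that agreement from captured command output; the function name `audit_external_net` and its finding messages are assumptions made for illustration.

```python
import ipaddress
import re

RULE_TAG = "openstack-hypervisor external network rule"  # comment shown in the page's rule

def audit_external_net(cidr, pool, ip_route, ip_addr, nat_rules, bridge="br-ex"):
    """Return inconsistencies between the external subnet and the host-side
    route, bridge address and NAT rule. An empty list means consistent."""
    net = ipaddress.ip_network(cidr)
    first, last = (ipaddress.ip_address(a) for a in pool.split("-"))
    findings = []
    # 1. The kernel route for the floating IP range must point at the bridge.
    if not re.search(rf"^{re.escape(cidr)} dev {re.escape(bridge)}\b", ip_route, re.M):
        findings.append(f"no route for {cidr} via {bridge}")
    # 2. The bridge address must be inside the CIDR but outside the pool,
    #    otherwise the same address could also be allocated as a floating IP.
    m = re.search(r"inet ([\d.]+)/\d+", ip_addr)
    if not m:
        findings.append(f"{bridge} has no IPv4 address")
    else:
        addr = ipaddress.ip_address(m.group(1))
        if addr not in net:
            findings.append(f"{bridge} address {addr} is outside {cidr}")
        elif first <= addr <= last:
            findings.append(f"{bridge} address {addr} is inside the allocation pool")
    # 3. The tagged MASQUERADE rule must cover the floating IP CIDR and nothing wider.
    sources = []
    for line in nat_rules.splitlines():
        f = line.split()
        if len(f) > 8 and f[2] == "MASQUERADE" and RULE_TAG in line:
            sources.append(ipaddress.ip_network(f[7], strict=False))
    if net not in sources:
        findings.append(f"no MASQUERADE rule with source {cidr}")
    findings += [f"MASQUERADE source {s} is wider than {cidr}"
                 for s in sources if s != net and net.subnet_of(s)]
    return findings

# Inputs copied from the command output on this page.
ROUTE = "10.20.20.0/24 dev br-ex proto kernel scope link src 10.20.20.1"
ADDR = "inet 10.20.20.1/24 scope global br-ex"
NAT = ("26 1896 MASQUERADE all -- * * 10.20.20.0/24 0.0.0.0/0 "
       "/* openstack-hypervisor external network rule */")

if __name__ == "__main__":
    print(audit_external_net("10.20.20.0/24", "10.20.20.2-10.20.20.254", ROUTE, ADDR, NAT) or "consistent")
```

On a live host the three text arguments would be the output of the `ip route`, `ip addr show br-ex` and `iptables-legacy -t nat -L POSTROUTING -n -v` commands shown above.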