OpenStack uses ports to connect cloud instances to networks and corresponding (virtual) network devices like routers.
By default SysEleven Stack port security will be enforced, which means that:
It is possible to change these restrictions using security groups and the port security settings.
For more information about security groups have a look here.
This tutorial shows how to allow an additional subnet to talk to/via a port to be able to communicate via a VPN for example.