From what I understand, ExternalNetworkAttachForbidden is raised when a user tries to create an instance directly attached to an external network and that is forbidden.
I found two places in the code where this exception is caught:
1) https://opendev.org/openstack/nova/src/branch/master/nova/api/openstack/compute/servers.py#L813 server create API call
2) https://opendev.org/openstack/nova/src/branch/master/nova/compute/manager.py#L2656 instance build on compute node
Tested on my Ussuri environment, this is caught only at 2), when the instance is being built on the compute node, which means the instance ends up in ERROR state with a fault looking like this:
{'code': 500, 'created': '2023-04-04T11:41:55Z', 'message': 'Build of instance 616d6611-133b-4ebd-947f-f0b0eee7aa0f aborted: Failed to allocate the network(s), not rescheduling.', 'details': 'Traceback (most recent call last):\n File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 2467, in _build_and_run_instance\n self.driver.spawn(context, instance, image_meta,\n File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 3738, in spawn\n xml = self._get_guest_xml(context, instance, network_info,\n File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 6486, in _get_guest_xml\n network_info_str = str(network_info)\n File "/usr/lib/python3/dist-packages/nova/network/model.py", line 616, in __str__\n return self._sync_wrapper(fn, *args, **kwargs)\n File "/usr/lib/python3/dist-packages/nova/network/model.py", line 599, in _sync_wrapper\n self.wait()\n File "/usr/lib/python3/dist-packages/nova/network/model.py", line 631, in wait\n self[:] = self._gt.wait()\n File "/usr/lib/python3/dist-packages/eventlet/greenthread.py", line 181, in wait\n return self._exit_event.wait()\n File "/usr/lib/python3/dist-packages/eventlet/event.py", line 132, in wait\n current.throw(*self._exc)\n File "/usr/lib/python3/dist-packages/eventlet/greenthread.py", line 221, in main\n result = function(*args, **kwargs)\n File "/usr/lib/python3/dist-packages/nova/utils.py", line 676, in context_wrapper\n return func(*args, **kwargs)\n File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 1842, in _allocate_network_async\n six.reraise(*exc_info)\n File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise\n raise value\n File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 1820, in _allocate_network_async\n nwinfo = self.network_api.allocate_for_instance(\n File "/usr/lib/python3/dist-packages/nova/network/neutron.py", line 1069, in allocate_for_instance\n nets = self._validate_requested_network_ids(\n File "/usr/lib/python3/dist-packages/nova/network/neutron.py", line 948, in _validate_requested_network_ids\n self._check_external_network_attach(context, nets)\n File "/usr/lib/python3/dist-packages/nova/network/neutron.py", line 615, in _check_external_network_attach\n raise exception.ExternalNetworkAttachForbidden(\nnova.exception.ExternalNetworkAttachForbidden: It is not allowed to create an interface on external network c865e91b-83a4-4954-a421-8d4792179b3c\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 2290, in _do_build_and_run_instance\n self._build_and_run_instance(context, instance, image,\n File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 2536, in _build_and_run_instance\n raise exception.BuildAbortException(instance_uuid=instance.uuid,\nnova.exception.BuildAbortException: Build of instance 616d6611-133b-4ebd-947f-f0b0eee7aa0f aborted: Failed to allocate the network(s), not rescheduling.\n'}
If it was caught at 1), which looks like is what is/was initially intended?, I expect the error would be reported to the user much earlier, directly as a response to the server create API call?
Yes, you are correct. The https:/