I assume the most common case: You are using tenant networks. This means that instances are attached to Neutron's virtual networks. These virtual networks are then attached to a router, which connects them to a Neutron external network. This external network corresponds to a physical network or VLAN in the datacenter.

Instances have IP addresses that are normally not accessible from outside. To access an instance from outside, you associate a floating IP with it. This is an address from the physical network to which the cloud is connected. The above-mentioned router performs DNAT to translate the floating IP to the instance's internal address.

If the physical network is an intranet, the floating IP is obviously an intranet address. If you also want this instance to be accessible from the internet, you will have to put a mechanism in place to translate an internet address to the floating IP. This is done outside of the cloud.

You can't access the instance via its internal IP because there is no route to it, which is the usual case, as said above. In order to help you create a route, I would have to know details of your physical networking and of the Neutron networking configuration. Since I am far from being a networking expert, it is likely that you will have to talk to somebody else though.
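An added example, not part of the original answer: a small audit script that lists which internal addresses a router exposes through floating IPs and models why only the floating IP is reachable from the physical network. It assumes the iptables-based Neutron L3 agent (rules as `iptables -t nat -S` prints them inside the router namespace); the rule lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a router namespace's NAT rules (assumption: the
# iptables-based L3 agent; other backends such as OVN do not use these rules).
SAMPLE_RULES = """\
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.100.23/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-PREROUTING -d 192.168.100.24/32 -j DNAT --to-destination 10.0.0.9
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 192.168.100.23
-A neutron-l3-agent-float-snat -s 10.0.0.9/32 -j SNAT --to-source 192.168.100.24
-A neutron-l3-agent-snat -o qg-+ -j SNAT --to-source 192.168.100.2
"""

# Inbound floating-IP rule: destination /32 rewritten to the instance address.
DNAT_RE = re.compile(
    r"^-A neutron-l3-agent-PREROUTING -d (?P<fip>[\d.]+)/32 "
    r".*-j DNAT --to-destination (?P<fixed>[\d.]+)$"
)


def parse_floating_ips(rules):
    """Return {floating_ip: fixed_ip} from the router's inbound DNAT rules."""
    mapping = {}
    for line in rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            mapping[ipaddress.ip_address(m["fip"])] = ipaddress.ip_address(m["fixed"])
    return mapping


def deliver_from_outside(dst, mapping, external_net):
    """Fixed IP that a packet sent from the physical network to dst reaches.

    Returns None when the packet never reaches an instance.
    """
    dst = ipaddress.ip_address(dst)
    if dst not in ipaddress.ip_network(external_net):
        return None  # outside hosts have no route to tenant subnets
    return mapping.get(dst)  # None: on the external net but no DNAT rule


if __name__ == "__main__":
    fips = parse_floating_ips(SAMPLE_RULES)
    for fip, fixed in sorted(fips.items()):
        print(f"exposed: {fip} -> {fixed}")
    for dst in ("192.168.100.23", "10.0.0.5", "192.168.100.99"):
        print(dst, "=>", deliver_from_outside(dst, fips, "192.168.100.0/24"))
```

Every address in the parsed mapping is reachable from the physical network, so this list is the one to compare against the instances you intend to expose.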