DigitalOcean Private Networking FAQ
Beginning in May of 2018, communication over DigitalOcean Private Network IPs will be isolated within the account or team where they were created. For most users, this security enhancement requires no action. All Droplets that were provisioned with Private Networking will continue to be able to communicate with the other Droplets within the same account or team.
However, if you have Droplets that communicate over private IPs with Droplets that belong to a different team or account, they will no longer be able to reach each other through the private IPs.
Combining Private Networking isolation with Cloud Firewalls, Let's Encrypt SSL Certificates for Load Balancers (coming soon), SSH keys, and 2FA provides the security you need to build scalable, robust, and secure production environments.
Frequently Asked Questions
What should I do if I'm communicating with other teams or accounts over the private network?
Once this change is in place, your Droplets won't be able to reach Droplets outside your account over the Private Network.
For example, let's say a user manages 2 accounts, Acme Inc and Beta Inc, and each has 2 Droplets in the same region. Acme uses private IPs 192.0.2.100 and 192.0.2.101. Beta uses 192.0.2.120 and 192.0.2.121. Acme's Droplet 192.0.2.100 (running a PHP application) currently reaches out to 192.0.2.120 (a MySQL database on Beta's account) over the private network.
Since these two Droplets are owned by different accounts, once this improvement is in place, they won't be able to reach each other over the private network: Acme-owned Droplets won't be able to access Beta's private IP addresses and vice versa.
This user has a few options to adjust their deployment:
- They can move the MySQL Droplet from the Beta account to the Acme account. This can be achieved with Droplet Snapshots or with your favorite config management tool.
- They can create a new Droplet under the Acme account for MySQL and replace the old IP address with the new one. Data transfers could be done by backup/restore of the database.
- They could replace the private IPs with the public IPs of the Beta Droplet they are trying to reach. This might require some application reconfiguration, and we strongly suggest using some type of firewall, like our managed and free Cloud Firewall, to restrict connections between those two Droplets. In this case, even though the connection is made over the public IP, the data does not leave our data centers: the traffic will never leave our region border router.
- Similar to the previous solution but recommended for those looking for extra security, they could set up a VPN between both accounts, creating a virtual private network between them. This would encapsulate the traffic and make sure it's encrypted end-to-end. We have several tutorials on the subject.
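Before picking one of the options above, it helps to know which connections will actually break. The following is an added example, not part of DigitalOcean's documentation or tooling: it takes a constructed Droplet inventory modelled on the Acme/Beta scenario and a constructed list of application connection targets, and flags every path that crosses an account boundary over a private IP. The inventory and dependency lists are assumptions standing in for whatever you would export from your own accounts.

```python
from typing import Dict, List, NamedTuple, Tuple


class Droplet(NamedTuple):
    name: str
    account: str
    private_ip: str
    public_ip: str


# Constructed inventory mirroring the FAQ's example (sample data, not real Droplets).
INVENTORY: List[Droplet] = [
    Droplet("acme-web",    "Acme Inc", "192.0.2.100", "203.0.113.10"),
    Droplet("acme-worker", "Acme Inc", "192.0.2.101", "203.0.113.11"),
    Droplet("beta-db",     "Beta Inc", "192.0.2.120", "203.0.113.20"),
    Droplet("beta-cache",  "Beta Inc", "192.0.2.121", "203.0.113.21"),
]

# Constructed (source Droplet, target host) pairs as they might appear in app configs.
DEPENDENCIES: List[Tuple[str, str]] = [
    ("acme-web",    "192.0.2.120"),   # PHP app -> MySQL on Beta: crosses accounts, will break
    ("acme-web",    "192.0.2.101"),   # same account: unaffected
    ("acme-worker", "203.0.113.20"),  # already on a public IP: unaffected by the isolation
]


def find_broken_paths(inventory: List[Droplet],
                      deps: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return each dependency that uses a private IP owned by a different account.

    Each result carries the public IP of the target so the operator can see what
    the 'switch to public IP plus firewall' option would look like for that path.
    """
    by_private_ip = {d.private_ip: d for d in inventory}
    by_name = {d.name: d for d in inventory}
    broken = []
    for src_name, target in deps:
        src = by_name[src_name]
        dst = by_private_ip.get(target)
        if dst is None:
            continue  # not a private IP in the inventory (public IP or external host)
        if dst.account != src.account:
            broken.append({
                "source": src.name,
                "target": dst.name,
                "private_ip": target,
                "public_ip": dst.public_ip,
                "firewall_hint": f"allow tcp from {src.public_ip} to {dst.name}:3306 only",
            })
    return broken


if __name__ == "__main__":
    for path in find_broken_paths(INVENTORY, DEPENDENCIES):
        print(path)
```

The firewall hint assumes the MySQL port from the FAQ's scenario; adjust the port and source to match the service you are actually exposing.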
What will change?
Private network communication will be restricted to resources inside a single account, increasing its security.
When will this change take place?
We have changed dates a few times and don't have a firm date yet. We will notify users in the affected data centers by email and on the dashboard before enabling the isolation.
Do I need to do anything if I don't use the private network to communicate with other accounts?
No, nothing will change for you. No action is required.
Will this change affect communication across regions?
No. Since the change only affects Private Networks, and those are restricted to a single region, it won't have any effect on cross-region communication.