
How To Enable DigitalOcean Private Networking on Existing Droplets

Updated March 14, 2018

Introduction

DigitalOcean offers shared private networking for Droplets in all data centers at no additional charge. When private networking is enabled as part of creating a Droplet, it is automatically configured. If it's not set up when the Droplet is created, it can be enabled manually.

In this article, we'll explain how to enable and manually configure private networking for Droplets that were created without private networking.

Step One — Powering Down the Droplet

In order to cleanly implement the private networking layer, the Droplet needs to be powered down briefly.

This can be done from the control panel, but since there is a risk of data corruption for servers with high activity or a high volume of write operations, we recommend powering down from the command line.

To do so, we'll connect to the Droplet as root or a user with sudo privileges. Be sure to substitute your information in the command below:

  • ssh sudo-user@your_droplet_ip_address

Once we've logged in, we'll issue the shutdown command:

  • shutdown -h now

After shutting down, we'll use the control panel to enable private networking.

Step Two — Enabling the Private Network

Once we've shut down the Droplet from the command line, we'll visit the control panel, locate the Droplet and click its name. Next, we'll select the Networking option in the Droplet's side navigation. Then, in the Private network section, we'll click Enable.


Note: If you've shut off your Droplet from the command line, you may still need to click the Power off button.

This configures the private network and assigns the private IP address. Once the Private IP address appears, we'll power the Droplet on by sliding the OFF button to ON.

We'll use this information in the next section, where we configure the private networking settings on the Droplet itself.

Step Three — Configuring the Network Interface on the Droplet

Once the Droplet is powered on, we'll reconnect using SSH to configure private networking on the Droplet:

  • ssh sudo-user@your_droplet_ip_address

The configuration settings are specific to the Droplet's operating system, which is displayed in the control panel beneath the Droplet name. Locate the appropriate directions for your Droplet below to continue.

Ubuntu 18.04

Once private networking is enabled and the Droplet is powered back on, the next step is to configure it. To do that, you'll use Netplan to define the network interface using the Droplet's private IP address and the MAC address for the Ethernet interface.

To get the MAC address, use lshw to list the details of your server's network-class hardware:

  • lshw -class network

Locate *-network:1 in the output. The serial value is the MAC address you need:

Output
. . .
  *-network:1
       description: Ethernet controller
       product: Virtio network device
       vendor: Red Hat, Inc
       physical id: 4
       bus info: pci@0000:00:04.0
       version: 00
       width: 32 bits
       clock: 33MHz
       capabilities: msix bus_master cap_list rom
       configuration: driver=virtio-pci latency=0
       resources: irq:11 ioport:c0e0(size=32) memory:fd093000-fd093fff memory:fd040000-fd07ffff
     *-virtio1 DISABLED
          description: Ethernet interface
          physical id: 0
          bus info: virtio@1
          logical name: ens4
          serial: ex:am:pl:e3:65:13
. . .

Copy the MAC address, then open the /etc/netplan/50-cloud-init.yaml file for editing. You can learn more about Netplan and the files in /etc/netplan in this section of What's New in Ubuntu 18.04.

  • sudo nano /etc/netplan/50-cloud-init.yaml

At the bottom of the file, add the following stanza. Replace the addresses value with the private IP address visible in the DigitalOcean Control Panel, and replace the macaddress value with the MAC address you found with lshw.

/etc/netplan/50-cloud-init.yaml
        eth1:
            addresses:
            - 192.0.2.21/16
            match:
                macaddress: ex:am:pl:e3:65:13
            set-name: eth1

Save and close the file.

Errors in your syntax can disrupt your networking and force you to use the DigitalOcean Control Panel console to restore connectivity, so check the file's syntax before you apply the changes.

  • sudo netplan apply --debug

If there's an error in the file, it will be printed to the screen. Once the syntax is correct, the command will return you to the prompt with no output and you can apply your changes:

  • sudo netplan apply

When this command is successful, it doesn't return output. From here, proceed to the final step to verify the configuration.
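A mistyped address or a placeholder left in place is the usual way this stanza goes wrong. The following is an added example, not part of the original tutorial: a shell function that validates the private IP and MAC address before printing the stanza in the layout shown above. The names valid_mac, valid_ipv4 and netplan_eth1_stanza are hypothetical.

```shell
# Added example: build the eth1 Netplan stanza from validated inputs.
# Function names are hypothetical; the stanza layout and the /16 prefix
# are the ones shown in this tutorial.

# Succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Print the stanza, indented as in 50-cloud-init.yaml above.
# usage: netplan_eth1_stanza PRIVATE_IP MAC
netplan_eth1_stanza() {
    ip=$1; mac=$2
    valid_ipv4 "$ip" || { echo "invalid private IP: $ip" >&2; return 1; }
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    # Lower-case the MAC so it matches the form lshw prints.
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    cat <<EOF
        eth1:
            addresses:
            - $ip/16
            match:
                macaddress: $mac
            set-name: eth1
EOF
}
```

Called with the tutorial's placeholder MAC (ex:am:pl:e3:65:13), the function refuses to print anything, which catches a value that was never replaced.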

Ubuntu 16.04

Once private networking is enabled and the Droplet is powered back on, it's ready to be configured. On Ubuntu 16.04, begin by disabling consistent network device naming. This ensures that the eth0 interface will be used for public traffic and the eth1 interface will be used for private traffic.

We'll open the 50-cloudimg-settings.cfg file in an editor with sudo privileges:

  • sudo nano /etc/default/grub.d/50-cloudimg-settings.cfg

We'll edit the GRUB_CMDLINE_LINUX_DEFAULT setting. At the end of the line, within the quotations, we'll add net.ifnames=0. The edited line should look like this:

/etc/default/grub.d/50-cloudimg-settings.cfg
. . .
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0 net.ifnames=0"
. . .

When we're done, we'll save and close the file, then update GRUB with the new settings:

  • sudo update-grub

When the command returns done, we'll reboot the Droplet:

  • sudo reboot

After the Droplet finishes rebooting, we'll reconnect with SSH, then open the network configuration file, 50-cloud-init.cfg:

  • sudo nano /etc/network/interfaces.d/50-cloud-init.cfg

At the bottom of the file, we'll add a new section. Be sure to substitute the Private IP from the Private network section of the Droplet's Networking tab, followed by the netmask's value in slash notation:

auto eth1
iface eth1 inet static
        address Droplet_Private_IP/16

Save and close the file, then restart networking, which will check the configuration for errors and load the network interface:

  • sudo systemctl restart networking

When this command is successful, it doesn't return output. From here, proceed to the final step to verify the configuration.

Ubuntu 14.04 & Debian

Once a private IP address has been allocated and the Droplet is powered on, it's ready to be configured. On Ubuntu 14.04 or Debian, we'll open the network interfaces file:

  • sudo nano /etc/network/interfaces

We'll add the following section to the bottom of the file, substituting the Private IP displayed on the Droplet's Networking tab for the Droplet_Private_IP highlighted below:

auto eth1
iface eth1 inet static
        address Droplet_Private_IP
        netmask 255.255.0.0     

When we're done, we'll save and close the file, then use ifup to bring up the interface:

  • sudo ifup eth1

When the command is successful, it doesn't return output. We'll proceed to the final step to verify the configuration.

CentOS & Fedora

Once a private IP address has been allocated and the Droplet is powered on, it's ready to be configured. On CentOS and Fedora, we'll begin by getting the hardware address for eth1 with the ifconfig command.

  • sudo ifconfig -a

The output will vary depending on the distribution:

CentOS 7 and Fedora
Use the value of ether in the eth1 section:

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)
. . .

CentOS 6
Use the value of HWaddr in the eth1 section:

eth1      Link encap:Ethernet  HWaddr 12:23:34:45:56:67
          BROADCAST MULTICAST  MTU:1500  Metric:1
. . .

Next, we will open a new file in the interface configuration directory:

  • sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1

Here, we'll enter the content below, substituting the values for the specific Droplet. HWADDR is the value from the ifconfig output, while the IPADDR value is displayed on the Droplet's Networking tab in the Private network section.

DEVICE="eth1"
HWADDR=info_from_ifconfig
IPADDR=Droplet_Private_IP
BOOTPROTO=none
ONBOOT="yes"
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
IPV6INIT="no"
DEFROUTE="no"

When we're done, we'll press ESC, type :x, then press ENTER to save and exit the file.

We'll use ifup to bring up the network interface we just defined:

  • ifup eth1

When the command is successful, it doesn't return output. We'll proceed to the final step to verify the configuration.

FreeBSD

From the Droplet's command line, open /etc/rc.conf as the root or sudo user:

  • sudo vim /etc/rc.conf

In the file, locate the lines below:

/etc/rc.conf
. . .
# DigitalOcean Dynamic Configuration lines and the immediate line below it,
# are removed each boot.
. . .

Directly above those lines, add the ifconfig_vtnet1 line shown below, being sure to substitute the Private IP located on the Droplet's Networking page for Droplet_Private_IP:

/etc/rc.conf

. . .
ifconfig_vtnet1="inet Droplet_Private_IP netmask 255.255.0.0"

# DigitalOcean Dynamic Configuration lines and the immediate line below it,
# are removed each boot.
. . .

When we're done, we'll press ESC, type :x and press ENTER to save and exit the file.

Finally, restart networking with /etc/netstart, which will verify the syntax of the changes and apply them:

  • /etc/netstart

When the interface has been successfully enabled, the output should contain a vtnet1 section with the private IP address. Next, we'll proceed to the final step to verify the configuration.

Step Four — Verifying the Configuration

The output of ifconfig lets us see that we've successfully enabled the new interface:

  • sudo ifconfig

The output should contain a section for the interface that includes the private IP address and shows the status as UP and RUNNING, highlighted in the examples below:

Linux Distros: Ubuntu, Debian, CentOS, Fedora
On Linux distributions, we're looking for the eth1 section:

Output
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.0.0  broadcast 192.0.2.255
        inet6 xxxx::xxxx:xxxx:xxxx:xxx  prefixlen 64  scopeid 0x20<link>
        ether 12:34:46:78:98:10  txqueuelen 1000  (Ethernet)
        RX packets 258  bytes 13872 (13.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146  bytes 10640 (10.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

FreeBSD
On FreeBSD, we're looking for the vtnet1 section:

Output
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 12:34:46:78:98:10
        hwaddr 12:34:46:78:98:10
        inet6 xxxx::xxxx:xxxx:xxxx:xxx%vtnet1 prefixlen 64 scopeid 0x2
        inet 192.0.2.10 netmask 0xffff0000 broadcast 192.0.2.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active

To fully test that the network is configured, you will need to test communication between two Droplets on the private network. To do this, SSH to the first Droplet, then issue the ping command to the private IP address of a second Droplet on the private network:

  • ping Second_Droplet_Private_IP
Output
PING Second_Droplet_Private_IP (Second_Droplet_Private_IP) 56(84) bytes of data.
64 bytes from Second_Droplet_Private_IP: icmp_seq=1 ttl=64 time=3.80 ms
64 bytes from Second_Droplet_Private_IP: icmp_seq=2 ttl=64 time=0.707 ms
64 bytes from Second_Droplet_Private_IP: icmp_seq=3 ttl=64 time=0.517 ms

Output similar to the example above confirms the private networking is properly configured and working as expected.
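The interface check in this step can be scripted. This added example, not part of the original tutorial, reads ifconfig output and confirms that the named interface is UP, RUNNING and carries the expected private address; it goes beyond the output shown above by also accepting the older CentOS 6 layout. The helper name iface_ready and both sample blocks are constructed for illustration.

```shell
# Added example. iface_ready is a hypothetical helper, not a DigitalOcean tool.
# usage: ifconfig -a | iface_ready eth1 192.0.2.10   (exit status 0 = ready)
iface_ready() {
    awk -v ifc="$1" -v ip="$2" '
        # An unindented line opens a new interface block.
        /^[^ \t]/ { name = $1; sub(/:$/, "", name); cur = (name == ifc) }
        # Flags: "flags=4163<UP,...,RUNNING,...>" or "UP ... RUNNING  MTU:1500"
        cur && /flags=|MTU:/ {
            line = $0; gsub(/[<>,]/, " ", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) {
                if (f[i] == "UP") up = 1
                if (f[i] == "RUNNING") running = 1
            }
        }
        # Address: "inet 192.0.2.10" (newer) or "inet addr:192.0.2.10" (older)
        cur {
            for (i = 1; i < NF; i++)
                if ($i == "inet" && ($(i+1) == ip || $(i+1) == ("addr:" ip))) addr = 1
        }
        END {
            if (!up)      print ifc ": not UP"
            if (!running) print ifc ": not RUNNING"
            if (!addr)    print ifc ": " ip " not assigned"
            exit !(up && running && addr)
        }'
}

# Constructed sample: eth1 configured and up (newer ifconfig layout).
sample_ready() {
    cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.5  netmask 255.255.240.0  broadcast 203.0.113.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.0.0  broadcast 192.0.2.255
EOF
}

# Constructed sample: eth1 present but never brought up (CentOS 6 layout).
sample_down() {
    cat <<'EOF'
eth1      Link encap:Ethernet  HWaddr 12:23:34:45:56:67
          BROADCAST MULTICAST  MTU:1500  Metric:1
EOF
}
```

The address is compared as a whole string, so 192.0.2.1 is not mistaken for 192.0.2.10.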

Next Steps

In this article, we showed how to manually enable private networking on Droplets on Ubuntu 16.04, Ubuntu 14.04, Debian, CentOS, Fedora, and FreeBSD.
