
A Private Droplet has no public network interface, so you can’t SSH to it directly. The standard way in is a bastion host (jump host): a small Droplet with a public IP, in the same VPC, that you connect through. To keep that path tight, you put a Cloud Firewall on each Droplet, one that only lets you reach the bastion, and one that only lets the bastion reach the Private Droplet.
This tutorial walks through all four pieces from scratch:
Once that’s done, you connect using the steps in How to Connect to a Private Droplet.
A Private Droplet has a single private network interface (eth0) and no public IPv4. A traditional Droplet has two interfaces, public eth0 and private eth1. The difference is structural, not a setting you toggle after the fact:
The design principle to internalize is that private stays private. There is no supported path to attach a public IP, Reserved IP, or BYOIP address later. That permanence is the feature. It makes the isolation claim defensible to an auditor.
Here is a diagram of the Private Droplet access path for ease of understanding:

The pattern is a private compute tier with three controlled edges: a bastion for human SSH access, a NAT gateway for outbound package/image pulls, and a load balancer for client ingress. The model server itself touches none of the public internet directly.

A Private Droplet’s defining property is that it has no public network interface, it cannot be reached from the internet directly, and there is no supported way to add a public IP to it later. That isolation is the reason to choose one, and also the source of every tradeoff below.
Good fits:
When a Private Droplet is the wrong tool:
Consequences to plan for:
Prerequisite: doctl installed and authenticated (doctl auth init). Upgrade doctl if --enable-public-networking is missing from doctl compute droplet create --help.

A Private Droplet is created by turning public networking off at creation time. This is permanent: you can't add public networking later, and you can't convert an existing Droplet into a Private Droplet.
Create it with doctl, placing it in your chosen VPC:
doctl compute droplet create private-app-01 \
--region sfo3 \
--size s-1vcpu-1gb \
--image ubuntu-24-04-x64 \
--vpc-uuid <your-vpc-uuid> \
--ssh-keys <your-ssh-key-fingerprint> \
--enable-public-networking=false
The --enable-public-networking=false flag is what makes the Droplet private (equivalent to "public_networking": false in the API).
After it’s created, record two values you’ll need later:
Its Droplet ID and its VPC IP, both shown by doctl compute droplet list --format ID,Name,PublicIPv4,PrivateIPv4. The VPC address is also available from the Droplet metadata path interfaces/private/0/ipv4/address. (A Private Droplet has only a VPC IP, no public IP.)

You can also create the Private Droplet using the Control Panel.
This will create a Private Droplet in the same VPC and region as the one you selected.

Next, you will create the bastion host.
The bastion is an ordinary Droplet with a public IP. The only hard requirement is that it sits in the same VPC and region as the Private Droplet, so it can reach it over the private network.
Using the Control Panel:
Name it bastion-Host1, and click Create Droplet.
When it finishes, note the bastion’s public IP and its Droplet ID (visible in the Droplet list).
doctl equivalent:
doctl compute droplet create bastion-01 \
--region sfo3 \
--size s-1vcpu-1gb \
--image ubuntu-24-04-x64 \
--vpc-uuid <same-vpc-uuid> \
--ssh-keys <your-ssh-key-fingerprint>
Note that there is no --enable-public-networking=false here, because the bastion needs its public IP.
DigitalOcean Cloud Firewalls deny everything that isn’t explicitly allowed: if there are no inbound rules, no inbound traffic is permitted. They are also stateful, so return traffic for an allowed connection is permitted automatically — you don’t need a matching outbound rule for SSH replies. (Cloud Firewalls are separate from any on-Droplet firewall like ufw.)
For the bastion, the only inbound you want is SSH from your own IP.
Using the Control Panel:
Name it bastion-ssh.
Inbound rules: allow SSH (TCP 22) only from your own public IP as a single-host /32 (for example 203.0.113.10/32). Remove the open defaults.
Apply it to the bastion (bastion-Host1).
Note: On the bastion's firewall (Firewall A), enter your own personal computer's public IP. This is the only place your laptop's IP goes. You're the one connecting to the bastion from the outside, so the bastion should accept SSH only from you.
If you are using a Mac (or any system with curl), you can use the command below to get your public/external IP address:
curl ifconfig.me

doctl equivalent:
doctl compute firewall create \
--name "bastion-ssh" \
--inbound-rules "protocol:tcp,ports:22,address:<your-ip>/32" \
--outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0" \
--droplet-ids <bastion-droplet-id>
For the Private Droplet, the only inbound you want is SSH from the bastion.
Using the Control Panel:
Name it private-droplet-ssh.
Inbound rules: allow SSH (TCP 22); in the Sources field, type the bastion's name (bastion-01) and select it. This restricts SSH to traffic coming from the bastion over the VPC.
Apply it to the Private Droplet (private-app-01).
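The two firewalls above are where a typo does the most damage: a /24 instead of a /32, or ports:all instead of ports:22, silently widens the only path in. The script below is an added example, not part of the DigitalOcean tutorial or of doctl: it composes the two inbound rule strings in the same key:value format the doctl command above uses, refuses anything broader than one host or one Droplet, and can audit a rule string pasted back from doctl output. It assumes doctl accepts droplet_id: as a rule source (check doctl compute firewall create --help on your version); the IP and Droplet IDs at the bottom are constructed sample values, and nothing is executed against your account, the doctl commands are only printed.

```shell
#!/bin/sh
# Added example: build and sanity-check Cloud Firewall rule strings for the
# you -> bastion -> Private Droplet path before passing them to doctl.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  ip="$1"; n=0; old_ifs=$IFS; IFS=.
  for o in $ip; do
    case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# Bastion inbound: SSH from exactly one host. Wildcards and wider prefixes are
# refused, so a slip cannot open port 22 to the internet.
bastion_inbound_rule() {
  src="$1"
  case "$src" in
    0.0.0.0/*|*/0) echo "refusing wildcard source: $src" >&2; return 1 ;;
    */32) ;;
    *) echo "bastion SSH source must be a single host (/32), got: $src" >&2; return 1 ;;
  esac
  valid_ipv4 "${src%/32}" || { echo "not a valid IPv4 address: $src" >&2; return 1; }
  printf 'protocol:tcp,ports:22,address:%s\n' "$src"
}

# Private Droplet inbound: SSH only from the bastion, referenced by Droplet ID
# (assumption: this doctl version accepts droplet_id: sources).
private_inbound_rule() {
  bastion_id="$1"
  case "$bastion_id" in
    ''|*[!0-9]*) echo "bastion Droplet ID must be numeric, got: $bastion_id" >&2; return 1 ;;
  esac
  printf 'protocol:tcp,ports:22,droplet_id:%s\n' "$bastion_id"
}

# Outbound: the tutorial's allow-all set (package pulls etc.). Replies to the
# allowed SSH sessions are covered by statefulness, not by these rules.
outbound_rules() {
  printf 'protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0\n'
}

# Audit one inbound rule string: 0 only for tcp/22 from a /32 host or a Droplet ID.
inbound_rule_is_tight() {
  rule="$1"; proto=""; ports=""; src=""; kind=""; old_ifs=$IFS; IFS=,
  for kv in $rule; do
    case "$kv" in
      protocol:*)   proto=${kv#protocol:} ;;
      ports:*)      ports=${kv#ports:} ;;
      address:*)    src=${kv#address:}; kind=address ;;
      droplet_id:*) src=${kv#droplet_id:}; kind=droplet ;;
      *) IFS=$old_ifs; return 1 ;;   # unknown key, do not guess
    esac
  done
  IFS=$old_ifs
  [ "$proto" = tcp ] && [ "$ports" = 22 ] || return 1
  case "$kind" in
    droplet) case "$src" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    address) case "$src" in */32) valid_ipv4 "${src%/32}" ;; *) return 1 ;; esac ;;
    *) return 1 ;;
  esac
}

# Print (never run) the two doctl commands for the given inputs.
print_plan() {
  my_ip="$1"; bastion_id="$2"; private_id="$3"
  b_in=$(bastion_inbound_rule "$my_ip") || return 1
  p_in=$(private_inbound_rule "$bastion_id") || return 1
  out=$(outbound_rules)
  printf 'doctl compute firewall create --name bastion-ssh --inbound-rules "%s" --outbound-rules "%s" --droplet-ids %s\n' "$b_in" "$out" "$bastion_id"
  printf 'doctl compute firewall create --name private-droplet-ssh --inbound-rules "%s" --outbound-rules "%s" --droplet-ids %s\n' "$p_in" "$out" "$private_id"
}

# Constructed sample values: a documentation-range IP and made-up Droplet IDs.
print_plan 203.0.113.10/32 111111 222222
```

Run it with your own values in place of the sample ones, then paste the inbound-rules string from doctl compute firewall get output into inbound_rule_is_tight after any later edit to confirm the path is still a single host and a single Droplet.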
Both Droplets now exist, they share a VPC, and the firewalls allow exactly one path in: your machine to the bastion, and the bastion to the Private Droplet. From here, follow the SSH steps in the official guide, How to Connect to a Private Droplet.
In short, you’ll use ssh -J (ProxyJump) to hop through the bastion to the Private Droplet’s VPC IP. Remember the default login user on most DigitalOcean images is root.
ssh -J <bastion-user>@<bastion-public-ip> <private-user>@<private-vpc-ip>
For example:
ssh -J root@203.0.113.20 root@10.116.0.2
You can find the Private Droplet’s VPC IP in the Control Panel under Networking > VPC.
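Typing the -J hop by hand every time invites pasting the wrong address into the wrong slot. The script below is an added example, not part of the tutorial: it generates an ssh_config block that declares the bastion once and makes the Private Droplet a ProxyJump target, and it checks that the target is a VPC (RFC 1918) address, since a Private Droplet has nothing else. The host aliases bastion and private-app, the key path ~/.ssh/id_ed25519, and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an ssh_config block for the bastion -> Private Droplet hop.
# Append the output to ~/.ssh/config, then "ssh private-app" does the whole jump.
# ProxyJump forwards a TCP connection through the bastion; the private key stays
# on your machine and no agent forwarding is needed.

# True if $1 falls in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 bastion public IP, $2 Private Droplet VPC IP, $3 login user (root on most
# DigitalOcean images). Writes the config block to stdout.
ssh_config_block() {
  bastion_ip="$1"; private_ip="$2"; user="${3:-root}"
  if ! is_rfc1918 "$private_ip"; then
    echo "refusing target $private_ip: a Private Droplet only has a VPC address" >&2
    return 1
  fi
  if is_rfc1918 "$bastion_ip"; then
    echo "bastion must be given by its public IP, got $bastion_ip" >&2
    return 1
  fi
  cat <<EOF
Host bastion
    HostName $bastion_ip
    User $user
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host private-app
    HostName $private_ip
    User $user
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# Constructed sample values: a documentation-range bastion IP and the tutorial's VPC IP.
ssh_config_block 203.0.113.20 10.116.0.2 root
```

With the block in place, ssh private-app is equivalent to the ssh -J command above; IdentitiesOnly keeps ssh from offering every key in your agent to the bastion, which also helps keep its auth log readable.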

And that's it! You have successfully created a Private Droplet and a bastion host with Cloud Firewalls. You can now connect to the Private Droplet using the bastion host as a jump host.
Make sure the following are true:
Cloud Firewalls are separate from any on-Droplet firewall (ufw, firewalld); if you run both, make sure their rules don't conflict.
Anish is a Sr Technical Content Strategist and Team Lead at DigitalOcean with 7+ years of experience as an SRE at Nutanix and Cloud consultant at AMEX, and technical writing at DOCN, and shipping deep infra and AI inference tutorials that help developers deploy production‑ready applications on DigitalOcean.