How to Enable Private Networking on Existing Droplets

You can enable private networking on a Droplet when you create it or after creation.

If you enable private networking when a Droplet is created, all the related configuration will be done for you. We recommend this option because it’s faster and simpler, and there’s no chance to make manual configuration errors.

You can still enable private networking on an existing Droplet. To do so, you’ll need to power down the Droplet, enable private networking in the Control Panel, and then configure the interface on the Droplet itself.

Enable Private Networking During Droplet Creation

To create a Droplet with private networking enabled, open the Create menu from your DigitalOcean Control Panel and select Droplets.

This takes you to the Create Droplet page. In the Additional Options section, check Private networking.

When you’ve selected all your options, click the Create button at the bottom.

Once the Droplet is created, its private IP address is displayed in the header. You can also click the Droplet’s name, then visit its Networking link in the side navigation to view more private network information.

At this point, you’re ready to use your new address.

Enable Private Networking on Existing Droplets

Your Droplet needs to be powered down to enable private networking. The safest way to do this is by logging into your Droplet and using the shutdown command with the -h flag:

sudo shutdown -h now

Once the Droplet is off, the next step is to enable private networking from the Control Panel. This will give you the address information you need to then configure it on the Droplet itself.

On the Droplets page, click the name of the Droplet, then select Networking from the side navigation. In the Private network section, click the Enable button.

The page will update automatically and list the private network information assigned to the Droplet. When you’re done, click the OFF button to switch the Droplet back ON.

You’ll know the Droplet is booted when the switch turns green and the label says ON.

When you enable private networking after the Droplet is created, you need to manually configure the private networking on the Droplet itself. How you do this depends on which Linux distribution your Droplet is running.

Manually Configure the Private Network

Ubuntu 18.04

Once private networking is enabled and the Droplet is powered back on, the next step is to configure it. To do that, you’ll use Netplan to define the network interface using the Droplet’s private IP address and the MAC address for the Ethernet interface.

To get the MAC address, use lshw to list the details of your server’s network-class hardware.

lshw -class network

Locate *-network:1 in the output. The serial value is the MAC address you need.

 . . .
 *-network:1
       description: Ethernet controller
       product: Virtio network device
       vendor: Red Hat, Inc
       physical id: 4
       bus info: pci@0000:00:04.0
       version: 00
       width: 32 bits
       clock: 33MHz
       capabilities: msix bus_master cap_list rom
       configuration: driver=virtio-pci latency=0
       resources: irq:11 ioport:c0e0(size=32) memory:fd093000-fd093fff memory:fd040000-fd07ffff
     *-virtio1 DISABLED
          description: Ethernet interface
          physical id: 0
          bus info: virtio@1
          logical name: ens4
          serial: ex:am:pl:e3:65:13
. . .

Copy the MAC address, then open the /etc/netplan/50-cloud-init.yaml file for editing. You can learn more about Netplan and the files in /etc/netplan in this section of What’s New in Ubuntu 18.04.

sudo nano /etc/netplan/50-cloud-init.yaml

At the bottom of the file, add the following stanza. Replace the addresses value with the private IP address visible in the DigitalOcean Control Panel, and replace the macaddress value with the MAC address you found with lshw.

        eth1:
            addresses:
            - 198.51.100.0/16
            match:
                macaddress: ex:am:pl:e3:65:13
            set-name: eth1

Save and close the file.

Errors in your syntax can disrupt your networking and force you to use the DigitalOcean Control Panel console to restore connectivity, so check the file’s syntax before you apply the changes.

sudo netplan apply --debug

If there’s an error in the file, it will be printed to the screen. Once the syntax is correct, the command will return you to the prompt with no output and you can apply your changes:

sudo netplan apply
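
Mistyped MAC or address values are the manual configuration errors this procedure is exposed to. The script below is an added example, not part of DigitalOcean's instructions: it reads the MAC from lshw output, validates both values, and prints the stanza with the indentation shown above. The function names and the sample lshw text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DigitalOcean's code. The lshw text below is constructed.
sample_lshw() {
    cat <<'EOF'
  *-network:0
       description: Ethernet controller
     *-virtio0
          logical name: eth0
          serial: 02:00:00:aa:bb:01
  *-network:1
       description: Ethernet controller
     *-virtio1 DISABLED
          logical name: ens4
          serial: 02:00:00:e3:65:13
EOF
}

# Read `lshw -class network` output on stdin; print the serial under *-network:1.
mac_from_lshw() {
    awk 'index($1, "*-network") == 1 { in_dev = ($1 == "*-network:1") }
         in_dev && $1 == "serial:"   { print $2; exit }'
}

# Six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Dotted-quad IPv4 plus prefix length, with range checks on every number.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' '{
        for (i = 1; i <= 4; i++) if ($i > 255) exit 1
        if ($5 > 32) exit 1
    }'
}

# Print the stanza with this page's indentation; return 1 on invalid input.
render_eth1_stanza() {
    is_mac "$1" || { echo "invalid MAC address: $1" >&2; return 1; }
    is_ipv4_cidr "$2" || { echo "invalid address/prefix: $2" >&2; return 1; }
    printf '        eth1:\n            addresses:\n            - %s\n' "$2"
    printf '            match:\n                macaddress: %s\n' "$1"
    printf '            set-name: eth1\n'
}

render_eth1_stanza "$(sample_lshw | mac_from_lshw)" 198.51.100.0/16
```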

Ubuntu 16.04

First, you need to disable consistent network device naming. This ensures that the eth0 interface will be used for public traffic and the eth1 interface will be used for private traffic.

Open the 50-cloudimg-settings.cfg file with sudo privileges.

sudo nano /etc/default/grub.d/50-cloudimg-settings.cfg

Edit the GRUB_CMDLINE_LINUX_DEFAULT setting. At the end of the line, within the quotations, we’ll add net.ifnames=0. The edited line should look like this:

. . .
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0 net.ifnames=0"
. . .

Save and close the file, then update GRUB with the new settings and reboot the Droplet.

sudo update-grub
sudo reboot

After the Droplet finishes rebooting, reconnect with SSH and open the network configuration file, 50-cloud-init.cfg.

sudo nano /etc/network/interfaces.d/50-cloud-init.cfg

At the bottom of the file, add a new section to define the interface for the private network. Substitute in the private IP from the Droplet’s Networking tab in the Private network section, followed by the netmask’s value in slash notation.

auto eth1
iface eth1 inet static
        address 198.51.100.0/16

Save and close the file, then restart networking, which will check the configuration for errors and load the network interface.

sudo systemctl restart networking

When the command is successful, it doesn’t return output.

Ubuntu 14.04 & Debian

First, open the network interfaces configuration file.

sudo nano /etc/network/interfaces

At the bottom of the file, add a new section to define the interface for the private network. Substitute in the private IP from the Droplet’s Networking tab in the Private network section, followed by the netmask’s value in slash notation.

auto eth1
iface eth1 inet static
        address 198.51.100.0
        netmask 255.255.0.0

Save and close the file, then use ifup to bring up the interface.

sudo ifup eth1

When the command is successful, it doesn’t return output.

CentOS & Fedora

First, find the hardware address for eth1 with ifconfig.

sudo ifconfig -a

The output will vary depending on the distribution.

On CentOS 7 and Fedora, use the value of ether in the eth1 section:

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)

On CentOS 6, use the value of HWaddr in the eth1 section:

eth1      Link encap:Ethernet  HWaddr 12:23:34:45:56:67
          BROADCAST MULTICAST  MTU:1500  Metric:1

Next, create a new file in the interface configuration directory.

sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1

Enter the content below, substituting the values for the specific Droplet. HWADDR is the value from the ifconfig output, and the IPADDR value is displayed on the Droplet’s Networking tab in the Private network section.

DEVICE="eth1"
HWADDR=info_from_ifconfig
IPADDR=198.51.100.0
BOOTPROTO=none
ONBOOT="yes"
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
IPV6INIT="no"
DEFROUTE="no"

Save and close the file, then use ifup to bring up the new network interface.

ifup eth1

When the command is successful, it doesn’t return output.

FreeBSD

Open /etc/rc.conf as the root or sudo user.

sudo vim /etc/rc.conf

In the file, locate the comment that reads # DigitalOcean Dynamic Configuration lines and the immediate line below it, are removed each boot. Directly above that comment, add the following line, substituting in the private IP from the Droplet’s Networking tab in the Private network section. The file should look like this:

ifconfig_vtnet1="inet 198.51.100.0 netmask 255.255.0.0"

# DigitalOcean Dynamic Configuration lines and the immediate line below it,
# are removed each boot.
. . .

Save and close the file, then restart networking, which will verify the syntax of the changes and apply them.

/etc/netstart

When the interface has been successfully enabled, the output should contain a vtnet1 section with the private IP address.

Verify the Configuration

You can verify the configuration with ifconfig.

sudo ifconfig

The output should contain a section for the interface that includes the private IP address and shows the status as UP and RUNNING.

On Linux distributions (like Ubuntu, Debian, CentOS, and Fedora), look for the eth1 section:

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.0  netmask 255.255.0.0  broadcast 192.0.2.255
        inet6 xxxx::xxxx:xxxx:xxxx:xxx  prefixlen 64  scopeid 0x20<link>
        ether 12:34:46:78:98:10  txqueuelen 1000  (Ethernet)
        RX packets 258  bytes 13872 (13.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146  bytes 10640 (10.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On FreeBSD, look for the vtnet1 section:

vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 12:34:46:78:98:10
        hwaddr 12:34:46:78:98:10
        inet6 xxxx::xxxx:xxxx:xxxx:xxx%vtnet1 prefixlen 64 scopeid 0x2
        inet 198.51.100.0 netmask 0xffff0000 broadcast 192.0.2.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active

To fully test that the network is configured, try pinging the newly-enabled Droplet from a second Droplet on the private network.
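
The visual check of the ifconfig output can be scripted. The function below is an added example, not DigitalOcean's code: it confirms that the named interface is UP and RUNNING and that the private address sits on that interface rather than another one. It handles the two output formats shown in this section; the function name, exit codes, and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DigitalOcean's code. Sample output below is constructed.
sample_linux() {
    cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.10  netmask 255.255.240.0  broadcast 203.0.113.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.0  netmask 255.255.0.0  broadcast 192.0.2.255
EOF
}
sample_freebsd() {
    cat <<'EOF'
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 12:34:46:78:98:10
        inet 198.51.100.0 netmask 0xffff0000 broadcast 192.0.2.255
EOF
}
sample_down() {
    cat <<'EOF'
eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)
EOF
}

# Usage: ifconfig | check_private_if IFACE EXPECTED_IP
# Exit status: 0 = ok, 1 = interface absent, 2 = not UP and RUNNING,
# 3 = expected address not on that interface.
check_private_if() {
    awk -v ifname="$1" -v want="$2" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # header line starts a block
        cur != ifname { next }                        # ignore other interfaces
        /flags=/ {
            seen = 1
            flags = $0; sub(/^[^<]*</, "", flags); sub(/>.*/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) {
                if (f[i] == "UP") up = 1
                if (f[i] == "RUNNING") running = 1
            }
        }
        $1 == "inet" && $2 == want { addr = 1 }       # exact field match
        END {
            if (!seen) exit 1
            if (!(up && running)) exit 2
            if (!addr) exit 3
        }
    '
}

sample_linux | check_private_if eth1 198.51.100.0 && echo "eth1 OK"
```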