How to Enable Private Networking on Droplets

Private networking creates a second network interface for Droplets that can only be accessed by the other Droplets and DigitalOcean Load Balancers in the same account or team. The private network is unreachable from the internet and traffic on it doesn't count against bandwidth usage.

You can enable private networking on a Droplet when you create it or after creation.

If you enable private networking during Droplet creation, all the related configuration is done automatically. We recommend this option because it's faster and avoids manual configuration errors.

You can still enable private networking on an existing Droplet by manually configuring the interface.

Note
We do not support private networking between Droplets in different datacenter regions.

Enable Private Networking During Droplet Creation

To create a Droplet with private networking enabled, open the Create menu from your DigitalOcean Control Panel and select Droplets.

The Droplet create page

This takes you to the Create Droplet page. In the Additional Options section, check Private networking. When you've selected all your options, click the Create button at the bottom.

Once the Droplet is created, its private IP address is displayed in the header. You can also click the Droplet's name, then click Networking in the side navigation to view more private network information.

At this point, you're ready to use your new address.

Enable Private Networking on Existing Droplets

Your Droplet needs to be powered down to enable private networking. The safest way to do this is by logging into your Droplet and using the shutdown command with the -h flag:

sudo shutdown -h now

Once the Droplet is off, the next step is to enable private networking from the control panel. This gives you the address information you need to then configure it on the Droplet itself.

On the Droplets page, click the name of the Droplet, then select Networking from the side navigation. In the Private network section, click the Enable button.

The Droplet Networking page with the private networking enable button highlighted

The page updates automatically and lists the private network information assigned to the Droplet. When you're done, click the OFF button to switch the Droplet back ON.

Powering on the Droplet by clicking the On/Off switch in the control panel

You'll know the Droplet is booted when the switch turns green and the label says ON.

Network Configuration by Operating System

When you enable private networking after the Droplet is created, you need to manually configure the private networking on the Droplet itself. How you do this depends on which Linux distribution your Droplet is running.

On Ubuntu 18.04, you need to use Netplan to define the network interface using the Droplet's private IP address and the MAC address for the Ethernet interface. You can learn more about Netplan and the files in /etc/netplan in this section of What's New in Ubuntu 18.04.

To get the MAC address, use lshw to list the details of your server's network-class hardware.

lshw -class network

Locate *-network:1 in the output. The serial value is the MAC address you need.

  
    
. . .
*-network:1
    description: Ethernet controller
    . . .
    *-virtio1 DISABLED
        description: Ethernet interface
        physical id: 0
        bus info: virtio@1
        logical name: ens4
        serial: ex:am:pl:e3:65:13
. . .

  

At the bottom of /etc/netplan/50-cloud-init.yaml, add the following stanza.

  
    
        eth1:
            addresses:
            - 198.51.100.0/16
            match:
                macaddress: ex:am:pl:e3:65:13
            set-name: eth1

  

Replace the addresses value with the private IP address of the Droplet followed by the /16 subnet prefix. Replace the macaddress value with the MAC address you found with lshw.

Errors in your syntax can disrupt your networking and force you to use the Droplet console to restore connectivity, so check the file's syntax before you apply the changes.

sudo netplan apply --debug

If there's an error in the file, it will be printed to the screen. When the syntax is correct, the command will return you to the prompt with no output and apply the changes.

Reboot the server one more time for the changes to take effect, and to verify that the configuration remains after the system is restarted:

sudo reboot
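
The MAC lookup and stanza steps above can be scripted so the address is copied by the machine rather than retyped, which removes the most common source of a broken Netplan file. This is an added example, not part of the original guide; the function names, the sample lshw text and the 10.132.0.5 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not DigitalOcean's code): build the eth1 Netplan stanza from
# `lshw -class network` output instead of copying the MAC address by hand.

# Print the serial (MAC) of the interface whose logical name is $1.
# lshw text is read on stdin; the exit status is non-zero if nothing matches.
mac_for_iface() {
    awk -v want="$1" '
        $1 ~ /^\*-/                       { name = "" }   # new hardware node
        $1 == "logical" && $2 == "name:"  { name = $3 }
        $1 == "serial:" && name == want   { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Print the stanza for private IP $1 (without prefix) and MAC $2. Anything that
# is not a dotted-quad address or a six-octet hex MAC is rejected, so a
# placeholder such as ex:am:pl:e3:65:13 never reaches the YAML file.
netplan_stanza() {
    _ip=$1 _mac=$2
    printf '%s\n' "$_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad IP: $_ip" >&2; return 1; }
    printf '%s\n' "$_mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
        { echo "bad MAC: $_mac" >&2; return 1; }
    printf '        eth1:\n            addresses:\n            - %s/16\n' "$_ip"
    printf '            match:\n                macaddress: %s\n' "$_mac"
    printf '            set-name: eth1\n'
}

# Constructed sample of `lshw -class network` output (all values made up).
SAMPLE_LSHW='  *-network:0
       description: Ethernet controller
     *-virtio0
          logical name: ens3
          serial: 02:00:00:aa:bb:01
  *-network:1
       description: Ethernet controller
     *-virtio1 DISABLED
          description: Ethernet interface
          logical name: ens4
          serial: 02:00:00:aa:bb:02'

# 10.132.0.5 is a constructed private address; use the one from the Networking tab.
mac=$(printf '%s\n' "$SAMPLE_LSHW" | mac_for_iface ens4) &&
    netplan_stanza 10.132.0.5 "$mac"
```

On the Droplet itself, pipe the real output in with `lshw -class network | mac_for_iface ens4`, using the logical name shown under *-network:1.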

On Ubuntu 16.04, you need to disable consistent network device naming. This ensures that the eth0 interface is used for public traffic and the eth1 interface is used for private traffic.

Open /etc/default/grub.d/50-cloudimg-settings.cfg and edit the GRUB_CMDLINE_LINUX_DEFAULT setting. At the end of the line, within the quotation marks, add net.ifnames=0:

  
    
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0 net.ifnames=0"

  

Save and close the file, then update GRUB with the new settings and reboot the Droplet.

sudo update-grub
sudo reboot

After the Droplet finishes rebooting, reconnect with SSH. In the network configuration file /etc/network/interfaces.d/50-cloud-init.cfg, add a new section at the bottom to define the interface for the private network. Substitute in the private IP from the Droplet's Networking tab in the Private network section, followed by the netmask's value in CIDR notation.

  
    
auto eth1
iface eth1 inet static
        address 198.51.100.0/16

  

Save and close the file, then restart networking, which checks the configuration for errors and loads the network interface.

sudo systemctl restart networking

When the command is successful, it doesn't return output.

Warning
Standard support for Ubuntu 14.04 LTS ended in April 2019. Because this distribution has reached end of life, we recommend migrating to a newer release so your Droplets remain supported and secure.

On Debian and Ubuntu 14.04, you need to edit the network interfaces configuration file, /etc/network/interfaces.

At the bottom of the file, add a new section to define the interface for the private network. Substitute in the private IP from the Droplet's Networking tab in the Private network section, followed by the netmask's value in slash notation.

  
    
auto eth1
iface eth1 inet static
        address 198.51.100.0/16

  

Save and close the file, then use ifup to bring up the interface.

sudo ifup eth1

When the command is successful, it doesn't return output.

On CentOS and Fedora, get the hardware address for eth1 with ifconfig.

sudo ifconfig -a

On CentOS 7 and Fedora, use the ether value in the eth1 section:

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)

On CentOS 6, use the value of HWaddr in the eth1 section:

eth1      Link encap:Ethernet  HWaddr 12:23:34:45:56:67
        BROADCAST MULTICAST  MTU:1500  Metric:1

Next, create and open a new file in the interface configuration directory called /etc/sysconfig/network-scripts/ifcfg-eth1.

Enter the content below, substituting the values for the specific Droplet. HWADDR is the value from the ifconfig output, and the IPADDR value is displayed on the Droplet's Networking tab in the Private network section.

  
    
DEVICE="eth1"
HWADDR=info_from_ifconfig
IPADDR=198.51.100.0
BOOTPROTO=none
ONBOOT="yes"
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
IPV6INIT="no"
DEFROUTE="no"

  

Save and close the file, then use ifup to bring up the new network interface.

ifup eth1

When the command is successful, it doesn't return output.

On FreeBSD, you need to edit /etc/rc.conf.

In this file, locate the line which reads # DigitalOcean Dynamic Configuration lines and the immediate line below it, are removed each boot. Directly above that comment, add the following line, substituting in the private IP from the Droplet's Networking tab in the Private network section. The file should look like this:

  
    
ifconfig_vtnet1="inet 198.51.100.0 netmask 255.255.0.0"

# DigitalOcean Dynamic Configuration lines and the immediate line below it,
# are removed each boot.

  

Save and close the file, then restart networking, which verifies the syntax of the changes and applies them.

sudo /etc/netstart

When the interface is successfully enabled, the output contains a vtnet1 section with the private IP address.

Verify the Configuration

You can verify the private network configuration with ifconfig.

sudo ifconfig

The output should contain a section for the interface that includes the private IP address and shows the status as UP and RUNNING.

On Linux distributions (like Ubuntu, Debian, CentOS, and Fedora), look for the eth1 section:

  
    
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.0  netmask 255.255.0.0  broadcast 192.0.2.255
        inet6 xxxx::xxxx:xxxx:xxxx:xxx  prefixlen 64  scopeid 0x20
        ether 12:34:46:78:98:10  txqueuelen 1000  (Ethernet)
        RX packets 258  bytes 13872 (13.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146  bytes 10640 (10.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  

On FreeBSD, look for the vtnet1 section:

  
    
vtnet1: flags=8843 metric 0 mtu 1500
        options=6c07bb
        ether 12:34:46:78:98:10
        hwaddr 12:34:46:78:98:10
        inet6 xxxx::xxxx:xxxx:xxxx:xxx%vtnet1 prefixlen 64 scopeid 0x2
        inet 198.51.100.0 netmask 0xffff0000 broadcast 192.0.2.255
        nd6 options=21
        media: Ethernet 10Gbase-T 
        status: active

  

To fully test that the network is configured, try pinging the newly-enabled Droplet from a second Droplet on the private network.
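
The ifconfig check described in this section can be run as a script that tells apart the three ways the interface can be wrong: absent, present but not UP and RUNNING, or up without the expected private address. This is an added example, not part of the original guide; it handles only the `flags=...<...>` output format shown above for Linux, and the function name, sample output and addresses are constructed.

```shell
#!/bin/sh
# Added example (not DigitalOcean's code). Reads net-tools `ifconfig` output on
# stdin and reports on interface $1 and expected address $2.
# Prints ok, missing, down or no-address; returns 0 only for ok.
check_iface() {
    awk -v ifc="$1" -v ip="$2" '
        /^[^ \t]/ {                          # unindented line starts a section
            cur = $1; sub(/:$/, "", cur)
            if (cur == ifc) {
                seen = 1
                f = $2                       # e.g. flags=4163<UP,BROADCAST,...>
                sub(/^[^<]*</, ",", f); sub(/>.*$/, ",", f)
                live = (index(f, ",UP,") > 0 && index(f, ",RUNNING,") > 0)
            }
            next
        }
        cur == ifc && $1 == "inet" && $2 == ip { addr = 1 }
        END {
            if (!seen)      r = "missing"
            else if (!live) r = "down"
            else if (!addr) r = "no-address"
            else            r = "ok"
            print r
            exit (r == "ok" ? 0 : 1)
        }
    '
}

# Constructed samples: eth1 before and after the private address is configured.
IFCONFIG_BEFORE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.10  netmask 255.255.240.0  broadcast 203.0.113.255

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 02:00:00:aa:bb:02  txqueuelen 1000  (Ethernet)'

IFCONFIG_AFTER='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.10  netmask 255.255.240.0  broadcast 203.0.113.255

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.132.0.5  netmask 255.255.0.0  broadcast 10.132.255.255
        ether 02:00:00:aa:bb:02  txqueuelen 1000  (Ethernet)'

printf '%s\n' "$IFCONFIG_BEFORE" | check_iface eth1 10.132.0.5   # before setup
printf '%s\n' "$IFCONFIG_AFTER"  | check_iface eth1 10.132.0.5   # after setup
```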