How to Enable VPC Networking on Existing Droplets

A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks provide a more secure connection between resources because the network is inaccessible from the public internet and other VPC networks. Traffic within a VPC network doesn't count against bandwidth usage.

All Droplets, Kubernetes clusters, databases, and load balancers created after 7 April 2020 are automatically added to a VPC network (either the account's default network or a user-created network).

You can still use VPC networks with Droplets created before this date. To do so, you either need to manually configure VPC (which adds the Droplet to the default VPC network) or migrate the Droplet using a snapshot (which adds it to any VPC network in your account).

Note
We do not support VPC networks between Droplets in different datacenter regions.

Enable VPC Networking on Existing Droplets

To enable VPC networking on an existing Droplet, you need to power the Droplet down. The safest way to do this is by logging into your Droplet and using the shutdown command with the -h flag:

sudo shutdown -h now

The -h flag halts the system completely.

Once the Droplet is off, the next step is to enable private networking from the control panel. This gives you the address information you need to then configure it on the Droplet itself.

On the Droplets page, click the name of the Droplet, then click Networking in the left menu. In the Private network section, click the Enable button.

The Droplet Networking page with the private networking enable button highlighted

The page updates automatically and lists the private network information assigned to the Droplet. When you're done, click the OFF button to switch the Droplet back ON.

Powering on the Droplet by clicking the On/Off switch in the control panel

The Droplet is booted when the switch turns green and the label says ON.

Network Configuration by Operating System

When you enable VPC on a Droplet after it is created, you need to manually configure the private networking interface on the Droplet itself. How you do this depends on which Linux distribution your Droplet is running.

On Ubuntu 18.04, you need to use Netplan to define the network interface using the Droplet's private IP address and the MAC address for the Ethernet interface. You can learn more about Netplan and the files in /etc/netplan in this section of What's New in Ubuntu 18.04.

To get the MAC address, use lshw to list the details of your server's network-class hardware.

lshw -class network

Locate *-network:1 in the output. The serial value is the MAC address you need.

    
        
. . .
*-network:1
    description: Ethernet controller
    . . .
    *-virtio1 DISABLED
        description: Ethernet interface
        physical id: 0
        bus info: virtio@1
        logical name: ens4
        serial: ex:am:pl:e3:65:13
. . .

    

At the bottom of /etc/netplan/50-cloud-init.yaml, add the following stanza.

    
        
        eth1:
            addresses:
            - 198.51.100.0/16
            match:
                macaddress: ex:am:pl:e3:65:13
            set-name: eth1

    

Replace the addresses value with the private IP address of the Droplet followed by the /16 subnet prefix. Replace the macaddress value with the MAC address you found with lshw.

Errors in your syntax can disrupt your networking and force you to use the Droplet console to restore connectivity, so check the file's syntax before you apply the changes.

sudo netplan apply --debug

If the file has syntax errors, this command returns the errors and doesn't apply the changes. When the file's syntax is correct, the command returns no output and applies the changes.

Reboot the Droplet one more time for the changes to take effect, and to verify that the configuration remains after the system is restarted:

sudo reboot
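
A malformed address or an unedited placeholder in the Netplan stanza is exactly the kind of error that leaves you restoring connectivity from the console. The script below is an added example, not part of the original guide or of any DigitalOcean or Netplan tool; the function names are hypothetical. It validates the private IP and the MAC address, then prints the stanza with the indentation shown above, and it rejects the placeholder ex:am:pl:e3:65:13 because that is not a valid MAC address.

```shell
#!/bin/sh
# Added example: validate the two substituted values, then print the stanza.
# Function names are hypothetical; this is not a netplan or DigitalOcean tool.

valid_mac() {
    # Six colon-separated pairs of hex digits, as in the lshw "serial" field.
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ipv4() {
    # Exactly four dot-separated decimal octets, each between 0 and 255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

render_eth1_stanza() {
    # $1 = private IP from the control panel, $2 = MAC address from lshw.
    valid_ipv4 "$1" || { echo "invalid private IP: $1" >&2; return 1; }
    valid_mac "$2"  || { echo "invalid MAC address: $2" >&2; return 1; }
    # Indentation matches the stanza shown above.
    printf '        eth1:\n'
    printf '            addresses:\n'
    printf '            - %s/16\n' "$1"
    printf '            match:\n'
    printf '                macaddress: %s\n' "$2"
    printf '            set-name: eth1\n'
}

# Print the stanza when run as: sh render.sh <private-ip> <mac>
if [ "$#" -eq 2 ]; then
    render_eth1_stanza "$1" "$2"
fi
```

Review the printed stanza before appending it to /etc/netplan/50-cloud-init.yaml, and keep a copy of the original file so you can restore it from the Droplet console if needed.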

On Ubuntu 16.04, you need to disable consistent network device naming to make sure public traffic uses the eth0 interface and private traffic uses the eth1 interface.

Open /etc/default/grub.d/50-cloudimg-settings.cfg and edit the GRUB_CMDLINE_LINUX_DEFAULT setting. At the end of the line, within the quotations, add net.ifnames=0:

    
        
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0 net.ifnames=0"

    

Save and close the file, then update GRUB with the new settings and reboot the Droplet.

sudo update-grub
sudo reboot

After the Droplet finishes rebooting, reconnect with SSH.

Open the network configuration file /etc/network/interfaces.d/50-cloud-init.cfg in a text editor and add a new section at the bottom of the file to define the interface for the private network. Replace the IP address (198.51.100.0) in the address field with the Droplet's private IP address, which is listed in the Private Network section of the Droplet's Networking tab.

    
        
auto eth1
iface eth1 inet static
        address 198.51.100.0
        netmask 255.255.0.0

    

Save and close the file, then restart networking, which checks the configuration for errors and loads the network interface.

sudo systemctl restart networking

When the command is successful, it doesn't return output.

Warning
Standard support for Ubuntu 14.04 LTS ended in April 2019. Because this distribution has reached end of life, we recommend migrating to a newer release so your Droplets remain supported and secure.

To add a private network interface to Ubuntu 14.04 and Debian distributions, open the network configuration file /etc/network/interfaces in a text editor. Add a new section at the bottom of the file to define the interface for the private network. Replace the IP address (198.51.100.0) in the address field with the Droplet's private IP address, which is listed in the Private Network section of the Droplet's Networking tab.

    
        
auto eth1
iface eth1 inet static
        address 198.51.100.0
        netmask 255.255.0.0

    

Save and close the file, then use ifup to bring up the interface.

ifup eth1

When the command is successful, it doesn't return output. If run more than once, the command returns ifup: interface eth1 already configured.

On CentOS and Fedora, get the hardware address for eth1 with ifconfig.

sudo ifconfig -a

On CentOS 7 and Fedora, use the ether value in the eth1 section:

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)

On CentOS 6, use the value of HWaddr in the eth1 section:

eth1      Link encap:Ethernet  HWaddr 12:23:34:45:56:67
        BROADCAST MULTICAST  MTU:1500  Metric:1

Next, create and open a new file in the interface configuration directory called /etc/sysconfig/network-scripts/ifcfg-eth1.

Enter the content below, substituting the values for the specific Droplet. HWADDR is the value from the ifconfig output, and the IPADDR value is displayed on the Droplet's Networking tab in the Private network section.

    
        
DEVICE="eth1"
HWADDR=info_from_ifconfig
IPADDR=198.51.100.0
BOOTPROTO=none
ONBOOT="yes"
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
IPV6INIT="no"
DEFROUTE="no"

    

Save and close the file, then use ifup to bring up the new network interface.

ifup eth1

When the command is successful, it doesn't return output.

On FreeBSD, you need to edit /etc/rc.conf.

In this file, locate the comment that reads # DigitalOcean Dynamic Configuration lines and the immediate line below it, are removed each boot. Directly above that comment, add the following line, substituting the private IP shown in the Private network section of the Droplet's Networking tab. The file should look like this:

    
        
ifconfig_vtnet1="inet 198.51.100.0 netmask 255.255.0.0"

# DigitalOcean Dynamic Configuration lines and the immediate line below it,
# are removed each boot.

    

Save and close the file, then restart networking, which verifies the syntax of the changes and applies them.

sudo /etc/netstart

When the interface is successfully enabled, the output contains a vtnet1 section with the private IP address.

Verify the Configuration

You can verify the private network configuration with ifconfig.

sudo ifconfig

The output should contain a section for the interface that includes the private IP address and shows the status as UP and RUNNING.

On Linux distributions (like Ubuntu, Debian, CentOS, and Fedora), look for the eth1 section:

    
        
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.0  netmask 255.255.0.0  broadcast 192.0.2.255
        inet6 xxxx::xxxx:xxxx:xxxx:xxx  prefixlen 64  scopeid 0x20
        ether 12:34:46:78:98:10  txqueuelen 1000  (Ethernet)
        RX packets 258  bytes 13872 (13.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 146  bytes 10640 (10.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    

On FreeBSD, look for the vtnet1 section:

    
        
vtnet1: flags=8843 metric 0 mtu 1500
        options=6c07bb
        ether 12:34:46:78:98:10
        hwaddr 12:34:46:78:98:10
        inet6 xxxx::xxxx:xxxx:xxxx:xxx%vtnet1 prefixlen 64 scopeid 0x2
        inet 198.51.100.0 netmask 0xffff0000 broadcast 192.0.2.255
        nd6 options=21
        media: Ethernet 10Gbase-T 
        status: active

    

To fully test that the network is configured, try pinging the newly-enabled Droplet from a second Droplet on the private network.
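
The ifconfig check described in this section can be scripted. The following is an added example, not part of the original guide; check_private_iface is a hypothetical helper name and the sample outputs are constructed. It confirms that the named interface section, and not some other interface, is UP and RUNNING and carries the expected private IP, and it accepts both the current ifconfig format and the older "inet addr:" format.

```shell
#!/bin/sh
# Added example; check_private_iface is a hypothetical helper name.
# On a Droplet: sudo ifconfig | check_private_iface eth1 198.51.100.0

check_private_iface() {
    # $1 = interface name, $2 = expected private IP; ifconfig output on stdin.
    awk -v ifname="$1" -v want="$2" '
        /^[^ \t]/ { in_if = ($1 == ifname || $1 == (ifname ":")) }  # section start
        in_if && /[<, ]UP[,> ]/      { up = 1 }
        in_if && /[<, ]RUNNING[,> ]/ { running = 1 }
        in_if && $1 == "inet" {
            addr = $2
            sub(/^addr:/, "", addr)   # older net-tools prints "inet addr:IP"
            if (addr == want) has_ip = 1
        }
        END {
            if (!up || !running) { print ifname ": not UP and RUNNING"; exit 1 }
            if (!has_ip) { print ifname ": " want " is not assigned"; exit 1 }
            print ifname ": UP, RUNNING, " want " assigned"
        }'
}

# Constructed sample: eth0 is up, eth1 exists but is not configured yet.
sample_unconfigured() {
    cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.10  netmask 255.255.255.0  broadcast 203.0.113.255
eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)
EOF
}

# Constructed sample: eth1 after the interface has been configured.
sample_configured() {
    cat <<'EOF'
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.0  netmask 255.255.0.0  broadcast 198.51.255.255
        ether 12:23:34:45:56:67  txqueuelen 1000  (Ethernet)
EOF
}

sample_unconfigured | check_private_iface eth1 198.51.100.0 || echo "eth1 still needs configuring"
sample_configured | check_private_iface eth1 198.51.100.0
```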