During July 2018, communication over DigitalOcean Private Network IPs will be isolated within the account or team where they were created. For most users, this security enhancement requires no action. All Droplets that were provisioned with Private Networking will continue to be able to communicate with the other Droplets within the same account or team.
However, if you have Droplets that communicate over private IPs with Droplets that belong to a different team or account, they will no longer be able to reach each other through the private IPs.
Combining Private Networking isolation with Cloud Firewalls, Let’s Encrypt SSL Certificates for Load Balancers, SSH keys, and 2FA, provides the security you need to build scalable, robust, and secure production environments.
Once this change is in place, your Droplets won’t be able to reach Droplets outside your account over the Private Network.
For example, let’s say a user manages 2 accounts, Acme Inc and Beta Inc, and each has 2 Droplets in the same region. Acme uses private IPs
192.0.2.101. Beta uses
192.0.2.121. Acme’s Droplet
192.0.2.100 (running a PHP application) currently reaches out to
192.0.2.120 (a MySQL database on Beta’s account) over the private network.
Since these two Droplets are owned by different accounts, once this improvement is in place, they won’t be able to reach each other over the private network: Acme-owned Droplets won’t be able to access Beta’s private IP addresses and vice-versa.
This user has a few option to adjust their deployment:
They can move the MySQL Droplet from the Beta account to the Acme account. This can be achieved with Droplet Snapshots or with your favorite config management tool.
They can create a new Droplet under the Acme account for MySQL and replace the old IP address with the new one. Data transfers could be done by backup/restore of the database.
They could replace the private IPs with the public IPs of Beta Droplet they are trying to reach. This might require some application reconfiguration and we strongly suggest using some type of firewall, like our managed and free Cloud Firewall, to restrict connections between those two Droplets. In this case, even though the connection is done over the public IP, it doesn’t mean that the data will leave our data centers. The traffic will never leave our region border router.
Similar to the previous solution but recommended for those looking for extra security, they could setup a VPN between both accounts, creating a virtual private network between them. This would encapsulate the traffic and make sure it’s encrypted end-to-end. We have several tutorials on the subject.
Private network communication will be restricted to resources inside a single account, increasing its security.
We have changed dates a few times, but we will begin to roll out the changes on July 10. As we continue, we will notify users in the affected data centers by email and on the dashboard before enabling the isolation.
No, nothing will change for you. No action is required.
No, since it only affects Private Networks and they are restricted to a single region, this won’t have any effect on cross region communication.
No, traffic over private networks is free and won’t count against your bandwidth billing transfer.