A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage.
If you enabled VPC networking on your Droplet before 1 October 2020 but didn’t configure the Droplet’s private network interface, use this guide to configure the network interface necessary for the Droplet to communicate with the region’s default VPC network.
You can also migrate the Droplet into any specified VPC network using a snapshot. We do not support VPC networks between Droplets in different datacenter regions.
To enable VPC networking on an existing Droplet, you need to power the Droplet down. This safest way to do this is by logging into your Droplet and using the shutdown
command with the h
flag:
sudo shutdown -h now
The -h
flag halts the system completely.
Once the Droplet is off, the next step is to enable private networking from the control panel. This gives you the address information you need to then configure it on the Droplet itself.
On the Droplets page, click the name of the Droplet, then click Networking in the left menu. In the Private network section, click the Enable button.
The page updates automatically and lists the private network information assigned to the Droplet. When you’re done, click the OFF button to switch the Droplet back ON.
The Droplet is booted when the switch turns green and the label says ON.
If your Droplet is apart of a VPC network but its private network interface hasn’t been enabled to communicate with the VPC network, you need to manually configure the private network interface on the Droplet itself. How you do this depends on which Linux distribution your Droplet is running.
On Ubuntu 18.04, you need to use Netplan to define the network interface using the Droplet’s private IP address and the MAC address for the Ethernet interface. You can learn more about Netplan and the files in /etc/netplan
in this section of What’s New in Ubuntu 18.04.
To get the MAC address, use lshw
to list the details of your server’s network-class hardware.
lshw -class network
Locate *-network:1
in the output. The serial
value is the MAC address you need.
. . .
*-network:1
description: Ethernet controller
. . .
*-virtio1 DISABLED
description: Ethernet interface
physical id: 0
bus info: virtio@1
logical name: ens4
serial: ex:am:pl:e3:65:13
. . .
At the bottom of /etc/netplan/50-cloud-init.yaml
, add the following stanza.
eth1:
addresses:
- 198.51.100.0/16
match:
macaddress: ex:am:pl:e3:65:13
set-name: eth1
Replace the addresses
value with the private IP address of the Droplet followed by the /16
subnet prefix. Replace the macaddress
value with the MAC address you found with lshw
.
Errors in your syntax can disrupt your networking and force you to use the Droplet console to restore connectivity, so check the file’s syntax before you apply the changes.
sudo netplan apply --debug
If the file has syntax errors, this command returns the errors and doesn’t apply the changes. When the file’s syntax is correct, the command returns no output and applies the changes.
Reboot the Droplet one more time for the changes to take effect, and to verify that the configuration remains after the system is restarted:
sudo reboot
On Ubuntu 16.04, you need to disable consistent network device naming to make sure public traffic uses the eth0
interface and private traffic uses the eth1
interface.
Open /etc/default/grub.d/50-cloudimg-settings.cfg
and edit the GRUB_CMDLINE_LINUX_DEFAULT
setting. At the end of the line, within the quotations, add net.ifnames=0
:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty1 console=ttyS0 net.ifnames=0"
Save and close the file, then update GRUB with the new settings and reboot the Droplet.
sudo update-grub
sudo reboot
After the Droplet finishes rebooting, reconnect with SSH.
Open the network configuration file /etc/network/interfaces.d/50-cloud-init.cfg
in a text editor and add a new section at the bottom of the file to define the interface for the VPC network. Substitute the IP address (198.51.100.0
) in the address
field for the Droplet’s private IP address located in the Private Network section of the Droplet’s Networking tab.
auto eth1
iface eth1 inet static
address 198.51.100.0
netmask 255.255.0.0
Save and close the file then restart networking, which checks the configuration for errors and load the network interface.
sudo systemctl restart networking
When the command is successful, it doesn’t return output.
To add a private network interface to Ubuntu 14.04 and Debian distributions, open the network configuration file /etc/network/interfaces
in a text editor. Add a new section at the bottom of the file to define the interface for the VPC network. Substitute the IP address (198.51.100.0
) in the address
field for the Droplet’s private IP address located in the Private Network section of the Droplet’s Networking tab.
auto eth1
iface eth1 inet static
address 198.51.100.0
netmask 255.255.0.0
Save and close the file, then use ifup
to bring up the interface.
ifup eth1
When the command is successful, it doesn’t return output. If run more than once, the command returns ifup: interface eth1 already configured
.
On CentOS and Fedora, get the hardware address for eth1
with ifconfig
.
sudo ifconfig -a
On CentOS 7 and Fedora, use the ether
value in the eth1
section:
eth1: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 12:23:34:45:56:67 txqueuelen 1000 (Ethernet)
On CentOS 6, use the value of HWaddr
in the eth1
section:
eth1 Link encap:Ethernet HWaddr 12:23:34:45:56:67
BROADCAST MULTICAST MTU:1500 Metric:1
Next, create and open a new file in the interface configuration directory called /etc/sysconfig/network-scripts/ifcfg-eth1
.
Enter the content below, substituting the values for the specific Droplet. HWADDR
is the value from the ifconfig
output, and the IPADDR
value is displayed on the Droplet’s Networking tab in the Private network section.
DEVICE="eth1"
HWADDR=info_from_ifconfig
IPADDR=198.51.100.0
BOOTPROTO=none
ONBOOT="yes"
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
IPV6INIT="no"
DEFROUTE="no"
Save and close the file, then use ifup
to bring up the new network interface.
ifup eth1
When the command is successful, it doesn’t return output.
On FreeBSD, you need to edit /etc/rc.conf
.
In this file, locate the line which reads # DigitalOcean Dynamic Configuration lines and the immediate line below it, are removed each boot
. Directly above that comment, add the following line, substituting in the private IP from on the Droplet’s Networking tab in the Private network section. The file should look like this:
ifconfig_vtnet1="inet 198.51.100.0 netmask 255.255.0.0"
# DigitalOcean Dynamic Configuration lines and the immediate line below it,
# are removed each boot.
Save and close the file, then restart networking, which verifies the syntax of the changes and applies them.
sudo /etc/netstart
When the interface is successfully enabled, the output contains a vtnet1
section with the private IP address.
You can verify the private network configuration with ifconfig
.
sudo ifconfig
The output should contain a section for the interface that includes the private IP address and shows the status as UP
and RUNNING
.
On Linux distributions (like Ubuntu, Debian, CentOS, and Fedora), look for the eth1
section:
eth1: flags=4163< UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 198.51.100.0 netmask 255.255.0.0 broadcast 192.0.2.255
inet6 xxxx::xxxx:xxxx:xxxx:xxx prefixlen 64 scopeid 0x20<link>
ether 12:34:46:78:98:10 txqueuelen 1000 (Ethernet)
RX packets 258 bytes 13872 (13.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 146 bytes 10640 (10.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
On FreeBSD, look for the vtnet1
section:
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether 12:34:46:78:98:10
hwaddr 12:34:46:78:98:10
inet6 xxxx::xxxx:xxxx:xxxx:xxx%vtnet1 prefixlen 64 scopeid 0x2
inet 198.51.100.0 netmask 0xffff0000 broadcast 192.0.2.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
To fully test that the network is configured, try pinging the newly-enabled Droplet from a second Droplet on the VPC network.