Private Droplets
Validated on 16 Mar 2026 • Last edited on 30 Mar 2026
DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.
Private Droplets are Droplets with VPC-only networking and no direct public connectivity. They are designed to work with VPC products like VPC peering, VPC NAT gateway, and VPC private DNS without additional configuration.
Private Droplets provide:
- VPC peering and VPC NAT gateway integration without additional configuration.
- Automatic use of the private DNS resolver when you create a Private Droplet in a VPC with a NAT gateway.
- Automatic peering support when you peer the VPC with another VPC.
- Automatic outbound internet connectivity when the NAT gateway is configured as the default route for the VPC. This enables downloading artifacts like Docker images and files from Spaces buckets.
Key Differences
The following diagram shows the key differences between traditional and Private Droplets.
flowchart LR
  Internet[(Internet)]
  subgraph VPCA["VPC A 10.0.0.0/16"]
    direction TB
    V1["Traditional Droplet<br/>eth0: Public IPv4<br/>eth1: Private IPv4"]
    V2["Private Droplet<br/>eth0: Private IPv4 Only"]
    NAT[NAT Gateway]
    VDNS[VPC DNS Resolver]
  end
  subgraph VPCB["VPC B 10.1.0.0/16"]
    DropB[Droplet]
  end
  VPCA <-->|VPC Peering| VPCB
  V1 --> Internet
  V2 --> NAT --> Internet
  V2 --> VDNS
Traditional Droplets
- Two network interfaces: public IPv4 (eth0) and private IPv4 (eth1).
- Direct internet access through public interface or Reserved IP.
- Can use public DNS resolvers or VPC-local DNS.
Private Droplets
- Single private IPv4 interface (eth0).
- Internet access only through VPC NAT gateway.
- Uses VPC-local DNS resolver for improved performance.
- No direct public ingress except from a regional or global load balancer.
Overview
Pricing
Private Droplets do not have additional costs beyond standard Droplet pricing.
Features
- No direct public connectivity by default.
- VPC-native networking that integrates automatically with VPC products.
- Automatic private DNS resolution in VPCs with NAT gateways.
- Support for VPC peering without additional configuration.
Availability
Private Droplets are available in all regions.
Feedback and Support
Private Droplets are in public preview. All customers can opt in from the Feature Preview page. Public previews receive full support. We expect but do not guarantee that public previews perform for production-level workloads.
Our terms of service govern your use of DigitalOcean and cover details of eligibility, content, use, payments and billing, and warranties.
Prerequisites
The example that follows requires access to the DigitalOcean API and curl.
- Create a personal access token and save it for use with the API.
- The curl command is installed by default on most operating systems. Refer to your operating system documentation to install the curl package if necessary.
How to Create a Private Droplet
Using the API
Send a POST request to the /v2/droplets endpoint, specifying the public_networking parameter:
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{
    "name": "my-private-droplet",
    "region": "sfo3",
    "size": "s-1vcpu-1gb",
    "image": "ubuntu-24-04-x64",
    "ssh_keys": [
      "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef"
    ],
    "monitoring": true,
    "with_droplet_agent": true,
    "public_networking": false
  }' \
  "https://api.digitalocean.com/v2/droplets"

The API returns information about the newly created Private Droplet.
For details on the response format, see the Create a New Droplet API documentation.
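To confirm that public_networking took effect across a fleet, you can audit a Droplet listing for addresses the API reports as public. The following is an added example, not part of the original documentation; the sample response is constructed, it assumes the networks.v4 / networks.v6 entries with a type field that the Droplet API returns, and the helper names and the bastion allowlist are hypothetical.

```python
import json

# Constructed sample shaped like a GET /v2/droplets response (all values made up).
SAMPLE_RESPONSE = json.loads("""
{"droplets": [
  {"id": 1001, "name": "my-private-droplet",
   "networks": {"v4": [{"ip_address": "10.0.0.5", "type": "private"}], "v6": []}},
  {"id": 1002, "name": "bastion",
   "networks": {"v4": [{"ip_address": "203.0.113.10", "type": "public"},
                        {"ip_address": "10.0.0.2", "type": "private"}], "v6": []}},
  {"id": 1003, "name": "db-internal",
   "networks": {"v4": [{"ip_address": "198.51.100.7", "type": "public"},
                        {"ip_address": "10.0.0.9", "type": "private"}], "v6": []}}
]}
""")


def public_addresses(droplet):
    """Return every address the API reports with type "public" (IPv4 and IPv6)."""
    nets = droplet.get("networks") or {}
    return [n["ip_address"]
            for family in ("v4", "v6")
            for n in nets.get(family) or []
            if n.get("type") == "public"]


def audit(response, allowed_public=frozenset()):
    """Map Droplet name -> public addresses for Droplets expected to have none.

    allowed_public names the hosts that are meant to be reachable directly,
    such as a bastion; everything else should be VPC-only.
    """
    findings = {}
    for droplet in response.get("droplets", []):
        addrs = public_addresses(droplet)
        if addrs and droplet["name"] not in allowed_public:
            findings[droplet["name"]] = addrs
    return findings


if __name__ == "__main__":
    for name, addrs in audit(SAMPLE_RESPONSE, allowed_public={"bastion"}).items():
        print(f"{name}: unexpected public address(es) {addrs}")
```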
Using doctl
Using Terraform
You can create Private Droplets with the DigitalOcean Terraform provider. See the digitalocean_droplet resource documentation for the available attributes.
Networking Differences from Traditional Droplets
Private Droplets have a single private network interface (eth0) instead of the two interfaces (eth0 public, eth1 private) used by traditional Droplets:
- No public interface. The interfaces/public metadata path is absent. Use interfaces/private/0/ipv4/address to retrieve the Droplet’s IP address from the metadata API.
- NAT gateway routing is automatic. When the VPC has a NAT gateway set as the default route, Private Droplets route outbound traffic through it without manual route configuration. You do not need the metadata route workaround (ip route add 169.254.169.254) described in Configure Droplets for NAT Gateway.
- VPC peering routes are automatic. Private Droplets do not need manual peering route updates. See Update Peering Routes.
- Load balancer backends. Private Droplets work as backends for regional HTTP load balancers, internal network load balancers, and global load balancers. For internal network load balancers, use eth0 for both public and internal configurations (instead of eth1 for internal load balancers on traditional Droplets). See Configure Droplets for Network Load Balancers. External network load balancers (ENLB) are not supported in the public preview.
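Provisioning scripts written for traditional Droplets often read the public metadata path and assume eth1 is the VPC interface, and both assumptions break on a Private Droplet. The following is an added example, not part of the original documentation, that classifies the Droplet from the metadata paths named above. It assumes the metadata service is served under /metadata/v1/ and answers an absent path with HTTP 404; the function names and sample trees are constructed for illustration.

```python
import urllib.error
import urllib.request

METADATA_BASE = "http://169.254.169.254/metadata/v1/"  # assumed v1 base path


def http_fetch(path, timeout=2):
    """Read one metadata path; return None when the path is absent (assumed 404)."""
    try:
        with urllib.request.urlopen(METADATA_BASE + path, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def describe_networking(fetch=http_fetch):
    """Classify the Droplet and report which interface carries the VPC address."""
    private_ip = fetch("interfaces/private/0/ipv4/address")
    public_ip = fetch("interfaces/public/0/ipv4/address")
    if private_ip is None:
        raise RuntimeError("no private interface in metadata; not a VPC Droplet?")
    if public_ip is None:
        # Private Droplet: the single interface eth0 holds the VPC address.
        return {"kind": "private", "vpc_iface": "eth0",
                "vpc_ip": private_ip, "public_ip": None}
    # Traditional Droplet: eth0 is public, eth1 holds the VPC address.
    return {"kind": "traditional", "vpc_iface": "eth1",
            "vpc_ip": private_ip, "public_ip": public_ip}


# Constructed metadata trees standing in for the live service (values made up).
PRIVATE_TREE = {"interfaces/private/0/ipv4/address": "10.0.0.5"}
TRADITIONAL_TREE = {"interfaces/private/0/ipv4/address": "10.0.0.2",
                    "interfaces/public/0/ipv4/address": "203.0.113.10"}

if __name__ == "__main__":
    for tree in (PRIVATE_TREE, TRADITIONAL_TREE):
        print(describe_networking(tree.get))
```

On a Droplet, call describe_networking() with no arguments to query the live metadata service instead of the sample trees.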
Use Private Droplets with Other Products
Load Balancers
Private Droplets work as backends for the following load balancer types:
- Regional HTTP load balancers (external and internal) connect to Private Droplets via the VPC network automatically.
- Internal network load balancers require the same backend Droplet routing configuration as traditional Droplets, but use eth0 for both public and internal configurations. See Configure Droplets for Network Load Balancers.
- Global load balancers connect to Private Droplets via the VPC network.
External network load balancers (ENLB) are not supported in the public preview.
Because Private Droplets have no public interface, all load balancer traffic reaches them through the VPC. The load balancer provides public ingress for services running on Private Droplets.
NAT Gateway
When a VPC has a NAT gateway set as the default route, Private Droplets route outbound internet traffic through it automatically. No manual route configuration is required.
For details on creating and configuring a NAT gateway, see How to Create a NAT Gateway.
VPC Peering
Private Droplets support VPC peering without additional route configuration. When two VPCs are peered, Private Droplets in either VPC can communicate with resources in the other VPC over their private IP addresses.
For details, see How to Create a VPC Peering.
Partner Network Connect
Partner Network Connect operates at the VPC level. Private Droplets in a VPC with a Partner Network Connect attachment can communicate with the connected on-premises or third-party network over their private IP addresses without additional configuration.
DigitalOcean Kubernetes (DOKS)
DOKS clusters do not currently use Private Droplets for worker nodes. DOKS worker nodes are provisioned as traditional Droplets with both public and private interfaces. Private Droplets created outside the cluster can communicate with DOKS worker nodes over the VPC network if they share the same VPC or are connected via VPC peering.
Limitations and Known Issues
- Custom images are not supported.
- Public static IPv6 addresses cannot be enabled at creation time or assigned later.
- Reserved IPv4, Reserved IPv6, and BYOIP addresses cannot be assigned to Private Droplets.
- Existing Droplets cannot be converted to Private Droplets.
- The availability of this feature on different official DigitalOcean images is subject to change.
- Private Droplets cannot be created from the control panel during the public preview. Use the API, doctl, or Terraform instead.
- Private Droplets are visible in the control panel like any other Droplet; however, only the VPC IP is shown.
FAQ
How do I get outbound internet access with a Private Droplet?
Preferably, use a VPC NAT gateway, or configure your own.
How do I SSH into a Private Droplet?
Set up a bastion host (jump host) by using a traditional Droplet with a public IPv4 address. SSH to the bastion host first, then connect to your Private Droplet at its private IP address, using the ssh -J option or the ProxyJump directive. For bastion host configuration and security best practices, see VPC Best Practices.