# Private Droplets (public)

DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.

Private Droplets are Droplets with VPC-only networking and no direct public connectivity. They are designed to work with VPC products like VPC peering, VPC NAT gateway, and VPC private DNS without additional configuration.

Private Droplets provide:

- VPC peering and VPC NAT gateway integration without additional configuration.
- Automatic use of the private DNS resolver when you create a Private Droplet in a VPC with a NAT gateway.
- Automatic peering support when you peer the VPC with another VPC.
- Automatic outbound internet connectivity when the NAT gateway is configured as the default route for the VPC. This enables downloading artifacts like Docker images and files from Spaces buckets.

## Key Differences

The following diagram shows the key differences between traditional and Private Droplets.

```mermaid
flowchart LR
    Internet[(Internet)]
    subgraph VPCA["VPC A 10.0.0.0/16"]
        direction TB
        V1["Traditional Droplet<br/>eth0: Public IPv4<br/>eth1: Private IPv4"]
        V2["Private Droplet<br/>eth0: Private IPv4 Only"]
        NAT[NAT Gateway]
        VDNS[VPC DNS Resolver]
    end
    subgraph VPCB["VPC B 10.1.0.0/16"]
        DropB[Droplet]
    end
    VPCA <-->|VPC Peering| VPCB
    V1 --> Internet
    V2 --> NAT --> Internet
    V2 --> VDNS
```

### Traditional Droplets

- Two network interfaces: public IPv4 (eth0) and private IPv4 (eth1).
- Direct internet access through public interface or Reserved IP.
- Can use public DNS resolvers or VPC-local DNS.

### Private Droplets

- Single private IPv4 interface (eth0).
- Internet access only through VPC NAT gateway.
- Uses VPC-local DNS resolver for improved performance.
- No direct public ingress except from a regional or global load balancer.

## Overview

### Pricing

Private Droplets do not have additional costs beyond standard Droplet pricing.

### Features

- No direct public connectivity by default.
- VPC-native networking that integrates automatically with VPC products.
- Automatic private DNS resolution in VPCs with NAT gateways.
- Support for VPC peering without additional configuration.

### Availability

Private Droplets are available in all regions.

### Feedback and Support

Private Droplets are in [public preview](https://docs.digitalocean.com/platform/product-lifecycle/index.html.md#public-preview). All customers can opt in from the [**Feature Preview** page](https://cloud.digitalocean.com/account/feature-preview). Public previews receive [full support](https://docs.digitalocean.com/platform/support-plans/index.html.md). We expect but do not guarantee that public previews perform for production-level workloads. [Our terms of service](https://www.digitalocean.com/legal/terms-of-service-agreement) govern your use of DigitalOcean and cover details of eligibility, content, use, payments and billing, and warranties.

## Prerequisites

The example that follows requires access to the DigitalOcean API and `curl`.
- [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with the API.
- The `curl` command is installed by default on most operating systems. Refer to your operating system documentation to install the `curl` package if necessary.

## How to Create a Private Droplet

### Using the API

Send a `POST` request to the `/v2/droplets` endpoint with the `public_networking` parameter set to `false`:

```shell
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{
    "name": "my-private-droplet",
    "region": "sfo3",
    "size": "s-1vcpu-1gb",
    "image": "ubuntu-24-04-x64",
    "ssh_keys": [
      "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef"
    ],
    "monitoring": true,
    "with_droplet_agent": true,
    "public_networking": false
  }' \
  "https://api.digitalocean.com/v2/droplets"
```

The API returns information about the newly created Private Droplet. For details on the response format, see the [Create a New Droplet API documentation](https://docs.digitalocean.com/reference/api/digitalocean/index.html.md#operation/droplets_create).

### Using doctl

1. [Install `doctl`](https://docs.digitalocean.com/reference/doctl/how-to/install/index.html.md), the official DigitalOcean CLI.
2. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with `doctl`.
3. Use the token to grant `doctl` access to your DigitalOcean account.

   ```shell
   doctl auth init
   ```

4. Finally, run `doctl compute droplet create`. Basic usage looks like this, but you can [read the usage docs](https://docs.digitalocean.com/reference/doctl/reference/compute/droplet/create/index.html.md) for more details:

   ```shell
   doctl compute droplet create ... [flags]
   ```

The following example creates a Droplet named `example-droplet` with two vCPUs, two GiB of RAM, and 20 GB of disk space.
The Droplet is created in the `nyc1` region and is based on the `ubuntu-20-04-x64` image. Additionally, the command uses the `--user-data` flag to run a Bash script the first time the Droplet boots up:

```shell
doctl compute droplet create example-droplet --size s-2vcpu-2gb --image ubuntu-20-04-x64 --region nyc1 --user-data $'#!/bin/bash\n touch /root/example.txt; sudo apt update;sudo snap install doctl'
```

Please note: in Windows PowerShell, the example command would be the following instead:

```powershell
doctl compute droplet create example-droplet --size s-2vcpu-2gb --image ubuntu-20-04-x64 --region nyc1 --user-data "#!/bin/bash`n touch /root/example.txt; sudo apt update;sudo snap install doctl"
```

### Using Terraform

You can create Private Droplets with the [DigitalOcean Terraform provider](https://docs.digitalocean.com/reference/terraform/index.html.md). See the [`digitalocean_droplet` resource documentation](https://docs.digitalocean.com/reference/terraform/reference/resources/droplet/index.html.md) for the available attributes.

## Networking Differences from Traditional Droplets

Private Droplets have a single private network interface (`eth0`) instead of the two interfaces (`eth0` public, `eth1` private) used by traditional Droplets:

- **No public interface.** The `interfaces/public` metadata path is absent. Use `interfaces/private/0/ipv4/address` to retrieve the Droplet's IP address from the [metadata API](https://docs.digitalocean.com/products/droplets/how-to/access-metadata/index.html.md).
- **NAT gateway routing is automatic.** When the VPC has a NAT gateway set as the default route, Private Droplets route outbound traffic through it without manual route configuration. You do not need the metadata route workaround (`ip route add 169.254.169.254`) described in [Configure Droplets for NAT Gateway](https://docs.digitalocean.com/products/networking/vpc/how-to/configure-droplet-nat-gateway/index.html.md).
- **VPC peering routes are automatic.** Private Droplets do not need manual peering route updates. See [Update Peering Routes](https://docs.digitalocean.com/products/networking/vpc/how-to/update-peering-routes/index.html.md).
- **Load balancer backends.** Private Droplets work as backends for regional HTTP load balancers, internal network load balancers, and global load balancers. For internal network load balancers, use `eth0` for both public and internal configurations (instead of `eth1` for internal load balancers on traditional Droplets). See [Configure Droplets for Network Load Balancers](https://docs.digitalocean.com/products/networking/load-balancers/how-to/configure-droplets-for-nlb/index.html.md). External network load balancers (ENLB) are not supported in the public preview.

## Use Private Droplets with Other Products

### Load Balancers

Private Droplets work as backends for the following load balancer types:

- **Regional HTTP load balancers** (external and internal) connect to Private Droplets via the VPC network automatically.
- **Internal network load balancers** require the same backend Droplet routing configuration as traditional Droplets, but use `eth0` for both public and internal configurations. See [Configure Droplets for Network Load Balancers](https://docs.digitalocean.com/products/networking/load-balancers/how-to/configure-droplets-for-nlb/index.html.md).
- **Global load balancers** connect to Private Droplets via the VPC network.

External network load balancers (ENLB) are not supported in the public preview.

Because Private Droplets have no public interface, all load balancer traffic reaches them through the VPC. The load balancer provides public ingress for services running on Private Droplets.

### NAT Gateway

When a VPC has a NAT gateway set as the default route, Private Droplets route outbound internet traffic through it automatically. No manual route configuration is required.
For details on creating and configuring a NAT gateway, see [How to Create a NAT Gateway](https://docs.digitalocean.com/products/networking/vpc/how-to/create-nat-gateway/index.html.md).

### VPC Peering

Private Droplets support VPC peering without additional route configuration. When two VPCs are peered, Private Droplets in either VPC can communicate with resources in the other VPC over their private IP addresses. For details, see [How to Create a VPC Peering](https://docs.digitalocean.com/products/networking/vpc/how-to/create-peering/index.html.md).

### Partner Network Connect

[Partner Network Connect](https://docs.digitalocean.com/products/networking/vpc/how-to/create-partner-attachment/index.html.md) operates at the VPC level. Private Droplets in a VPC with a Partner Network Connect attachment can communicate with the connected on-premises or third-party network over their private IP addresses without additional configuration.

### DigitalOcean Kubernetes (DOKS)

DOKS clusters do not currently use Private Droplets for worker nodes. DOKS worker nodes are provisioned as traditional Droplets with both public and private interfaces. Private Droplets created outside the cluster can communicate with DOKS worker nodes over the VPC network if they share the same VPC or are connected via VPC peering.

## Limitations and Known Issues

- Custom images are not supported.
- Public static IPv6 addresses cannot be enabled at creation time or assigned later.
- Reserved IPv4, Reserved IPv6, and BYOIP addresses cannot be assigned to Private Droplets.
- Existing Droplets cannot be converted to Private Droplets.
- The availability of this feature on different official DigitalOcean images is subject to change.
- Private Droplets cannot be created from the control panel during the public preview. Use the API, `doctl`, or Terraform instead.
- Private Droplets are visible in the control panel like any other Droplet; however, only the VPC IP is shown.
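The metadata-path difference described under Networking Differences above, as an added example that is not part of the original page: `classify_droplet` reads the `interfaces/private/0/ipv4/address` and `interfaces/public/0/ipv4/address` metadata paths and treats a missing `interfaces/public` as the Private Droplet case. The `fake_fetch_from` helper and the sample addresses are constructed so the code runs offline; that the metadata API answers a missing path with HTTP 404 is an assumption.

```python
import urllib.error
import urllib.request

# Link-local metadata API base, reachable only from inside the Droplet.
METADATA_BASE = "http://169.254.169.254/metadata/v1/"

class MetadataMissing(LookupError):
    """A metadata path that does not exist on this Droplet (assumed to answer HTTP 404)."""

def http_fetch(path, timeout=2):
    """Fetch one metadata path on a real Droplet and return the body as text."""
    try:
        with urllib.request.urlopen(METADATA_BASE + path, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            raise MetadataMissing(path) from exc
        raise

def classify_droplet(fetch=http_fetch):
    """Describe the Droplet's networking using only the documented metadata paths.
    A Private Droplet has no interfaces/public path, so its eth0 private address is its
    only address; code that reads interfaces/public unconditionally fails on it.
    """
    private_ip = fetch("interfaces/private/0/ipv4/address")
    try:
        public_ip = fetch("interfaces/public/0/ipv4/address")
    except MetadataMissing:
        return {"kind": "private", "private_ipv4": private_ip, "public_ipv4": None}
    return {"kind": "traditional", "private_ipv4": private_ip, "public_ipv4": public_ip}

def fake_fetch_from(paths):
    """Offline stand-in for http_fetch, built from a constructed path -> value map."""
    def fetch(path):
        if path not in paths:
            raise MetadataMissing(path)
        return paths[path]
    return fetch

# Constructed samples, not captured from a real Droplet.
PRIVATE_DROPLET_PATHS = {"interfaces/private/0/ipv4/address": "10.10.0.5"}
TRADITIONAL_DROPLET_PATHS = {
    "interfaces/public/0/ipv4/address": "203.0.113.10",
    "interfaces/private/0/ipv4/address": "10.10.0.6",
}

if __name__ == "__main__":
    for sample in (PRIVATE_DROPLET_PATHS, TRADITIONAL_DROPLET_PATHS):
        print(classify_droplet(fake_fetch_from(sample)))
```

On a real Droplet, call `classify_droplet()` with no argument to query the metadata service directly.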
## FAQ

### How do I get outbound internet access with a Private Droplet?

Preferably, use a [VPC NAT gateway](https://docs.digitalocean.com/products/networking/vpc/how-to/create-nat-gateway/index.html.md), or configure your own.

### How do I SSH into a Private Droplet?

Set up a bastion host (jump host) by using a traditional Droplet with a public IPv4 address. SSH to the bastion host first, then connect to your Private Droplet using its private IP address, either with the `ssh -J` option or with a `ProxyJump` directive in your SSH client configuration. For bastion host configuration and security best practices, see [VPC Best Practices](https://docs.digitalocean.com/products/networking/vpc/concepts/best-practices/index.html.md).
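An SSH client configuration (`~/.ssh/config`) for the bastion pattern described above, as an added example that is not from the original page; the host aliases, addresses, VPC range and key path are constructed placeholders:

```sshconfig
# Bastion: a traditional Droplet with a public IPv4 address (constructed placeholder).
Host bastion
    HostName 203.0.113.10
    User root
    IdentityFile ~/.ssh/id_ed25519

# One Private Droplet, reached only through the bastion (constructed VPC address).
# ProxyJump tunnels the second connection through the bastion; the private key
# stays on the client and no agent forwarding is needed.
Host app-private
    HostName 10.10.0.5
    User root
    ProxyJump bastion

# Any address in the VPC's constructed 10.10.0.0/16 range also goes through the
# bastion, so "ssh 10.10.0.7" works without a per-host entry.
Host 10.10.*
    User root
    ProxyJump bastion
```

The equivalent one-off command without a config file is `ssh -J root@203.0.113.10 root@10.10.0.5`.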