How to Connect to a Private Droplet
Validated on 12 Jun 2026 • Last edited on 19 Jun 2026
DigitalOcean Droplets are Linux-based virtual machines (VMs) that run on top of virtualized hardware. Each Droplet you create is a new server you can use, either standalone or as part of a larger, cloud-based infrastructure.
Private Droplets have no public network interface and cannot be reached directly from the internet. To connect with SSH, route your session through a bastion host (jump host): a Droplet with a public IP address in the same VPC as the Private Droplet, or in a VPC peered with it.
Prerequisites
- A Private Droplet. Note the Droplet's VPC IP address, visible in the DigitalOcean Control Panel under Connection Details, or from the metadata API path interfaces/private/0/ipv4/address. The metadata service describes only the Droplet that queries it, so run that query on the Private Droplet itself (for example from the Droplet Console in the Control Panel), not on the bastion host.
- A Droplet with a public IP address in the same VPC as the Private Droplet, or in a VPC peered with it, to act as the bastion host.
- Your SSH public key installed on both Droplets. See How to Add SSH Keys to Droplets.
- If you use a cloud firewall, an inbound rule allowing TCP traffic on port 22 to the bastion host (limited to the source IPs you trust), and a rule allowing SSH from the bastion host's VPC IP (or the VPC CIDR) to the Private Droplet.
Set Up a Bastion Host
If you do not already have a bastion host, set one up before connecting:
- Create a Droplet with a public IP address in the same VPC as the Private Droplet. Use the same region as the Private Droplet.
- Assign the same SSH public key you use for the Private Droplet, or another key you trust for bastion access.
- Restrict SSH on the bastion host to trusted sources. For example, attach a cloud firewall that allows inbound TCP port 22 only from your office or home IP address.
- Confirm you can SSH to the bastion host directly from your local machine, replacing <bastion-user> and <bastion-public-ip> with your own values:

ssh <bastion-user>@<bastion-public-ip>
A Droplet in a peered VPC can also serve as the bastion host. For details on peering, see How to Create a VPC Peering.
Connect Using ssh -J
The -J flag tells SSH to connect to the destination through one or more jump hosts. Your local machine opens an SSH connection to the bastion host and asks it to forward a TCP connection to the Private Droplet's VPC address; the second SSH session then runs end to end inside that forwarded connection. The bastion only relays bytes: it never needs the Private Droplet's private key, cannot read the session, and your local client verifies the Private Droplet's host key exactly as it would for a direct connection.
Run the following command, replacing <bastion-user> with the username on the bastion host, <bastion-public-ip> with the bastion host’s public IP address, <private-user> with the username on the Private Droplet, and <private-vpc-ip> with the Private Droplet’s VPC IP address:
ssh -J <bastion-user>@<bastion-public-ip> <private-user>@<private-vpc-ip>

For example:
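The following is a concrete invocation added here as an example; it is not taken from the DigitalOcean page. It assumes a bastion host at 203.0.113.10 and a Private Droplet at VPC address 10.118.0.3, both with the user root; every address, username and variable name in it is a placeholder you override with environment variables. Before opening the interactive session it probes each hop separately, which is the same split the Troubleshoot Connection Issues section below uses: a failure on hop 1 points at the bastion or its firewall, a failure on hop 2 at the VPC, the Private Droplet's firewall or its authorized keys.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean page. Connects to a Private Droplet
# through a bastion with `ssh -J`, probing each hop first so that a failure
# points at the right layer. All addresses, usernames and key paths are
# assumptions; override them with environment variables.

BASTION_USER="${BASTION_USER:-root}"
BASTION_PUBLIC_IP="${BASTION_PUBLIC_IP:-203.0.113.10}"   # assumed public IP
PRIVATE_USER="${PRIVATE_USER:-root}"
PRIVATE_VPC_IP="${PRIVATE_VPC_IP:-10.118.0.3}"           # assumed VPC IP
SSH_TIMEOUT="${SSH_TIMEOUT:-5}"

# Run a non-interactive `true` on a host. BatchMode=yes makes ssh fail instead
# of prompting for a password or passphrase, and ConnectTimeout bounds a
# firewalled port, so a probe never hangs the script.
probe() {
    ssh -o BatchMode=yes -o ConnectTimeout="$SSH_TIMEOUT" "$@" true
}

# Exit status: 0 both hops work; 1 the bastion itself is unreachable;
# 2 the bastion works but the jump to the Private Droplet fails.
preflight() {
    bastion="$BASTION_USER@$BASTION_PUBLIC_IP"
    target="$PRIVATE_USER@$PRIVATE_VPC_IP"

    if ! probe "$bastion"; then
        echo "hop 1 failed: $BASTION_PUBLIC_IP:22 is not reachable from this machine" >&2
        echo "  check the cloud firewall inbound rule (does it allow your current" >&2
        echo "  source IP?) and any ufw/iptables rules on the bastion" >&2
        return 1
    fi
    if ! probe -J "$bastion" "$target"; then
        echo "hop 2 failed: bastion OK, but $PRIVATE_VPC_IP is not reachable through it" >&2
        echo "  check same or peered VPC, the Private Droplet's firewall for port 22" >&2
        echo "  from the bastion's VPC IP, and authorized_keys for $PRIVATE_USER" >&2
        return 2
    fi
    return 0
}

# Interactive session. -J only relays TCP through the bastion; the SSH session
# itself is negotiated end to end, so the Private Droplet's key never leaves
# this machine and the bastion cannot read the traffic.
connect() {
    preflight || return $?
    exec ssh -J "$BASTION_USER@$BASTION_PUBLIC_IP" "$PRIVATE_USER@$PRIVATE_VPC_IP"
}

# Usage: CONNECT_NOW=1 BASTION_PUBLIC_IP=203.0.113.10 PRIVATE_VPC_IP=10.118.0.3 sh connect.sh
if [ "${CONNECT_NOW:-0}" = "1" ]; then
    connect
fi
```

The probes use the same credentials and route as the real session, so a clean preflight means the final ssh -J will also succeed; the exit codes 1 and 2 map directly onto the two troubleshooting subsections further down.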
Use Different SSH Keys for the Bastion Host and Private Droplet
If the bastion host and Private Droplet use different SSH keys, specify each key in your SSH configuration file or on the command line.
Use SSH Config
Add entries for both Droplets to ~/.ssh/config. Create or open the file:

nano ~/.ssh/config

Add the following entries, replacing the placeholder values with your own:
Host bastion
    HostName <bastion-public-ip>
    User <bastion-user>
    IdentityFile ~/.ssh/bastion_key

Host private-droplet
    HostName <private-vpc-ip>
    User <private-user>
    IdentityFile ~/.ssh/private_droplet_key
    ProxyJump bastion

Save the file. You can then connect to the Private Droplet with:

ssh private-droplet

Use Command-Line Flags
To specify both keys without editing your SSH config, use the -o ProxyCommand option to supply the bastion host key inline and -i to supply the Private Droplet key:
ssh -i ~/.ssh/private_droplet_key \
    -o "ProxyCommand=ssh -i ~/.ssh/bastion_key -W %h:%p <bastion-user>@<bastion-public-ip>" \
    <private-user>@<private-vpc-ip>

Connect from a Peered VPC
If you have a Droplet in a VPC peered with the Private Droplet’s VPC, that Droplet can serve as the bastion host. VPC peering creates routes between both VPCs, so a Droplet in the peered VPC can reach the Private Droplet’s VPC IP directly.
The ssh -J command and ProxyJump SSH config approach work the same way: use the public IP of the Droplet in the peered VPC as the jump host, and the Private Droplet’s VPC IP as the destination.
For information on setting up VPC peering, see How to Create a VPC Peering.
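The configuration below is an added example, not part of the DigitalOcean page, that hardens the two-host ~/.ssh/config shown under Use SSH Config and extends it to the peered-VPC case. The bastion address 203.0.113.10, the key file names, and the VPC ranges 10.118.0.0/16 (the Private Droplet's VPC) and 10.120.0.0/16 (a peered VPC) are assumptions. Beyond the page's version it pins each host to one key with IdentitiesOnly, so ssh does not offer every key in your agent to the bastion; disables agent forwarding, which ProxyJump never needs and which would let a compromised bastion sign with your keys; and adds a wildcard Host so any address in either VPC range is reached through the bastion automatically.

```sshconfig
# Added example (not from the DigitalOcean page); addresses, ranges and key
# paths are assumptions.
Host bastion
    HostName 203.0.113.10
    User root
    IdentityFile ~/.ssh/bastion_key
    IdentitiesOnly yes        # offer only this key, not every key in the agent
    ForwardAgent no           # ProxyJump needs no agent on the bastion

Host private-droplet
    HostName 10.118.0.3
    User root
    IdentityFile ~/.ssh/private_droplet_key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump bastion

# Any Droplet in the VPC (10.118.*) or the peered VPC (10.120.*), assumed
# ranges: the address typed on the command line is used as the destination
# and the connection is jumped through the bastion.
Host 10.118.* 10.120.*
    User root
    IdentityFile ~/.ssh/private_droplet_key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump bastion
```

With this in place, ssh private-droplet and ssh 10.120.0.7 both go through the bastion without further flags. For the command-line form, the equivalent of IdentitiesOnly yes is -o IdentitiesOnly=yes next to -i, on both the outer ssh and the one inside ProxyCommand.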
Troubleshoot Connection Issues
If you cannot reach the Private Droplet, work through the following checks.
Bastion host is unreachable
- Try connecting to the bastion host directly from your local machine with ssh <bastion-user>@<bastion-public-ip>. If the connection times out, check that your cloud firewall has an inbound rule allowing TCP port 22 to the bastion host, and that the rule's allowed sources include the public IP you are connecting from now (a rule limited to an office address fails from home or over a VPN). Adding -v to the ssh command shows where the attempt stalls.
- Also check any host-based firewall (ufw, iptables) on the bastion host.
Connection to the bastion host works, but SSH to the Private Droplet fails
- The Private Droplet is only reachable from within its VPC or from a peered VPC. Confirm both Droplets are in the same VPC, or that the VPCs are peered, in the Control Panel under Networking > VPC.
- Verify the Private Droplet's VPC IP in the Control Panel under Connection Details, or on the Private Droplet itself with the metadata API (interfaces/private/0/ipv4/address). The metadata service reports only the Droplet that queries it, so running it on the bastion host returns the bastion's address, not the Private Droplet's. Private Droplets have only a VPC IP, not a public IP.
- Confirm the public key matching the identity file you are using is listed in ~/.ssh/authorized_keys on both the bastion host and the Private Droplet. Confirm the username as well: the default is root on most DigitalOcean-provided images.
- Check firewalls on the Private Droplet. The Private Droplet must allow SSH from the bastion host's VPC IP, or from the VPC CIDR. A cloud firewall on the Private Droplet that blocks port 22 from the VPC blocks the second hop. If the bastion host is in a peered VPC, its address lies outside the Private Droplet's own VPC CIDR, so a rule scoped to that CIDR does not admit it; allow the peered VPC's range or the bastion's VPC IP instead.
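To confirm that a firewall rule scoped to a CIDR actually admits the bastion before you rely on it, the following POSIX sh check is added here as an example; it is not part of the DigitalOcean page. The addresses are assumptions: a bastion at 10.118.0.5 inside a 10.118.0.0/20 VPC, and a bastion in a peered VPC at 10.120.0.7. ip_in_cidr applies the netmask to both addresses and compares the network parts, and cidr_range prints the first and last address the rule covers so you can see what the rule actually opens. The peered-VPC case is the one the last bullet above warns about: the check reports the bastion as outside the range.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean page. Checks whether an IPv4
# address falls inside a CIDR, as a firewall rule "allow SSH from the VPC CIDR"
# would evaluate it. Addresses below are assumptions.

# Print the dotted quad as a 32-bit integer; fail on anything that is not
# exactly four octets of 0-255 without leading zeros.
ip_to_int() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$o" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length 0-32 as an integer (4294967295 is 0xFFFFFFFF,
# written in decimal so the arithmetic works in every POSIX sh).
cidr_mask() {
    case $1 in 0|[1-9]|[12][0-9]|3[0-2]) ;; *) return 2 ;; esac
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# ip_in_cidr <ip> <network/bits>: exit 0 inside, 1 outside, 2 invalid input.
ip_in_cidr() {
    ipn=$(ip_to_int "$1") || return 2
    netn=$(ip_to_int "${2%/*}") || return 2
    mask=$(cidr_mask "${2#*/}") || return 2
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# cidr_range <network/bits>: print "first-last" address covered by the rule.
cidr_range() {
    netn=$(ip_to_int "${1%/*}") || return 2
    mask=$(cidr_mask "${1#*/}") || return 2
    first=$(( netn & mask ))
    last=$(( first | (mask ^ 4294967295) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# One line of verdict per bastion address and rule CIDR.
report() {
    rc=0; ip_in_cidr "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1 is inside $2 (range $(cidr_range "$2")); a rule scoped to $2 admits it" ;;
        1) echo "$1 is outside $2; a rule scoped to $2 blocks this bastion" ;;
        *) echo "invalid address or CIDR: $1 $2" ;;
    esac
}

# Constructed examples: a bastion in the Private Droplet's own VPC, and one in
# a peered VPC whose addresses a rule on the first VPC's CIDR never matches.
report 10.118.0.5 10.118.0.0/20
report 10.120.0.7 10.118.0.0/20
```

Run it against the bastion's VPC IP and the CIDR you intend to put in the rule; if it reports "outside", the second hop will be blocked no matter what the SSH configuration looks like, and the rule needs the peered range or the bastion's address as a /32.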
NAT gateway does not provide inbound access
- A VPC NAT gateway provides outbound internet access for Private Droplets but does not accept inbound SSH connections. The bastion host must be a Droplet, not the NAT gateway.