How to Send Outbound Traffic Over a Reserved IP
A DigitalOcean Reserved IP address is a publicly-accessible static IP address that you can assign to a Droplet and then reassign to another Droplet later, as needed. You can implement a failover mechanism with reserved IPs to build a high availability infrastructure.
Note
You can configure your Droplet’s network settings to send outbound traffic over a reserved IP address assigned to the Droplet. This causes traffic to originate from the reserved IP address instead of the Droplet’s original IPv4 address.
Originating traffic from a reserved IP address can simplify firewall management. To allow traffic to and from your Droplet, you no longer need to create separate rules for sending and receiving IP addresses. You also don’t need to change or add rules if you reassign the reserved IP to a new Droplet.
To configure a Droplet to send its outbound traffic over a reserved IP address assigned to it, you need the gateway address of the Droplet’s anchor IP address.
Most Droplets already have an anchor IP, but Droplets created before October 2015 and Droplets created using custom images don’t have anchor IPs assigned by default.
On Droplets without an anchor IP, first manually assign an anchor IP to the Droplet, then continue following this guide.
On Droplets with an anchor IP, get the gateway address by querying its metadata using a curl request. The -s flag in the request mutes any progress meters or error messages and just returns the output.
curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway
The command returns an IPv4 address, like 198.51.100.237, which is the anchor IP’s gateway address. You will use this address to update your server’s default IPv4 gateway, enabling outbound traffic from your reserved IP.
Enable Outbound Reserved IP Traffic Immediately
To immediately update your network configuration, use the ip route command to add this address as the gateway for the default route. The following command removes the default route from your Droplet’s public network interface and replaces it with a route that uses the anchor’s gateway IP address. Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the previous step:
sudo sh -c "ip route del 0/0; ip route add default via <anchor-gateway-IP-address> dev eth0"
The command may take a moment to complete, and it will print no output.
Tip
Checking the outbound IP: you can verify that the Droplet’s traffic is being routed through the reserved IP address by running another curl request:
curl -4 https://icanhazip.com/
The -4 flag instructs curl to use IPv4 only. The command fetches the icanhazip.com site, which responds with the public IP address the request originated from. It should return your reserved IP address, indicating that outbound traffic is going through the updated gateway IP.
Changes made with the ip route command will be lost when your Droplet is restarted. To make the setting persist after reboot you need to modify the Droplet’s network configuration files. How you do this depends on which operating system you’re using.
Persist Outbound Reserved IP Traffic After Reboot
First, disable cloud-init’s automatic network configuration, otherwise your settings could be overwritten:
echo "network: {config: disabled}" | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
Ubuntu 20.04 uses NetPlan to handle network configuration. Open the NetPlan file that cloud-init configured:
sudo nano /etc/netplan/50-cloud-init.yaml
Update the via entry under routes for the eth0 interface, highlighted below:
network:
version: 2
ethernets:
eth0:
addresses:
- 203.0.113.216/20
- 10.17.0.5/16
match:
macaddress: da:f8:7a:69:ce:ea
mtu: 1500
nameservers:
addresses:
- 67.207.67.2
- 67.207.67.3
search: []
routes:
- to: 0.0.0.0/0
via: <anchor-gateway-IP-address>
set-name: eth0
eth1:
addresses:
- 10.132.0.5/16
match:
macaddress: a6:08:53:fb:fb:7d
mtu: 1500
nameservers:
addresses:
- 67.207.67.2
- 67.207.67.3
search: []
set-name: eth1
Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the first step. This updates the default gateway for the interface.
Save and close the configuration file, then use the netplan command to apply the changes:
sudo netplan apply
Finally, verify that the changes to your network now persist through a reboot.
Open /etc/network/interfaces:
sudo nano /etc/network/interfaces
Update the gateway variable highlighted below:
auto lo
iface lo inet loopback
dns-nameservers 67.207.67.2 67.207.67.3
auto eth0
iface eth0 inet static
hwaddress 5e:6c:28:98:28:ce
address 203.0.113.216
netmask 255.255.240.0
gateway <anchor-gateway-IP-address>
post-up ifup eth0:1
Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the first step. This updates the default gateway for the interface.
Save and close the configuration file. Then run the following command to check the configuration’s syntax and apply the network changes:
sudo systemctl restart networking
Finally, verify that the changes to your network now persist through a reboot.
Open /etc/sysconfig/network-scripts/ifcfg-eth0:
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
Update the GATEWAY= variable highlighted below:
BOOTPROTO=none
DEFROUTE=yes
DEVICE=eth0
GATEWAY=<anchor-gateway-IP-address>
HWADDR=36:7d:f2:8d:72:15
IPADDR=203.0.113.216
IPADDR1=10.17.0.5
MTU=1500
NETMASK=255.255.240.0
NETMASK1=255.255.0.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the first step. This updates the default gateway for the interface.
Save and close the configuration file, then use nmcli to restart networking on your Droplet:
sudo sh -c "nmcli networking off; nmcli networking on"
Finally, verify that the changes to your network now persist through a reboot.