How to Send Outbound Traffic Over a Reserved IP

DigitalOcean reserved IPs are publicly accessible static IP addresses that you can assign to Droplets and instantly remap between other Droplets in the same datacenter. Implement a failover mechanism with reserved IPs to build a high-availability infrastructure.

Note
The Floating IP service is now called Reserved IPs. The Reserved IP service retains the same functionality as the prior service.

You can configure your Droplet’s network settings to send outbound traffic over a reserved IP address assigned to the Droplet. This causes traffic to originate from the reserved IP address instead of the Droplet’s original IPv4 address.

Originating traffic from a reserved IP address can simplify firewall management. To allow traffic to and from your Droplet, you no longer need to create separate rules for sending and receiving IP addresses. You also don’t need to change or add rules if you reassign the reserved IP to a new Droplet.

To configure a Droplet to send its outbound traffic over a reserved IP address assigned to it, you need the gateway address of the Droplet’s anchor IP address.

Most Droplets already have an anchor IP, but Droplets created before October 2015 and Droplets created using custom images don’t have anchor IPs assigned by default.

On Droplets without an anchor IP, first manually assign an anchor IP to the Droplet, then continue following this guide.

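On Droplets with an anchor IP, get the gateway address by querying its metadata using a curl request. The -s flag in the request mutes any progress meters or error messages and just returns the output. Because error messages are suppressed too, a failed request prints nothing, so confirm that the output is an IPv4 address before you use it.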

curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway

The command returns an IPv4 address, like 198.51.100.237, which is the anchor IP’s gateway address. You will use this address to update your server’s default IPv4 gateway, enabling outbound traffic from your reserved IP.

Enable Outbound Reserved IP Traffic Immediately

To immediately update your network configuration, use the ip route command to add this address as the gateway for the default route. The following command removes the default route from your Droplet’s public network interface and replaces it with a route that uses the anchor’s gateway IP address. Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the previous step:

sudo sh -c "ip route del 0/0; ip route add default via <anchor-gateway-IP-address> dev eth0"

The command may take a moment to complete, and it will print no output.

Tip

Checking the outbound IP: you can verify that the Droplet’s traffic is being routed through the reserved IP address by running another curl request:

curl -4 https://icanhazip.com/

The -4 flag instructs curl to use IPv4 only. The command fetches the icanhazip.com site, which responds with the public IP address the request originated from. It should return your reserved IP address, indicating that outbound traffic is going through the updated gateway IP.
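The steps above combined into one script, as an added example that is not DigitalOcean's own code: it validates the metadata response before changing any route, and it uses ip route replace instead of the del/add pair so that a rejected or empty gateway value cannot leave the Droplet without a default route. The script name set-gateway.sh, the function names, and eth0 as the public interface are assumptions.

```shell
#!/bin/sh
# Added example, not DigitalOcean's script. Assumes eth0 is the public interface.
URL="http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway"

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the route command for a validated gateway. Prints nothing and fails
# when the value is not an IPv4 address (for example, empty curl -s output).
route_command() {
    is_ipv4 "$1" || return 1
    printf 'ip route replace default via %s dev %s\n' "$1" "${2:-eth0}"
}

# Fetch the gateway, validate it, then swap the default route in one step.
apply_route() {
    gw=$(curl -sf --max-time 5 "$URL") || { echo "metadata query failed" >&2; return 1; }
    cmd=$(route_command "$gw" eth0) || { echo "unexpected gateway: $gw" >&2; return 1; }
    $cmd
}

# Succeed if icanhazip.com sees the request coming from the given address.
outbound_is() {
    [ "$(curl -4 -sf --max-time 5 https://icanhazip.com/)" = "$1" ]
}

# Routing changes only when asked: sudo sh set-gateway.sh apply <reserved-IP>
if [ "${1:-}" = "apply" ]; then
    apply_route && outbound_is "${2:-}" && echo "outbound traffic uses $2"
fi
```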

Changes made with the ip route command will be lost when your Droplet is restarted. To make the setting persist after reboot you need to modify the Droplet’s network configuration files. How you do this depends on which operating system you’re using.

Persist Outbound Reserved IP Traffic After Reboot

First, disable cloud-init’s automatic network configuration, otherwise your settings could be overwritten:

echo "network: {config: disabled}" | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Ubuntu 20.04 uses NetPlan to handle network configuration. Open the NetPlan file that cloud-init configured:

sudo nano /etc/netplan/50-cloud-init.yaml

Update the via entry under routes for the eth0 interface, highlighted below:

network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - 203.0.113.216/20
            - 10.17.0.5/16
            match:
                macaddress: da:f8:7a:69:ce:ea
            mtu: 1500
            nameservers:
                addresses:
                - 67.207.67.2
                - 67.207.67.3
                search: []
            routes:
            -   to: 0.0.0.0/0
                via: <anchor-gateway-IP-address>
            set-name: eth0
        eth1:
            addresses:
            - 10.132.0.5/16
            match:
                macaddress: a6:08:53:fb:fb:7d
            mtu: 1500
            nameservers:
                addresses:
                - 67.207.67.2
                - 67.207.67.3
                search: []
            set-name: eth1

Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the first step. This updates the default gateway for the interface.

Save and close the configuration file, then use the netplan command to apply the changes:

sudo netplan apply

Finally, verify that the changes to your network now persist through a reboot.

On distributions configured through /etc/network/interfaces, such as Debian, open that file:

sudo nano /etc/network/interfaces

Update the gateway variable highlighted below:

auto lo
iface lo inet loopback
        dns-nameservers  67.207.67.2 67.207.67.3

auto eth0
iface eth0 inet static
        hwaddress 5e:6c:28:98:28:ce
        address   203.0.113.216
        netmask   255.255.240.0
        gateway   <anchor-gateway-IP-address>
        post-up ifup eth0:1

Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the first step. This updates the default gateway for the interface.

Save and close the configuration file. Then run the following command to check the configuration’s syntax and apply the network changes:

sudo systemctl restart networking

Finally, verify that the changes to your network now persist through a reboot.

On distributions that use ifcfg network scripts, such as CentOS, open /etc/sysconfig/network-scripts/ifcfg-eth0:

sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0

Update the GATEWAY= variable highlighted below:

BOOTPROTO=none
DEFROUTE=yes
DEVICE=eth0
GATEWAY=<anchor-gateway-IP-address>
HWADDR=36:7d:f2:8d:72:15
IPADDR=203.0.113.216
IPADDR1=10.17.0.5
MTU=1500
NETMASK=255.255.240.0
NETMASK1=255.255.0.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no

Be sure to replace <anchor-gateway-IP-address> with the IP address you retrieved in the first step. This updates the default gateway for the interface.

Save and close the configuration file, then use nmcli to restart networking on your Droplet:

sudo sh -c "nmcli networking off; nmcli networking on"

Finally, verify that the changes to your network now persist through a reboot.