# How to Send Outbound Traffic Over a Reserved IP DigitalOcean Reserved IPs are publicly-accessible static IPv4 and IPv6 addresses. Assign and reassign reserved IP addresses to Droplets as needed, or implement an automated failover mechanism with reserved IPs to build a high availability infrastructure. You can configure your Droplet’s network settings to send outbound traffic over a reserved IP address assigned to the Droplet. This causes traffic to originate from the reserved IP address instead of the Droplet’s original address. For reserved IPv4, follow the sections below. For reserved IPv6, see [Reserved IPv6](#ipv6). ## Prerequisites To configure a Droplet to send its outbound traffic over a reserved IP address, you must first [assign the reserved IP address to the Droplet](https://docs.digitalocean.com/products/networking/reserved-ips/how-to/create/index.html.md) and then obtain the Droplet’s gateway anchor IP address. Most Droplets already have an anchor IP, but Droplets created before October 2015 and Droplets created using [custom images](https://docs.digitalocean.com/products/custom-images/index.html.md) don’t have anchor IPs assigned by default. On Droplets without an anchor IP, first [manually assign an anchor IP to the Droplet](https://docs.digitalocean.com/products/networking/reserved-ips/how-to/manually-enable/index.html.md#enable-anchor-ips-immediately), then continue following this guide. On Droplets with an anchor IP, get the gateway address by querying its [metadata](https://docs.digitalocean.com/reference/api/metadata/index.html.md) using a `curl` request. The `-s` flag mutes any progress meters or error messages and returns only the output. ```shell curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/gateway ``` The command returns the anchor IP’s gateway address. You need to use this address to update your server’s default IPv4 gateway, enabling outbound traffic from your reserved IP. ## Enable Outbound Reserved IP Traffic Immediately To immediately update your network configuration, use the `ip route` command to add this address as the gateway for the default route. The following command removes the default route from your Droplet’s public network interface and replaces it with a route that uses the anchor’s gateway IP address. Replace `` with the IP address you retrieved in the previous step: ```shell sudo sh -c "ip route del 0/0; ip route add default via dev eth0" ``` The command may take a moment to complete and prints no output. Verify that the Droplet’s traffic is being routed through the reserved IP address by sending a `curl` request to `icanhazip.com`, a website that returns the request’s originating public IP. The `-4` flag instructs `curl` to use the Droplet’s IPv4 address only: ```shell curl -4 https://icanhazip.com/ ``` Changes made with the `ip route` command are lost when you restart your Droplet. To make the setting persist after reboot, you need to modify the Droplet’s network configuration files. How you do this depends on which operating system you’re using. ## Persist Outbound Reserved IP Traffic After Reboot First, disable cloud-init’s automatic network configuration, otherwise your settings could be overwritten: ```shell echo "network: {config: disabled}" | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg ``` ## Ubuntu 20.04+, Debian 12+ Open the Droplet’s network interface configuration file: ```shell sudo nano /etc/netplan/50-cloud-init.yaml ``` Under the `eth0` configuration, update the `via` field under the `routes` section to use the Droplet’s anchor IP gateway address: `/etc/netplan/50-cloud-init.yaml` ```yaml network: version: 2 ethernets: eth0: addresses: - 203.0.113.216/20 - 10.17.0.5/16 match: macaddress: da:f8:7a:69:ce:ea mtu: 1500 nameservers: addresses: - 67.207.67.2 - 67.207.67.3 search: [] routes: - to: 0.0.0.0/0 via: set-name: eth0 eth1: addresses: - 10.132.0.5/16 match: macaddress: a6:08:53:fb:fb:7d mtu: 1500 nameservers: addresses: - 67.207.67.2 - 67.207.67.3 search: [] set-name: eth1 ``` This updates the default gateway for the interface. Save and close the configuration file, then use the `netplan` command to apply the changes: ```shell sudo netplan apply ``` Verify that the changes to your network now persist through a reboot: ```shell sudo reboot ``` ## Debian 11 Open the Droplet’s network interface configuration file: ```shell sudo nano /etc/network/interfaces ``` Update the `gateway` field with the Droplet’s anchor IP gateway address: `/etc/network/interfaces` ```text auto lo iface lo inet loopback dns-nameservers 67.207.67.2 67.207.67.3 auto eth0 iface eth0 inet static hwaddress 5e:6c:28:98:28:ce address 203.0.113.216 netmask 255.255.240.0 gateway post-up ifup eth0:1 ``` This updates the default gateway for the interface. Save and close the configuration file. Then run the following command to check the configuration’s syntax and apply the network changes: ```shell sudo systemctl restart networking ``` Verify that the changes to your network now persist through a reboot: ```shell sudo reboot ``` ## Fedora 38 Open the Droplet’s public network interface configuration file: ```shell nano /etc/NetworkManager/system-connections/cloud-init-eth0.nmconnection ``` Under the `[ipv4]` section, replace the second IP address in the `route1` field with your Droplet’s anchor gateway IP address: `/etc/NetworkManager/system-connections/cloud-init-eth0.nmconnection` ```ini [connection] id=cloud-init eth0 uuid=1dd9a779-d327-56e1-8454-c65e2556c12c type=ethernet [user] org.freedesktop.NetworkManager.origin=cloud-init [ethernet] mtu=1500 mac-address=E2:67:39:7C:55:85 [ipv4] method=manual may-fail=false address1=143.110.211.104/20 route1=0.0.0.0/0, address2=10.20.0.7/16 ``` This updates the default gateway for the interface. Save and close the file, then reboot the Droplet: ```shell sudo reboot ``` ## CentOS 8+, AlmaLinux 9, Rocky Linux 9 Open the Droplet’s public network interface configuration file: ```shell sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0 ``` Update the `GATEWAY=` field with the Droplet’s anchor gateway IP address: `/etc/sysconfig/network-scripts/ifcfg-eth0` ```shell BOOTPROTO=none DEFROUTE=yes DEVICE=eth0 GATEWAY= HWADDR=36:7d:f2:8d:72:15 IPADDR=203.0.113.216 IPADDR1=10.17.0.5 MTU=1500 NETMASK=255.255.240.0 NETMASK1=255.255.0.0 ONBOOT=yes TYPE=Ethernet USERCTL=no ``` This updates the default gateway for the interface. Save and close the configuration file, then reboot the Droplet: ```shell sudo reboot ``` Once the Droplet has rebooted, log back in to the Droplet and verify that its traffic is being routed through the reserved IP address by sending another `curl` request to `icanhazip.com`: ```shell curl -4 https://icanhazip.com/ ``` ## Disable Outbound Reserved IP Traffic To reverse this change, first retrieve the gateway address of the Droplet’s public interface: ```shell curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/gateway ``` The command returns the interface’s gateway address. Use the `ip route` command to remove the reserved IP gateway and add back the original gateway address of the Droplet. Replace `` with the IP address you retrieved in the previous step: ```shell sudo sh -c "ip route del 0/0; ip route add default via dev eth0" ``` The command may take a moment to complete and prints no output. Verify that the Droplet’s traffic is being routed through its assigned IP address by sending a `curl` request to `icanhazip.com`, a website that returns the request’s originating public IP. The `-4` flag instructs `curl` to use the Droplet’s IPv4 address only: ```shell curl -4 https://icanhazip.com/ ``` Changes made with the `ip route` command are lost when you restart your Droplet. If you followed the [Persist Outbound Reserved IP Traffic After Reboot](#persist-outbound-reserved-ip-traffic-after-reboot) section above, you need to revert those changes, as well. Follow those directions again using the gateway address of the Droplet’s public interface that you retrieved at the beginning of this section. ## Reserved IPv6 By default, the [Enable Reserved IPv6](https://docs.digitalocean.com/products/networking/reserved-ips/how-to/manually-enable/index.html.md#enable-reserved-ipv6) script assigns the reserved IPv6 address to the Droplet’s loopback interface and configures a default route. If the Droplet does not have a static IPv6 address, outbound traffic automatically uses the reserved IPv6 as its source address. If the Droplet has a static IPv6, outbound traffic continues to use the static IPv6 as its source by default. To explicitly configure outbound traffic to use the reserved IPv6 as its source address, use the following modified script. This script sets the `src` parameter on IPv6 routes and, if the Droplet has a static IPv6, also updates the subnet route. ```bash #!/bin/bash -eu IFACE_ETH0="eth0" IFACE_LO="lo" PREFIX_LEN="128" # get Droplet metadata md=$(curl -s 169.254.169.254/metadata/v1.json) # get reserved IPv6 info from metadata md_rip6_json=$(echo "${md}" | jq -r '.reserved_ip.ipv6') # get static IPv6 subnet from metadata static_ipv6_subnet="$(echo "${md}" | jq -r '.interfaces.public[0].ipv6.gateway')/64" case "$(echo "${md_rip6_json}" | jq -r '.active')" in "true") # if active, set up interface and routes rip6=$(echo "${md_rip6_json}" | jq -r '.ip_address') ip -6 addr replace "${rip6}/${PREFIX_LEN}" dev ${IFACE_LO} scope global echo "Assigned ${rip6}/${PREFIX_LEN} to ${IFACE_LO}" ip -6 route replace default dev ${IFACE_ETH0} src ${rip6} echo "Created default IPv6 route via ${IFACE_ETH0} with source ${rip6}" # if the Droplet has a static IPv6, update the subnet route # to also use the reserved IPv6 as the source address if [[ "${static_ipv6_subnet}" != "null/64" && "${static_ipv6_subnet}" != "/64" ]]; then ip -6 route delete ${static_ipv6_subnet} dev ${IFACE_ETH0} ip -6 route add ${static_ipv6_subnet} dev ${IFACE_ETH0} src ${rip6} echo "Updated static IPv6 subnet route with source ${rip6}" fi ;; "false") # if inactive, clean up interface and routes ip -6 addr flush dev ${IFACE_LO} scope global echo "Removed all Reserved IPv6 addresses from ${IFACE_LO}" # if the Droplet has a static IPv6, restore routes to their # original state without the reserved IPv6 source address if [[ "${static_ipv6_subnet}" != "null/64" && "${static_ipv6_subnet}" != "/64" ]]; then ip -6 route replace default dev ${IFACE_ETH0} echo "Restored default IPv6 route via ${IFACE_ETH0}" ip -6 route replace ${static_ipv6_subnet} dev ${IFACE_ETH0} echo "Restored static IPv6 subnet route" elif [[ "$(ip -6 route show default dev ${IFACE_ETH0})" != "" && "$(ip -6 addr show dev ${IFACE_ETH0} scope global)" == "" ]]; then ip -6 route delete default dev ${IFACE_ETH0} echo "Deleted default IPv6 route via ${IFACE_ETH0}" fi ;; esac ``` This script requires `jq` and `curl`. Run it directly on the command line to verify it is functioning properly, then create a cron job or systemd timer to run it periodically. To verify that outbound traffic uses the reserved IPv6, run: ```shell curl https://ipv6.icanhazip.com/ ``` The command should return your reserved IPv6 address. If it returns the Droplet’s static IPv6 address instead, verify that the script ran successfully and that routes include the `src` parameter by running `ip -6 route show`. **Note**: This script replaces the basic enable script from the [Enable Reserved IPv6](https://docs.digitalocean.com/products/networking/reserved-ips/how-to/manually-enable/index.html.md#enable-reserved-ipv6) page. If you use this script, you do not need to run the enable script separately.