VPC Features
Validated on 19 Nov 2025 • Last edited on 19 Nov 2025
A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage. You can link VPC networks to each other using VPC peering connections.
VPC networks are private networks that contain collections of resources isolated from the public internet and from other VPC networks within your account, project, or between teams in the same datacenter region. This means your resources, such as Droplets and databases, can reside in a network that is only accessible to other resources in the same network.
You can use VPC networks to organize and isolate resources in a more secure infrastructure for your applications, execution environments, and tenancies. VPC networks provide control over your networking environment: you can choose your network’s IP range, set up cloud firewalls, configure NAT gateways, connect VPC networks through peering, and connect to external networks through Partner Network Connect.
You can create a variety of new resources in a VPC network, but you can’t migrate all kinds of resources between networks. The following table lists DigitalOcean resources compatible with VPC networks and which ones support migration:
| Resource Type | Create within VPCs | Migrate between VPCs |
|---|---|---|
| Droplets | Creation supported. | Migration supported using snapshots. |
| Managed databases | Creation supported. | Native migration supported. |
| Kubernetes clusters | Creation supported. | Not supported. |
| Load balancers | Creation supported. | Not supported. |
| NAT gateways (currently in public preview) | Creation supported. | Not supported. |
| Spaces | Not applicable. | Not applicable. |
| Volumes | Not applicable. | Not applicable. |
Internet Gateways
Internet gateways route traffic between your VPC resources and the public internet. This enables isolating backend resources while maintaining controlled internet connectivity.
NAT Gateways
DigitalOcean provides a managed Network Address Translation (NAT) Gateway service that centralizes outbound internet access for resources within a VPC network in a datacenter.
NAT Gateways provide:
- Fully managed service maintained by DigitalOcean
- High availability and scalability
- Simple configuration and maintenance
- Enhanced security features
The following diagrams contrast how traffic is routed without and with a NAT Gateway.
Network without Internet Gateway
```mermaid
flowchart LR
    subgraph Datacenter Region
        subgraph VPC 10.0.220.0/16
            ServerA(Web Server)
            ServerB(Web Server)
            ServerC(Web Server)
        end
    end
    ServerA --> Internet(Internet)
    ServerB --> Internet
    ServerC --> Internet
```
Network with NAT Gateway
```mermaid
flowchart LR
    subgraph Datacenter Region
        subgraph VPC 10.0.220.0/16
            ServerA(Web Server) --> NATGateway(NAT Gateway)
            ServerB(Web Server) --> NATGateway
            ServerC(Web Server) --> NATGateway
        end
    end
    NATGateway --> Internet(Internet)
```
NAT Gateway Features
The following table details the specific features and functionality of NAT Gateways:
| Feature | Description |
|---|---|
| Size tiers | Available in 1-16 increments. Each increment provides 25 Mbps of symmetrical bandwidth and 100 GiB of outbound data transfer per month. |
| Timeouts | Configure idle timeout values for TCP, UDP, and ICMP connections. |
| Default gateway | Set one NAT gateway as the default gateway for a VPC. Droplets configured to use the VPC gateway IP automatically route through the default NAT gateway without requiring manual route updates when switching gateways. |
| Redundancy | Create multiple NAT gateways in a single VPC for redundancy or capacity scaling. Only one can be set as the default gateway at a time. |
| Static egress IPs | Each NAT gateway receives one or more static public IP addresses for outbound traffic, simplifying firewall allowlist management. |
To learn how to set up NAT Gateways, see How to Create a NAT Gateway. For implementation guidance and security considerations, see VPC Best Practices.
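Because each NAT gateway sends outbound traffic from static public IPs, the allowlisted destination can check whether requests made with your workloads' credentials really left through the gateway. The following is an added example, not DigitalOcean code: the egress IPs, client ID, and access-log format are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for this sketch (constructed values, not from the page):
# the NAT gateway's static egress IPs and the client ID our VPC workloads use.
NAT_EGRESS_IPS = {ipaddress.ip_address(ip) for ip in ("203.0.113.10", "203.0.113.11")}
OUR_CLIENT_ID = "svc-orders"

# Constructed access-log lines from the allowlisted upstream service,
# hypothetical format: <timestamp> <source_ip> <client_id> <request_path>
SAMPLE_LOG = """\
2025-11-19T10:00:01Z 203.0.113.10 svc-orders /v1/charge
2025-11-19T10:00:02Z 203.0.113.11 svc-orders /v1/charge
2025-11-19T10:00:03Z 198.51.100.77 svc-orders /v1/charge
2025-11-19T10:00:04Z 192.0.2.44 other-tenant /v1/charge
2025-11-19T10:00:05Z 198.51.100.77 svc-orders /v1/refund
2025-11-19T10:00:06Z not-an-ip svc-orders /v1/charge
truncated
"""


def parse_line(line):
    """Return (timestamp, ip, client_id, path), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, raw_ip, client_id, path = parts
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        return None
    return ts, ip, client_id, path


def audit_egress(log_text, egress_ips, client_id):
    """Count our client's requests per source IP that did not leave via the NAT gateway."""
    off_gateway = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so malformed input is visible, not silently dropped
            continue
        _, ip, cid, _ = rec
        if cid == client_id and ip not in egress_ips:
            off_gateway[str(ip)] += 1
    return dict(off_gateway), skipped


if __name__ == "__main__":
    findings, skipped = audit_egress(SAMPLE_LOG, NAT_EGRESS_IPS, OUR_CLIENT_ID)
    for ip, count in sorted(findings.items()):
        print(f"{count} request(s) as {OUR_CLIENT_ID} from non-gateway IP {ip}")
    print(f"{skipped} unparseable line(s) skipped")
```

A hit means either a workload is reaching the internet without going through the NAT gateway or the credential is being used from outside the VPC; both warrant investigation.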