How to Configure a Droplet as a VPC Gateway

A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks provide a more secure connection between resources because the network is inaccessible from the public internet and other VPC networks. Traffic within a VPC network doesn’t count against bandwidth usage.


You can configure Droplets as internet gateways that let you access your VPC network from the internet. Gateways are commonly used to provide access to VPC networks from on-premise networks or applications while maintaining the isolation of the VPC network.

VPC network's with and without a gateway.

This guide explains how to configure gateway and backend Droplets for Ubuntu, Debian, and CentOS.

Warning
We recommend testing this configuration process before implementing it on Droplet critical to your infrastructure. Configuring internet gateways involves more complicated networking changes, and if something goes wrong, it could cause permanent connection problems.

To begin configuring your Droplets, choose the OS your Droplet’s use:

Configure Gateway Droplet

To configure your gateway Droplet, you need to configure its IP forwarding and the NAT settings.

Configure IP Forwarding

IP forwarding allows the Droplet to act as a router and forward packets to target Droplets within your VPC network.

To enable IP forwarding, connect to your Droplet and run:

sysctl -w net.ipv4.ip_forward=1

To persist these changes, open /etc/sysctl.conf in a text editor. Add the line net.ipv4.ip_forward=1 to the bottom of the file, then save it. Depending on your Linux distribution, this line may already exist in the file, commented out. In this case, uncomment it by deleting the # at the front of the line.

    
        
            
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

        
    

Configure NAT

Network address translation (NAT) converts the private IP addresses associated with your VPC network’s traffic to the IP address of your internet gateway, and vice versa. This allows the gateway to correctly route traffic between your VPC network and your on-premises network.

To configure your gateway’s NAT, install iptables:

sudo apt-get update
sudo apt-get install iptables

Using iptables, configure your Droplet to translate traffic from your VPC network’s subnet to the public IP of the Droplet using this command, replacing {vpc_network_prefix} with your VPC network’s private IP prefix and {public_interface_name} with your gateway’s public interface name:

iptables -t nat -A POSTROUTING -s {vpc_network_prefix} -o {public_interface_name} -j MASQUERADE

For example, if the VPC network’s prefix is 10.116.0.0/20 and the gateway’s public interface name is ens3, then the command would be iptables -t nat -A POSTROUTING -s 10.116.0.0/20 -o ens3 -j MASQUERADE.

To locate your VPC network’s prefix in the control panel, click Networking in the main menu, then select the VPC tab. From the list of VPC networks, locate the target network. The network’s prefix is listed beside the public name in the second column.

VPC network's name and prefix

Your Droplet’s public interface name can be found using the route command:

route -n | awk '$1 == "0.0.0.0" {print $8}'

To persist these changes so that the NAT rule is automatically enabled when the Droplet boots up, install iptables-persistent:

sudo apt-get install iptables-persistent

Upon successful installation, iptables-persistent asks if you want to save the current IPv4 rules. Select Yes.

To save future IPv4 rule changes, use the command iptables-save > /etc/iptables/rules.v4.

Configure Backend Droplets

You need to configure any Droplets accessing the internet via the gateway to accept traffic from the gateway.

First, log into the backend Droplet through the newly-created gateway. If you log into the backend Droplet using its public IP address, it will drop the SSH connection when you change the configuration. Execute this command from your local machine:

ssh -o ProxyCommand="ssh -W %h:%p [email protected]{public_IP_of_gateway_Droplet}" [email protected]{private_IP_of_backend_Droplet}

Once logged into the Droplet, add an IP route to your network configuration so the Droplet can retain access to its metadata endpoint (169.254.169.254). The metadata endpoint allows the Droplet to access data about itself. To do this, locate the original gateway IP address of the backend Droplet by running:

route -n

The Droplet returns its routing table.

    
        
            
Kernel IP routing table
Destination     Gateway              Genmask         Flags Metric Ref    Use Iface
0.0.0.0         {your_gateway_IP}    0.0.0.0         UG    0      0        0 eth0

        
    

The Droplet’s gateway IP address is located in the Gateway column. To create the necessary IP route, run the following command, replacing the <your-gateway-IP> value with the gateway IP address from the routing table:

ip route add 169.254.169.254 via {your-gateway-IP} dev eth0

The command line returns a blank prompt when executed. You can run route -n again to ensure that you entered the route correctly.

Next, add your new gateway Droplet’s IP route to the backend Droplet’s network configuration:

ip route change default via {private_IP_of_gateway_Droplet}

For example, if the private IP of the gateway Droplet is 10.20.30.2, the command would be: ip route change default via 10.20.30.2

To persist these changes and ensure that the Droplet boots with the new default route, edit the network configuration file on the Droplet. Before you do, we recommend making a backup make a copy of the default network configuration file.

To edit your network configuration file for Ubuntu 20.04 or 18.04, open /etc/netplan/50-cloud-init.yaml in a text editor.

To edit your network configuration file for Ubuntu 16.04, open /etc/network/interfaces.d/50-cloud-init.cfg in a text editor.

In Ubuntu 20.04 and 18.04, remove the gateway4: {IP_address} field from the eth0 interface and add the following route to the eth1 interface:

    
        
            
# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  version: 2
  ethernets:
      eth0:
          addresses:
          - 138.197.170.8/20
          - 10.20.0.7/16
          gateway4: {ORIGINAL GATEWAY ADDRESS}
# Remove the `gateway4: {ORIGINAL GATEWAY ADDRESS}` from the file.
          match:
              macaddress: 5e:b9:00:5a:f1:db
          nameservers:
              addresses:
              - 67.207.67.2
              - 67.207.67.3
              search: []
          set-name: eth0
      eth1:
          addresses:
          - 10.1.0.5/20
          match:
              macaddress: f2:5a:24:82:32:b9
          nameservers:
              addresses:
              - 67.207.67.2
              - 67.207.67.3
              search: []
          routes:
          -   to: 0.0.0.0/0
              via: {PRIVATE IP ADDRESS OF YOUR GATEWAY DROPLET}
# Add these fields to the file.
          set-name: eth1

        
    

In Ubuntu 16.04, remove the gateway {IP_address} field from the eth0 interface and add your gateway’s private IP address to the eth1 interface configuration:

    
        
            
# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
auto lo
iface lo inet loopback
    dns-nameservers 67.207.67.2 67.207.67.3

auto eth0
iface eth0 inet static
    address 128.199.31.50/20
    gateway {original-gateway-IP}
# Delete the gateway line

# control-alias eth0
iface eth0 inet6 static
    address 2400:6180:0100:00D0:0000:0000:0A27:C001/64
    gateway 2400:6180:0100:00D0:0000:0000:0000:0001

# control-alias eth0
iface eth0 inet static
    address 10.47.0.11/16

auto eth1
iface eth1 inet static
    address 10.139.40.98/16
    gateway   {gateway-droplet-private-IP-address}
# Add a gateway line with your gateway Droplet's private IP address

        
    

Save the changes and exit the file. Then run the following command to apply the new network configuration:

netplan apply -debug

The -debug flag returns any YAML formatting errors in the configuration file. If formatted correctly, the command returns a blank prompt.

Configure Gateway Droplet

To configure your gateway Droplet, you need to configure its IP forwarding and the NAT settings.

Configure IP Forwarding

IP forwarding allows the Droplet to act as a router and forward packets to target Droplets within your VPC network.

To enable IP forwarding, connect to your Droplet and run:

sysctl -w net.ipv4.ip_forward=1

To persist these changes, open /etc/sysctl.conf in a text editor. Add the line net.ipv4.ip_forward=1 to the bottom of the file, then save it. Depending on your Linux distribution, this line may already exist in the file, commented out. In this case, uncomment it by deleting the # at the front of the line.

    
        
            
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

        
    

Configure NAT

Network address translation (NAT) converts the private IP addresses associated with your VPC network’s traffic to the IP address of your internet gateway, and vice versa. This allows the gateway to correctly route traffic between your VPC network and your on-premises network.

To configure your gateway’s NAT, install iptables:

sudo apt-get update
sudo apt-get install iptables

Using iptables, configure your Droplet to translate traffic from your VPC network’s subnet to the public IP of the Droplet using this command, replacing {vpc_network_prefix} with your VPC network’s private IP prefix and {public_interface_name} with your gateway’s public interface name:

iptables -t nat -A POSTROUTING -s {vpc_network_prefix} -o {public_interface_name} -j MASQUERADE

For example, if the VPC network’s prefix is 10.116.0.0/20 and the gateway’s public interface name is ens3, then the command would be iptables -t nat -A POSTROUTING -s 10.116.0.0/20 -o ens3 -j MASQUERADE.

To locate your VPC network’s prefix in the control panel, click Networking in the main menu, then select the VPC tab. From the list of VPC networks, locate the target network. The network’s prefix is listed beside the public name in the second column.

VPC network's name and prefix

Your Droplet’s public interface name can be found using the route command:

route -n | awk '$1 == "0.0.0.0" {print $8}'

To persist these changes so that the NAT rule is automatically enabled when the Droplet boots up, install iptables-persistent:

sudo apt-get install iptables-persistent

Upon successful installation, iptables-persistent asks if you want to save the current IPv4 rules. Select Yes.

To save future IPv4 rule changes, use the command iptables-save > /etc/iptables/rules.v4.

Configure Backend Droplets

You need to configure any Droplets accessing the internet via the gateway to accept traffic from the gateway.

First, log into the backend Droplet through the newly-created gateway. If you log into the backend Droplet using its public IP address, it will drop the SSH connection when you change the configuration. Execute this command from your local machine:

ssh -o ProxyCommand="ssh -W %h:%p [email protected]{public_IP_of_gateway_Droplet}" [email protected]{private_IP_of_backend_Droplet}

Once logged into the Droplet, add an IP route to your network configuration so the Droplet can retain access to its metadata endpoint (169.254.169.254). The metadata endpoint allows the Droplet to access data about itself. To do this, locate the original gateway IP address of the backend Droplet by running:

route -n

The Droplet returns its routing table.

    
        
            
Kernel IP routing table
Destination     Gateway              Genmask         Flags Metric Ref    Use Iface
0.0.0.0         {your_gateway_IP}    0.0.0.0         UG    0      0        0 eth0

        
    

The Droplet’s gateway IP address is located in the Gateway column. To create the necessary IP route, run the following command, replacing the {your-gateway-IP} value with the gateway IP address from the routing table:

ip route add 169.254.169.254 via {your-gateway-IP} dev eth0

The command line returns a blank prompt when executed. You can run route -n again to ensure that you entered the route correctly.

Next, add your new gateway Droplet’s IP route to the backend Droplet’s network configuration:

ip route change default via {private_IP_of_gateway_Droplet}

For example, if the private IP of the gateway Droplet is 10.20.30.2, the command would be: ip route change default via 10.20.30.2

To persist these changes and ensure that the Droplet boots with the new default route, edit the network configuration file on the Droplet. Before you do, we recommend making a backup make a copy of the default network configuration file.

To edit your network configuration file, open /etc/network/interfaces in a text editor.

Remove the gateway {IP_address} field from the eth0 interface and add your gateway’s private IP address to the eth1 configuration:

    
        
            
# Generated by the DigitalOcean provisioning process on 2020-09-25T22:03:50Z
# See 'man interfaces' on a Debian/Ubuntu systems.
# The network configuration was generated from http://169.254.169.254/metadata/v1.json.
# You may also find the it on the locally attached CDROM under 'digitalocean_meta_data.json'

auto lo
iface lo inet loopback
        dns-nameservers  67.207.67.2 67.207.67.3

auto eth0
iface eth0 inet static
        hwaddress 7a:19:7c:15:8d:77
        address   165.22.216.241
        netmask   255.255.240.0
        gateway   {original-gateway-IP-address}
# Delete the gateway line
        post-up ifup eth0:1

iface eth0 inet6 static
        hwaddress 7a:19:7c:15:8d:77
        address   2400:6180:0100:00D0:0000:0000:09F6:C001/64
        gateway   2400:6180:0100:00D0:0000:0000:0000:0001

auto eth0:1
iface eth0:1 inet static
        hwaddress 7a:19:7c:15:8d:77
        address   10.47.0.8/255.255.0.0

auto eth1
iface eth1 inet static
        hwaddress b6:cd:08:a6:b1:d6
        address   10.139.40.95
        netmask   255.255.0.0
        gateway   {gateway-droplet-private-IP-address}
# Add a gateway line with your gateway Droplet's private IP address

        
    

Save the changes and exit the file.

Configure Gateway Droplet

To configure your gateway Droplet, you need to configure its IP forwarding and the NAT settings.

Configure IP Forwarding

IP forwarding allows the Droplet to act as a router and forward packets to target Droplets within your VPC network.

To enable IP forwarding, connect to your Droplet and run:

sysctl -w net.ipv4.ip_forward=1

To persist these changes, create the file /etc/sysctl.d/10-ip-forwarding.conf in a text editor. Add the line net.ipv4.ip_forward=1 to the file, then save it.

    
        
            
net.ipv4.ip_forward=1

        
    

Configure NAT

Network Address Translation (NAT) converts the private IP addresses associated with your VPC network’s traffic to the IP address of your internet gateway, and vice versa. This allows the gateway to correctly route traffic between your VPC network and your on-premises network.

To configure your gateway’s NAT, install iptables:

yum install iptables

Using iptables, configure your Droplet to translate traffic from your VPC network’s subnet to the public IP of the Droplet:

iptables -t nat -A POSTROUTING -s {vpc_network_prefix} -o {gateway_public_interface_name} -j MASQUERADE

replacing {vpc_network_prefix} with your VPC network’s private IP prefix and {gateway_public_interface_name} with your VPC network’s public name.

For example, if the VPC network’s prefix is 10.116.0.0/20, and the public interface name is eth0 the command would be iptables -t nat -A POSTROUTING -s 10.116.0.0/20 -o eth0 -j MASQUERADE

To locate your VPC network’s prefix from the control panel, click Networking in the main menu, then select the VPC tab. From the list of VPC networks, locate the target network. The network’s prefix is listed beside the public name in the second column.

VPC network's name and prefix

To persist these changes so that the NAT rule is automatically enabled when the Droplet boots up, run:

iptables-save > /etc/sysconfig/iptables

Your new NAT configuration is saved.

To confirm that the configuration runs at startup, use the find command to view a list of services and files that run at startup:

find /etc -type f -atime -1

If /etc/sysconfig/iptables is in the list, the iptables configuration will run at startup.

Configure Backend Droplets

You need to configure any Droplets accessing the internet via the gateway to accept traffic from the gateway.

First, log into the backend Droplet through the newly-created gateway. If you log into the Droplet using its public IP address, it will drop the SSH connection when you change the configuration.

To log in to the backend Droplet through the newly created gateway, run the following command from your local machine:

ssh -o ProxyCommand="ssh -W %h:%p [email protected]<public_IP_of_gateway_Droplet>" [email protected]{private_IP_of_backend_Droplet}

Once logged into the Droplet, add an IP route to your network configuration so the Droplet can retain access to its metadata endpoint (169.254.169.254). The metadata endpoint allows the Droplet to access data about itself. To do this, locate the original gateway IP address of the backend Droplet by running:

route -n

The Droplet will return its routing table.

    
        
            
Kernel IP routing table
Destination     Gateway              Genmask         Flags Metric Ref    Use Iface
0.0.0.0         {your_gateway_IP}    0.0.0.0         UG    0      0        0 eth0

        
    

The Droplet’s gateway IP address is located in the Gateway column. To create the necessary IP route, run the following command, replacing the {your-gateway-IP} value with the gateway IP address from the routing table:

ip route add 169.254.169.254 via {your-gateway-IP} dev eth0

The command line returns a blank prompt when executed. You can run route -n again to ensure that you entered the route correctly.

Next, edit the backend Droplet’s network configurations. To do this, open the /etc/sysconfig/network-scripts/ifcfg-eth0 file in a text editor, then remove or comment out the default GATEWAY={default_gateway_IP_address} field:

    
        
            
# Created by cloud-init on instance boot automatically, do not edit.
#
BOOTPROTO=none
DEFROUTE=yes
DEVICE=eth0
GATEWAY=142.93.208.1
# Delete or comment out the `GATEWAY=default_gateway_IP_address` field.
HWADDR=2e:c1:31:1c:de:55
IPADDR=142.93.215.133
IPADDR1=10.47.0.6
IPV6ADDR=2400:6180:0100:00D0:0000:0000:00DB:5001/64
IPV6INIT=yes
IPV6_DEFAULTGW=2400:6180:0100:00D0:0000:0000:0000:0001
MTU=1500
NETMASK=255.255.240.0

        
    

Save the changes to the file.

Next, open the /etc/sysconfig/network-scripts/ifcfg-eth1 file in a text editor, then edit the following lines:

    
        
            
# Created by cloud-init on instance boot automatically, do not edit.
#
BOOTPROTO=none
DEVICE=eth1
HWADDR=06:ec:53:14:63:98
IPADDR=10.139.224.18
MTU=1500
NETMASK=255.255.0.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
GATEWAY=private_ip_address_of_gateway_droplet
DEFROUTE=yes

        
    

Save the changes to the file.

The backend Droplet now routes internet traffic through the gateway Droplet. You can verify this by using ping and ip route.

ping verifies that your Droplet can reach the internet. To ping a website, run:

ping google.com

The command returns results that look like this:

    
        
            
[email protected]:~# ping google.com
PING google.com (216.58.196.174) 56(84) bytes of data.
64 bytes from maa03s31-in-f14.1e100.net (216.58.196.174): icmp_seq=1 ttl=118 time=9.70 ms
64 bytes from maa03s31-in-f14.1e100.net (216.58.196.174): icmp_seq=2 ttl=118 time=8.38 ms

        
    

After you verify that the Droplet can reach the internet, use ip route to verify the network route the backend Droplet uses to reach an IP address on the internet. To use ip route, run:

ip route get 8.8.8.8

The command returns the network route the Droplet uses to reach the IP address, 8.8.8.8. The gateway’s private IP address is the second IP address in the returned route.

    
        
            
[email protected]:~# ip route get 8.8.8.8
8.8.8.8 via  {gateway-private-IP-address} dev eth1 src {backend-droplet-private-IP-address} uid 0