How to Configure Droplets for NAT Gateway
Validated on 28 Aug 2025 • Last edited on 28 Aug 2025
A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage. You can link VPC networks to each other using VPC peering connections.
After creating a VPC NAT gateway, you need to configure new IP routes for any backend Droplets that should use the gateway to access the internet. These routes direct internet traffic through the gateway. You can send all traffic through the gateway by replacing the default route, or send select traffic through the gateway by specifying an IP address or subnet.
Define Temporary Route Changes
The following configuration changes are temporary and revert after a reboot, but are useful when first setting up and testing routing through a NAT gateway. Read the Persistent Route Changes section to make permanent configuration changes.
To route all traffic: this configuration redirects all of the backend Droplet’s internet traffic through the gateway. Once the default route changes, replies to an SSH session that arrived over the Droplet’s public interface follow the new default route to the NAT gateway instead of the public gateway, so a session opened against the public IP drops. To prevent this, log in to the backend Droplet through a second “control Droplet” on the same VPC network, or use the Droplet console in the control panel.
To log in to the backend Droplet through a control Droplet, open a new terminal on your local machine and run the following ssh command with the ProxyCommand option, replacing the <public_IP_of_control_Droplet> and <private_IP_of_backend_Droplet> values with the applicable IP addresses. The ProxyCommand option tells ssh to connect to the control Droplet first, and then use that connection to connect to the backend Droplet:
ssh -o \
ProxyCommand="ssh -W %h:%p root@<public_IP_of_control_Droplet>" \
root@<private_IP_of_backend_Droplet>
Because this session arrives from the control Droplet’s VPC address, the backend Droplet answers it over the VPC interface’s directly connected route, which the default-route change below does not touch, so the session stays up.
Once logged into the backend Droplet, add an IP route to its network configuration that retains the Droplet’s access to its metadata endpoint (169.254.169.254). The metadata endpoint is a service provided by DigitalOcean that allows the Droplet to access data about itself, like its IP address, DNS name server settings, and network interface information. It is reached through the public interface’s gateway; without a specific route for it, the new default route would send metadata requests to the NAT gateway instead.
To do this, locate the backend Droplet’s original gateway IP address by sending the following curl request to the metadata endpoint (do this before changing the default route, while the endpoint is still reachable over the default route):
curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/gateway
The command returns the backend Droplet’s current gateway address.
To create the necessary IP route, run the following command, replacing <your-gateway-IP> with the gateway IP address returned by the curl request:
ip route add 169.254.169.254 via <your-gateway-IP> dev eth0
The command prints nothing when successful, which indicates that the metadata API route has been set.
Next, set a new default route.
First get your NAT gateway’s Routing table IP address (also known as its gateway IP) from its details page in the control panel. This is the IP we’ll set as the default route.
To navigate to the NAT gateway’s details page click Networking in the left menu, then click the VPC tab. Click on the VPC that contains the NAT gateway, then click its NAT Gateway tab. Click on the name of the NAT gateway to load its details.
You can also use doctl to print a list of your NAT gateways along with their names, regions, and the VPCs they’re attached to:
doctl compute vpc-nat-gateway list --format Name,Region,VPCs
The output is a table of information:
Name Region VPCs
example-gateway tor1 4cc3fca9-0d4e-4292-bb4c-3806dc943a5a:10.137.0.2
Under the VPCs column is a list of VPC IDs. The NAT gateway’s gateway IP address for that VPC network is displayed after the colon. In the example output above, the gateway IP address is 10.137.0.2.
Set this gateway IP as the default route in the backend Droplet’s network configuration:
ip route change default via <your-NAT-gateway-IP>
The command prints nothing when successful. From this point on, every packet that doesn’t match a more specific route (the metadata route added above, and the VPC’s own connected route) leaves through the NAT gateway.
To route only select traffic: if you’re routing select traffic through the gateway, and you’re connecting from an IP address that is not affected by the planned route changes, you can connect with SSH directly into the backend Droplet or use the Droplet console in the control panel.
First, get the NAT gateway’s gateway IP address for the VPC. This is the IP to route traffic through; it is the value after the colon in the VPCs column of doctl compute vpc-nat-gateway list --format Name,Region,VPCs, as described above (10.137.0.2 in the example output).
Use the ip route command with the via option to add a route through your NAT gateway’s gateway IP address:
ip route add 203.0.113.0/24 via <your-NAT-gateway-IP>
Replace 203.0.113.0/24 with the network prefix you’d like to route through the gateway, in CIDR notation, or with a single IPv4 address. The prefix must be a valid network address for its length, with all host bits zero: the kernel rejects a route such as 203.0.113.0/20, because 113 has bits set below the /20 boundary. The command prints nothing when successful.
Your backend Droplet networking changes are complete. See Test Route Changes to test that the configuration is working correctly, then read Persistent Route Changes to configure routes that persist when you reboot your machine.
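The two temporary-route procedures above, all traffic and select traffic, as one added example that is not part of this DigitalOcean page: a POSIX shell script that extracts the NAT gateway’s IP for a VPC from the doctl table, checks that a prefix given for the select-traffic case is a valid network address before it reaches ip route, and prints the route commands in the order they must run (metadata route first), executing them only when RUN=1. The interface names eth0 (public) and eth1 (VPC), the use of ip route replace in place of the page’s add and change, and the embedded doctl output are assumptions and constructed sample data, not output from a real account.

```shell
#!/bin/sh
# Added example (not from the DigitalOcean page): plan and optionally apply the
# backend-Droplet routes for the "all traffic" and "select traffic" procedures.
# Assumptions: eth0 is the public interface and eth1 the VPC interface (override
# with PUBLIC_IF / VPC_IF); `ip route replace` is used so the script can be re-run.

PUBLIC_IF=${PUBLIC_IF:-eth0}
VPC_IF=${VPC_IF:-eth1}
METADATA_IP=169.254.169.254

# Constructed sample of `doctl compute vpc-nat-gateway list --format Name,Region,VPCs`.
# In real use, pipe the doctl output into gateway_ip_for_vpc instead.
SAMPLE_DOCTL_OUTPUT='Name               Region    VPCs
example-gateway    tor1      4cc3fca9-0d4e-4292-bb4c-3806dc943a5a:10.137.0.2'

# gateway_ip_for_vpc VPC_ID   (doctl table on stdin)
#   Prints the gateway IP after the colon for the matching VPC ID. Assumes gateway
#   names contain no spaces, so VPC entries start at the third column.
gateway_ip_for_vpc() {
    awk -v vpc="$1" 'NR > 1 { for (i = 3; i <= NF; i++) { split($i, kv, ":"); if (kv[1] == vpc) { print kv[2]; found = 1 } } }
                     END { exit found ? 0 : 1 }'
}

# original_gateway: the public gateway, from the metadata service (needs network).
original_gateway() {
    curl -s "http://$METADATA_IP/metadata/v1/interfaces/public/0/ipv4/gateway"
}

# cidr_is_aligned PREFIX
#   Succeeds when PREFIX is a.b.c.d/len with all host bits zero (a bare address is
#   treated as /32). The kernel refuses a route like 203.0.113.0/20, so check first.
cidr_is_aligned() {
    addr=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$addr
EOF
    [ -n "$o4" ] && [ -z "$extra" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac   # digits only, no leading zeros
        [ "$o" -le 255 ] || return 1
    done
    addr_int=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
    [ $(( addr_int & (0xffffffff ^ mask) )) -eq 0 ]
}

# plan_routes all    ORIG_GW NAT_GW         -> everything through the NAT gateway
# plan_routes select ORIG_GW NAT_GW PREFIX  -> only PREFIX through it
#   Prints the ip route commands in the order they must run.
plan_routes() {
    mode=$1; orig_gw=$2; nat_gw=$3; target=${4:-}
    case "$mode" in
      all)
        # Metadata route first: once the default route moves, anything without a
        # more specific route, 169.254.169.254 included, would go to the NAT gateway.
        echo "ip route replace $METADATA_IP/32 via $orig_gw dev $PUBLIC_IF"
        echo "ip route replace default via $nat_gw dev $VPC_IF"
        ;;
      select)
        cidr_is_aligned "$target" || { echo "invalid prefix: $target (host bits must be zero)" >&2; return 1; }
        echo "ip route replace $target via $nat_gw dev $VPC_IF"
        ;;
      *)
        echo "usage: plan_routes all|select ORIG_GW NAT_GW [PREFIX]" >&2; return 1
        ;;
    esac
}

# apply_routes MODE ORIG_GW NAT_GW [PREFIX]
#   Dry run by default; RUN=1 executes each command (root on the backend Droplet).
apply_routes() {
    plan=$(plan_routes "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        if [ "${RUN:-0}" = 1 ]; then
            echo "+ $cmd"; $cmd || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

# e.g.  RUN=1 sh nat_routes.sh all "$(original_gateway)" 10.137.0.2
if [ $# -gt 0 ]; then
    apply_routes "$@"
fi
```

Running the script without RUN=1 prints the plan so it can be reviewed before anything changes on the Droplet. ip route replace is used in place of the page’s add and change because it both creates and updates a route, so the script can be re-run after a partial failure; ip route change by itself fails when no default route exists yet.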
Test Route Changes
You can verify your backend Droplet networking changes using the ping and ip route commands.
ping verifies that your Droplet can reach the internet. To ping a website, run:
ping google.com
The command returns results that look like this:
root@backend:~# ping google.com
PING google.com (216.58.196.174) 56(84) bytes of data.
64 bytes from maa03s31-in-f14.1e100.net (216.58.196.174): icmp_seq=1 ttl=118 time=9.70 ms
64 bytes from maa03s31-in-f14.1e100.net (216.58.196.174): icmp_seq=2 ttl=118 time=8.38 ms
If you are only routing select traffic through the NAT gateway, ping an IP address or hostname that matches your configuration.
After you verify that the Droplet can reach the internet, use ip route to verify the network route the backend Droplet uses to reach an IP address on the internet. To use ip route, run:
ip route get 8.8.8.8
The command returns the network route the Droplet uses to reach the IP address 8.8.8.8:
8.8.8.8 via <gateway-IP-address> dev eth1 src <backend-droplet-private-IP-address> uid 0
The via address should be your NAT gateway’s gateway IP and dev should be the VPC interface (eth1 here). If the output still shows the public interface and its original gateway, the route change did not take effect.
If you’ve not updated the default route, make sure you’re testing an address that should be routed through the NAT gateway.
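The ip route get check above, as an added example that is not part of this page: a short POSIX shell helper that parses the one-line answer from ip route get and confirms the next hop and interface, so the verification can run from a script after every reboot rather than being read by eye. It also checks the metadata route, since that is the route most easily forgotten. The route lines used when no network is available are constructed samples using documentation addresses, and eth0/eth1 are assumed interface names.

```shell
#!/bin/sh
# Added example (not from the DigitalOcean page): scriptable version of the
# `ip route get` check. Interface names eth0 (public) and eth1 (VPC) are assumptions.

# route_line_matches LINE GATEWAY DEV
#   LINE is one line of `ip route get <dest>` output, for example
#   "8.8.8.8 via 10.137.0.2 dev eth1 src 10.118.0.4 uid 0".
#   Succeeds only when the next hop is GATEWAY and the outgoing interface is DEV.
#   A directly connected destination has no "via" token and therefore never matches.
route_line_matches() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
        {
            via = ""; ifc = ""
            for (i = 1; i < NF; i++) {
                if ($i == "via") via = $(i + 1)
                if ($i == "dev") ifc = $(i + 1)
            }
            exit !(via == gw && ifc == dev)
        }'
}

# verify_route DEST GATEWAY DEV
#   Asks the kernel how it would reach DEST and compares with the expectation.
verify_route() {
    line=$(ip route get "$1" 2>/dev/null | head -n 1) || return 1
    if route_line_matches "$line" "$2" "$3"; then
        echo "ok:   $1 via $2 dev $3"
    else
        echo "FAIL: $1 -> ${line:-no route}" >&2
        return 1
    fi
}

# verify_nat_setup ORIGINAL_GATEWAY NAT_GATEWAY_IP [PUBLIC_IF] [VPC_IF]
#   The two routes a backend Droplet needs after the changes on this page: the
#   metadata endpoint still leaves through the original public gateway, and a
#   public destination (8.8.8.8 here) leaves through the NAT gateway on the VPC side.
verify_nat_setup() {
    verify_route 169.254.169.254 "$1" "${3:-eth0}" &&
    verify_route 8.8.8.8 "$2" "${4:-eth1}"
}

# Usage on a backend Droplet:  sh verify_nat.sh <original-gateway> <nat-gateway-ip>
if [ $# -ge 2 ]; then
    verify_nat_setup "$@"
fi
```

When only select traffic is routed through the gateway, call verify_route with a destination inside the prefix you added rather than 8.8.8.8, and expect the original gateway on eth0 for everything else.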
Persistent Route Changes
To persist IP route changes and ensure that the Droplet boots with the new route information, you need to update the Droplet’s network configuration files. This process is operating-system specific, but most popular Linux distributions use either Netplan or NetworkManager.
To persist route updates on a Netplan-based distribution, open and edit /etc/netplan/50-cloud-init.yaml in a text editor. The file looks similar to this, with the routes already adjusted as described below:
network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - 137.184.174.21/20
            - 10.20.0.7/16
            match:
                macaddress: 86:bc:46:82:4d:95
            mtu: 1500
            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []
            routes:
            - to: 0.0.0.0/0
              via: <original gateway address>
            set-name: eth0
        eth1:
            addresses:
            - 10.118.0.4/20
            match:
                macaddress: 5a:59:57:e0:f3:9d
            mtu: 1500
            nameservers:
                addresses:
                - 67.207.67.3
                - 67.207.67.2
                search: []
            routes:
            - to: 0.0.0.0/0
              via: <gateway IP address of NAT gateway>
            set-name: eth1
If you are setting a new default route to route all traffic through the NAT gateway, first update the existing eth0 route so that it only covers the metadata API:
            routes:
            - to: 169.254.169.254/32
              via: <original gateway address>
If you are only sending select traffic through the NAT gateway, do not change the existing eth0 default route.
Next, create a new route under eth1 by updating the following lines:
            routes:
            - to: 0.0.0.0/0
              via: <gateway IP address of NAT gateway>
Replace <gateway IP address of NAT gateway> with the gateway IP address of your NAT gateway. If you’re replacing the default route, leave to: 0.0.0.0/0 as is; otherwise update it to a more specific network prefix in CIDR notation, such as 203.0.113.0/24 (the prefix must be a valid network address for its length, with all host bits zero).
Save the changes and exit the file. Then run the following command to apply the new network configuration:
netplan --debug apply
The --debug flag makes netplan report parsing problems, including YAML formatting errors, while it generates the configuration. Without it, netplan apply prints nothing when the file is valid. If you are editing over a session that the route change could cut off, netplan try applies the configuration and rolls it back automatically unless you confirm it before its timeout expires.
To persist route updates on a NetworkManager-based distribution, update the eth0 and eth1 interfaces of the Droplet.
Start by editing the eth0 interface’s configuration file, /etc/NetworkManager/system-connections/cloud-init-eth0.nmconnection. This is the configuration file for the Droplet’s public interface.
[connection]
id=cloud-init eth0
uuid=1dd9a779-d327-56e1-8454-c65e2556c12c
type=ethernet
[user]
org.freedesktop.NetworkManager.origin=cloud-init
[ethernet]
mtu=1500
mac-address=D6:4B:77:B4:C0:36
[ipv4]
method=manual
may-fail=false
address1=178.128.238.189/20
route1=0.0.0.0/0,<original gateway address>
address2=10.20.0.10/16
If you are setting a new default route to route all traffic through the NAT gateway, update the existing default route to only route the metadata API:
route1=169.254.169.254/32,<original gateway address>
Do not modify the original gateway address.
Save the changes to the file and close it. Next, open and edit the eth1 private interface configuration file, /etc/NetworkManager/system-connections/cloud-init-eth1.nmconnection:
[connection]
id=cloud-init eth1
uuid=3c50eb47-7260-5a6d-801d-bd4f587d6b58
type=ethernet
[user]
org.freedesktop.NetworkManager.origin=cloud-init
[ethernet]
mtu=1500
mac-address=D6:84:01:8D:69:63
[ipv4]
method=manual
may-fail=false
address1=10.118.0.8/20
route1=0.0.0.0/0,<gateway IP address of NAT gateway>
Update <gateway IP address of NAT gateway> to the gateway IP address of your NAT gateway. If you’re replacing the default route to route all traffic through the gateway, leave 0.0.0.0/0; otherwise update it to a more specific network prefix in CIDR notation, such as 203.0.113.0/24 (the prefix must be a valid network address for its length, with all host bits zero).
Save the changes and exit the file.
Once you have configured your network interfaces and added the IP route, reboot the Droplet for the changes to take effect.