How to Update Routes to Enable VPC Peering Early Availability

A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage. You can link VPC networks to each other using VPC peering connections (currently in early access).


VPC peering (currently in early availability) joins two VPC networks with a secure, private connection.

Droplets on peered VPC networks need additional routing information to know how to send packets between networks. This information is automatically configured on Droplets created after 2 October 2024 using a standard base image if:

  • the Droplet was started or restarted while on a peered VPC.
  • the Droplet’s networking service was started or restarted while on a peered VPC network.

To activate a newly-created peering on an existing Droplet that was created after 2 October 2024, see the Restart Network Services section.

For Droplets created before 2 October 2024, or Droplets using custom base images, see the Add Routes Manually section for how to configure routes for VPC peering.

Restart Network Services

To minimize the impact of new routes on customer Droplets, peering routes are only automatically added to Droplets created in a VPC network that is already peered with at least one other VPC network.

To activate a newly-created peering on an existing Droplet that was created after 2 October 2024, restart the Droplet’s networking service.

The command to restart the networking service depends on the networking stack used by the Droplet’s operating system. Here are some common examples:

Ubuntu, Arch, and the latest Debian releases use systemd-networkd to manage network configuration. Use systemctl to restart systemd-networkd:

sudo systemctl restart systemd-networkd

Fedora, CentOS, AlmaLinux, and Rocky Linux use NetworkManager to manage network configuration. Use systemctl to restart NetworkManager:

sudo systemctl restart NetworkManager

For Debian 11, the name of the networking service is networking. Use systemctl to restart it:

sudo systemctl restart networking

After restarting the networking service, read Verify Added Routes for details on how to check that the new configuration is working.

Add Routes Manually

On Droplets created before 2 October 2024, or Droplets using custom base images, VPC peering routes must be added manually.

Execute the following script in your Droplet console to add the necessary routes:

VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)

ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101

This script first queries the Droplet metadata service to get the IP address of its VPC gateway. It then adds three routes using the ip route command and the saved gateway IP address.

These three routes cover the entire RFC 1918 range and enable all current and future VPC peering connections. For advanced use cases, it is possible to limit the routes to only the subnets of the peered VPCs.
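The following is an added example, not part of the DigitalOcean guide: a hardened version of the manual route script that validates the metadata answer before touching the routing table and lets you scope the routes to the specific subnets of your peered VPCs instead of all of RFC 1918. The PEER_IFACE and METADATA_URL variables and the sample subnets are assumptions.

```shell
#!/bin/sh
# Hardened take on the manual route script (added example, not DigitalOcean's
# own tooling): validates the metadata answer before touching the routing
# table and lets you scope routes to named peered subnets instead of all of
# RFC 1918. PEER_IFACE, METADATA_URL and the sample subnets are assumptions.
METADATA_URL="${METADATA_URL:-http://169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway}"
PEER_IFACE="${PEER_IFACE:-eth1}"

# Return 0 only for a dotted-quad IPv4 address whose octets are all 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 only for an IPv4 prefix such as 10.10.0.0/16 (prefix length 0-32).
valid_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/" at all
    valid_ipv4 "$addr" || return 1
    printf '%s\n' "$len" | grep -Eq '^[0-9]{1,2}$' && [ "$len" -le 32 ]
}

# Print one "ip route replace" command per subnet. Nothing is printed if the
# gateway or any subnet is malformed: an empty gateway from a failed metadata
# lookup would otherwise yield "via  dev eth1" and a half-applied route set.
route_cmds() {
    gw=$1; shift
    valid_ipv4 "$gw" || { echo "bad gateway: '$gw'" >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: '$net'" >&2; return 1; }
    done
    for net in "$@"; do
        echo "ip route replace $net via $gw dev $PEER_IFACE mtu 1500 metric 101"
    done
}

# Fetch the VPC gateway from the metadata service and apply the routes.
# Run this on the Droplet as root; the subnets are the peered VPCs' ranges.
install_routes() {
    gw=$(curl -sf --max-time 5 "$METADATA_URL") || { echo "metadata lookup failed" >&2; return 1; }
    route_cmds "$gw" "$@" | sh -e
}

# Example invocation (constructed subnets): install_routes 10.10.0.0/16 10.20.0.0/16
```

Passing the three RFC 1918 blocks from the guide to install_routes reproduces the original script's behaviour, with the validation added.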

Permanently Add the Routes

The routes added in the previous section are lost when the Droplet or its networking stack is restarted. The steps needed to make the changes persistent depend on the particular network services used by your Linux distribution or your custom image. Some example configurations follow.

You can configure Ubuntu and Debian 12 networking through systemd. First, log in to your Droplet and gather two pieces of information.

Get the Droplet’s private IP address and network mask in CIDR notation:

ip addr list eth1 | awk '/inet / {print $2}'

This prints out the information for eth1, the Droplet’s private ethernet interface, like this:

192.0.2.50/16

Save this full string.

Next, use curl to query the Droplet’s metadata service and retrieve the Droplet’s VPC gateway IP:

curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway

This returns a single IP address, like this:

192.0.2.1

Create a new file at /etc/systemd/network/10-eth1.network and paste in the following:

[Match]
Name=eth1

[Network]
Address=<your_eth1_ip_/_network>

[Route]
Destination=10.0.0.0/8
Gateway=<your_gateway_ip>
Metric=101

[Route]
Destination=172.16.0.0/12
Gateway=<your_gateway_ip>
Metric=101

[Route]
Destination=192.168.0.0/16
Gateway=<your_gateway_ip>
Metric=101

Replace <your_eth1_ip_/_network> with the full address and network range in CIDR notation, and <your_gateway_ip> (in all three places) with the gateway IP.

Save and close the file.

Restart the networking service to update the routes:

sudo systemctl restart systemd-networkd

For details on how to check that the new configuration works, see the Verify Added Routes section.

For distributions that use NetworkManager to manage network configuration, add a script to the /etc/NetworkManager/dispatcher.d/20-eth1-peering file.

Open the file and paste in the following bash script:

#!/usr/bin/env bash

interface=$1
event=$2

if [[ $interface != "eth1" ]] || [[ $event != "up" ]]
then
	exit 0
fi

VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)

ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101

Save and close the file, then mark it as executable:

chmod +x /etc/NetworkManager/dispatcher.d/20-eth1-peering

Restart NetworkManager to update the routes:

sudo systemctl restart NetworkManager

For details on how to check that the new configuration works, see the Verify Added Routes section.

Debian 11 uses ifupdown to handle network configuration. Scripts located in /etc/network/if-up.d/ are executed whenever a network interface starts.

Add the following to /etc/network/if-up.d/20-eth1-peering:

#!/bin/sh

# Only act when the private interface eth1 comes up; ifupdown exports its name as $IFACE.
[ "$IFACE" = "eth1" ] || exit 0
VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)

ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101

exit 0

Save and close the file, then mark it as executable:

chmod +x /etc/network/if-up.d/20-eth1-peering

VPC peering routes are now set whenever the private eth1 interface comes up. Restart the networking service to complete the update:

sudo systemctl restart networking

For details on how to check that the new configuration works, see the Verify Added Routes section.

Verify Added Routes

To verify the Droplet’s routes are updated, check its routing table. Run the following ip command to print the routing table:

ip route show

This produces output similar to the following, but with different via addresses:

10.0.0.0/8 via 192.60.2.6 dev eth1 metric 101 mtu 1500
172.16.0.0/12 via 192.60.2.6 dev eth1 metric 101 mtu 1500
192.168.0.0/16 via 192.60.2.6 dev eth1 metric 101 mtu 1500
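As an added example (not part of the guide), the following script audits the output of ip route show for the peering routes: for each expected prefix it reports ok, missing, or the gateway actually in use, so a route that points at an unexpected next hop is caught instead of merely "some route exists". The routing table below is constructed; on a Droplet, feed in the real ip route show output and the gateway returned by the metadata service.

```shell
#!/bin/sh
# Added example (not from the guide): audit "ip route show" output for the
# peering routes. For each expected prefix it reports ok, missing, or the
# gateway actually in use, so a route silently pointing at the wrong next hop
# is caught rather than just "some route exists". The table below is constructed.
SAMPLE_TABLE='default via 203.0.113.1 dev eth0
10.0.0.0/8 via 192.0.2.1 dev eth1 metric 101 mtu 1500
172.16.0.0/12 via 192.0.2.1 dev eth1 metric 101 mtu 1500
192.168.0.0/16 via 192.0.2.99 dev eth1 metric 101 mtu 1500'

# route_state TABLE PREFIX GATEWAY DEVICE -> prints "ok", "missing",
# or "via <gw> dev <dev>" when the prefix is routed somewhere else.
route_state() {
    printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" -v dev="$4" '
        $1 == net && $2 == "via" && $4 == "dev" {
            state = ($3 == gw && $5 == dev) ? "ok" : "via " $3 " dev " $5
            if (state == "ok") exit
        }
        END { print (state == "" ? "missing" : state) }'
}

# check_peering_routes TABLE GATEWAY DEVICE PREFIX... -> 0 only if all are ok.
check_peering_routes() {
    table=$1; gw=$2; dev=$3; shift 3
    bad=0
    for net in "$@"; do
        state=$(route_state "$table" "$net" "$gw" "$dev")
        [ "$state" = ok ] || { echo "$net: $state" >&2; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# On a Droplet, with the real table and metadata gateway:
#   gw=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)
#   check_peering_routes "$(ip route show)" "$gw" eth1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```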

You can further verify that the peering connection works by pinging the private IP addresses of Droplets in other VPC networks. Use ping followed by the other Droplet’s private IP address:

ping <private_ip_address>

Remove Manually Added Routes

After removing all VPC peering connections from a VPC network, you can remove the peering routes from your Droplets. For Droplets created after 2 October 2024, restart the Droplet or its networking service to remove the routes automatically.

To remove manually added routes on Droplets created before 2 October 2024, use ip route del:

ip route del 10.0.0.0/8 dev eth1 mtu 1500 metric 101
ip route del 172.16.0.0/12 dev eth1 mtu 1500 metric 101
ip route del 192.168.0.0/16 dev eth1 mtu 1500 metric 101

You can verify the routes have been removed by running ip route show.

If you added scripts or additional configuration to persistently add peering routes, you must remove them, then restart the Droplet or its networking service to remove the routes.

Disable Automatic Route Injection

To disable the automatic configuration of peering routes on Droplets created after 2 October 2024, deactivate the distribution-specific configuration script or service.

For Ubuntu or Debian 12, disable the vpc-peering.service service using systemctl:

sudo systemctl disable vpc-peering.service --now

To re-enable automatic route configuration, re-enable the service.

On Fedora, CentOS, AlmaLinux, and Rocky Linux, make the vpc-peering script not executable using chmod:

sudo chmod -x /etc/NetworkManager/dispatcher.d/vpc-peering

To re-enable automatic route configuration, make the script executable again with chmod +x.

For Debian 11, make the vpc-peering script not executable using chmod:

sudo chmod -x /etc/network/if-up.d/vpc-peering

To re-enable automatic route configuration, make the script executable again with chmod +x.

Disable Automatic Route Injection for the Entire Team

If you want to disable DigitalOcean’s route injection entirely to manage your own routes, contact support to disable it for all future Droplet creations. After this feature is disabled, reboot existing Droplets to remove automatically-configured routes.