A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage. You can link VPC networks to each other using VPC peering connections.
VPC peering joins two VPC networks with a secure, private connection.
Droplets on peered VPC networks need additional routing information to know how to send packets between networks. This information is automatically configured on Droplets created after 2 October 2024 using a standard base image if:
To activate a newly-created peering on an existing Droplet that was created after 2 October 2024, see the Restart Network Services section.
For Droplets created before 2 October 2024, or Droplets using custom base images, see the Manually Adding Routes section for how to configure routes for VPC peering.
To minimize the impact of new routes on customer Droplets, peering routes are only automatically added to Droplets created in a VPC network that is already peered with at least one other VPC network.
To activate a newly-created peering on an existing Droplet that was created after 2 October 2024, restart the Droplet’s networking service.
The command to restart the networking service depends on the networking stack used by the Droplet’s operating system. Here are some common examples:
Ubuntu, Arch, and the latest Debian releases use systemd-networkd to manage network configuration. Use systemctl to restart systemd-networkd:
sudo systemctl restart systemd-networkd
Fedora, CentOS, AlmaLinux, and Rocky Linux use NetworkManager to manage network configuration. Use systemctl to restart NetworkManager:
sudo systemctl restart NetworkManager
For Debian 11, the name of the networking service is networking. Use systemctl to restart it:
sudo systemctl restart networking
After restarting the networking service, read Verify Added Routes for details on how to check that the new configuration is working.
On Droplets created before 2 October 2024, or Droplets using custom base images, VPC peering routes must be added manually.
Execute the following script in your Droplet console to add the necessary routes:
VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)
ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
This script first queries the Droplet metadata service to get the IP address of its VPC gateway. It then adds three routes using the ip route command and the saved gateway IP address.
These three routes cover the entire RFC 1918 range and enable all current and future VPC peering connections. For advanced use cases, it is possible to limit the routes to only the subnets of the peered VPCs.
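For the advanced case mentioned above, the following added example (not DigitalOcean's script) prints route commands only for the peer subnets you name, and refuses any gateway or subnet that is malformed or outside RFC 1918 space. The function names and the sample addresses are assumptions; on a Droplet, pass the gateway returned by the metadata query shown earlier.

```shell
#!/bin/sh
# Added example (not DigitalOcean's script): least-privilege peering routes.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_private_cidr CIDR: succeed only for a prefix inside RFC 1918 space.
is_private_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] && is_ipv4 "$addr" || return 1
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    o1=${addr%%.*}; rest=${addr#*.}; o2=${rest%%.*}
    case "$o1" in
        10)  [ "$len" -ge 8 ] ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && [ "$len" -ge 12 ] ;;
        192) [ "$o2" -eq 168 ] && [ "$len" -ge 16 ] ;;
        *)   return 1 ;;
    esac
}

# peering_route_cmds GATEWAY CIDR...: print one "ip route replace" command per
# subnet. Nothing is printed if the gateway or any subnet fails validation.
peering_route_cmds() {
    gw=$1; shift
    is_ipv4 "$gw" || { echo "bad gateway: $gw" >&2; return 1; }
    for cidr in "$@"; do
        is_private_cidr "$cidr" || { echo "rejected: $cidr" >&2; return 1; }
    done
    for cidr in "$@"; do
        echo "ip route replace $cidr via $gw dev eth1 mtu 1500 metric 101"
    done
}

# Constructed values: gateway 10.116.0.1 and two peered VPC ranges.
peering_route_cmds 10.116.0.1 10.120.0.0/20 10.130.0.0/20
```

The commands are printed rather than executed so they can be reviewed first; run them as root once they match the peered VPC ranges.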
The routes added in the previous section are lost when the Droplet or its networking stack is restarted. The steps needed to make the changes persistent depend on the particular network services used by your Linux distribution or your custom image. Some example configurations follow.
You can configure Ubuntu and Debian 12 networking through systemd. First, log in to your Droplet and gather two pieces of information.
Get the Droplet’s private IP address and network mask in CIDR notation:
ip addr list eth1 | awk '/inet / {print $2}'
This prints out the information for eth1, the Droplet’s private ethernet interface, like this:
192.0.2.50/16
Save this full string.
Next, use curl to query the Droplet’s metadata service and retrieve the Droplet’s VPC gateway IP:
curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway
This returns a single IP address, like this:
192.0.2.1
Create a new file at /etc/systemd/network/10-eth1.network and paste in the following:
[Match]
Name=eth1
[Network]
Address=<your_eth1_ip_/_network>
[Route]
Destination=10.0.0.0/8
Gateway=<your_gateway_ip>
Metric=101
[Route]
Destination=172.16.0.0/12
Gateway=<your_gateway_ip>
Metric=101
[Route]
Destination=192.168.0.0/16
Gateway=<your_gateway_ip>
Metric=101
Replace <your_eth1_ip_/_network> with the full address and network range in CIDR notation, and <your_gateway_ip> (in all three places) with the gateway IP.
Save and close the file.
Restart the networking service to update the routes:
sudo systemctl restart systemd-networkd
For details on how to check that the new configuration works, see the Verify Added Routes section.
For distributions that use NetworkManager to manage network configuration, add a script to the /etc/NetworkManager/dispatcher.d/20-eth1-peering file.
Open the file and paste in the following bash script:
#!/usr/bin/env bash
interface=$1
event=$2
if [[ $interface != "eth1" ]] || [[ $event != "up" ]]
then
exit 0
fi
VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)
ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
Save and close the file, then mark it as executable:
chmod +x /etc/NetworkManager/dispatcher.d/20-eth1-peering
Restart NetworkManager to update the routes:
sudo systemctl restart NetworkManager
For details on how to check that the new configuration works, see the Verify Added Routes section.
Debian 11 uses ifupdown to handle network configuration. Scripts located in /etc/network/if-up.d/ are executed whenever a network interface starts.
Add the following to /etc/network/if-up.d/20-eth1-peering:
#!/bin/sh
# Only act when the private interface (eth1) comes up.
[ "$IFACE" = "eth1" ] || exit 0
VPC_GATEWAY_IP=$(curl -s 169.254.169.254/metadata/v1/interfaces/private/0/ipv4/gateway)
ip route replace 10.0.0.0/8 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 172.16.0.0/12 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
ip route replace 192.168.0.0/16 via ${VPC_GATEWAY_IP} dev eth1 mtu 1500 metric 101
exit 0
Save and close the file, then mark it as executable:
chmod +x /etc/network/if-up.d/20-eth1-peering
VPC peering routes are now set whenever the private eth1 interface comes up. Restart the networking service to complete the update:
sudo systemctl restart networking
For details on how to check that the new configuration works, see the Verify Added Routes section.
To verify the Droplet’s routes are updated, check its routing table. Run the following ip command to print the routing table:
ip route show
This produces output similar to the following, but with different via addresses:
10.0.0.0/8 via 192.60.2.6 dev eth1 metric 101 mtu 1500
172.16.0.0/12 via 192.60.2.6 dev eth1 metric 101 mtu 1500
192.168.0.0/16 via 192.60.2.6 dev eth1 metric 101 mtu 1500
You can further verify that the peering connection works by pinging the private IP addresses of Droplets in other VPC networks. Use ping followed by the other Droplet’s private IP address:
ping <private_ip_address>
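The routing-table check above can be scripted. This added example (not part of DigitalOcean's tooling) reads ip route show output and reports any of the three peering routes that is missing, uses a gateway other than the expected one, or leaves through a device other than eth1. The function name and the finding labels are assumptions, and the sample routing table is constructed.

```shell
#!/bin/sh
# Added example: audit the peering routes in `ip route show` output.

# check_peering_routes GATEWAY: read a routing table on stdin, print one
# finding per problem, and return non-zero if anything was found.
check_peering_routes() {
    awk -v gw="$1" '
        BEGIN { want["10.0.0.0/8"]; want["172.16.0.0/12"]; want["192.168.0.0/16"] }
        ($1 in want) {
            via = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") via = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            seen[$1] = 1
            if (via != gw)     { print "WRONG_GATEWAY " $1 " via " via; bad = 1 }
            if (dev != "eth1") { print "WRONG_DEVICE " $1 " dev " dev; bad = 1 }
        }
        END {
            for (d in want) if (!(d in seen)) { print "MISSING " d; bad = 1 }
            exit bad + 0
        }'
}

# Constructed routing table: one route uses an unexpected gateway and the
# 192.168.0.0/16 route is absent.
check_peering_routes 192.60.2.6 <<'EOF' || echo "routing table needs attention"
default via 203.0.113.1 dev eth0
10.0.0.0/8 via 192.60.2.6 dev eth1 metric 101 mtu 1500
172.16.0.0/12 via 192.60.2.99 dev eth1 metric 101 mtu 1500
EOF
```

On a Droplet, feed it live data with ip route show | check_peering_routes followed by the gateway address returned by the metadata service.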
After removing all VPC peering connections from a VPC network, you can remove the peering routes from your Droplets. For Droplets created after 2 October 2024, restart the Droplet or its networking service to remove the routes automatically.
To remove manually added routes on Droplets created before 2 October 2024, use ip route del:
ip route del 10.0.0.0/8 dev eth1 mtu 1500 metric 101
ip route del 172.16.0.0/12 dev eth1 mtu 1500 metric 101
ip route del 192.168.0.0/16 dev eth1 mtu 1500 metric 101
You can verify the routes have been removed by running ip route show.
If you added scripts or additional configuration to persistently add peering routes, you must remove them, then restart the Droplet or its networking service to remove the routes.
To disable the automatic configuration of peering routes on Droplets created after 2 October 2024, deactivate the distribution-specific configuration script or service.
For Ubuntu or Debian 12, disable the vpc-peering.service service using systemctl:
sudo systemctl disable vpc-peering.service --now
To re-enable automatic route configuration, re-enable the service.
On Fedora, CentOS, AlmaLinux, and Rocky Linux, make the vpc-peering script not executable using chmod:
sudo chmod -x /etc/NetworkManager/dispatcher.d/vpc-peering
To re-enable automatic route configuration, make the script executable again with chmod +x.
For Debian 11, make the vpc-peering script not executable using chmod:
sudo chmod -x /etc/network/if-up.d/vpc-peering
To re-enable automatic route configuration, make the script executable again with chmod +x.
If you want to disable DigitalOcean’s route injection entirely to manage your own routes, contact support to disable it for all future Droplet creations. After this feature is disabled, reboot existing Droplets to remove automatically-configured routes.