
Private Droplet Setup

Written by Anish Singh Walia, Technical Content Strategist

A private droplet is a cloud instance with no public network interface, accessible only through a bastion host, and secured with cloud firewalls

This tutorial covers the setup of a private droplet and bastion host from scratch

After completing the setup, follow the steps to connect to the private droplet

Understanding Private Droplets

A private droplet has a private network interface and no public IPv4 address, unlike traditional droplets with public and private interfaces

  • No public ingress without a load balancer
  • No outbound internet access without a NAT gateway
  • Uses local DNS resolver
  • Cannot be converted to or from a traditional droplet

Private droplets are designed for internal use, with no supported path to attach a public IP address

A diagram illustrates the private droplet access path for clarity

Private Droplet Architecture

The architecture consists of a private compute tier with controlled edges, including a bastion for SSH access, a NAT gateway for outbound traffic, and a load balancer for client ingress

Use Cases for Private Droplets

Private droplets are suitable for back-end tiers, multi-tier architectures, and workloads with strict network isolation requirements

  • Internal APIs and services
  • Multi-tier architectures with private back-end tiers
  • Workloads with strict network isolation requirements

Private droplets may not be the best choice for simple public-facing servers or workloads with constant outbound access

  • Public-facing servers
  • Workloads with constant outbound access
  • Quick experiments or demos

Consider the consequences of using private droplets, including no direct SSH access and no outbound internet access by default

  • No direct SSH access
  • No outbound internet access by default
  • Permanent networking type
  • No cost premium but added operational complexity

Prerequisites

  • DigitalOcean account and personal access token
  • SSH key added to account
  • VPC in target region
  • doctl installed and authenticated

Step 1: Create the Private Droplet

Create a private droplet by disabling public networking at creation time, which is a permanent setting

Use doctl to create the private droplet in the chosen VPC

doctl compute droplet create private-app-01 \
  --region sfo3 \
  --size s-1vcpu-1gb \
  --image ubuntu-24-04-x64 \
  --vpc-uuid <your-vpc-uuid> \
  --ssh-keys <your-ssh-key-fingerprint> \
  --enable-public-networking=false

The --enable-public-networking=false flag makes the droplet private

Record the droplet ID and VPC IP address for later use

  • Droplet ID
  • VPC IP address

The private droplet can also be created using the control panel

The private droplet will be created in the same VPC and region as selected

Next, create the bastion host

Step 2: Create the Bastion Host

The bastion host is a standard droplet with a public IP, located in the same VPC and region as the private droplet

Create the bastion host using the control panel

Note the bastion's public IP and droplet ID

Use doctl to create the bastion host, specifying the region, size, image, VPC, and SSH key

Step 3: Add a Cloud Firewall to the Bastion

Cloud firewalls deny all traffic by default and are stateful, allowing return traffic for allowed connections

For the bastion, allow inbound SSH traffic from your own IP address

Create a cloud firewall for the bastion using the control panel

Enter your own public IP address to allow SSH access to the bastion

Use a command to find your public IP address if needed

curl ifconfig.me

Use doctl to create the cloud firewall for the bastion

doctl compute firewall create \
  --name "bastion-ssh" \
  --inbound-rules "protocol:tcp,ports:22,address:<your-ip>/32" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0" \
  --droplet-ids <bastion-droplet-id>

Step 4: Add a Cloud Firewall to the Private Droplet

For the private droplet, allow inbound SSH traffic from the bastion

Create a cloud firewall for the private droplet using the control panel

Step 5: Connect to the Private Droplet

Both droplets are now set up, and the firewalls allow a single path: your machine to the bastion, and the bastion to the private droplet

Follow the steps to connect to the private droplet using the bastion host

Use ssh -J to hop through the bastion to the private droplet's VPC IP

ssh -J <bastion-user>@<bastion-public-ip> <private-user>@<private-vpc-ip>

Find the private droplet's VPC IP in the control panel under networking

You have successfully set up a private droplet and bastion host with cloud firewalls

Quick Verification Checklist

Verify the following settings

  • Both droplets are in the same VPC
  • The bastion firewall allows SSH from your IP
  • The private droplet firewall allows SSH from the bastion
  • Each firewall is applied to the correct droplet
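
The script below is an added example, not code from the original tutorial or from DigitalOcean. It runs Steps 1 to 5 with doctl in one go and, before each firewall is created, checks its rule string against the verification checklist above: the bastion may admit SSH only from your own IP as a /32, the private droplet only from the bastion, and neither rule may be open to 0.0.0.0/0 or to a port other than 22. It goes slightly beyond the tutorial by validating the allowlist address before use. Assumptions: the doctl flags are those shown in the tutorial (including --enable-public-networking=false); the private droplet's firewall allows SSH from the bastion's VPC IP as a /32 source, which is one way to express "from the bastion"; and every IP address, droplet ID, VPC UUID and key fingerprint is a constructed placeholder. With DRY_RUN=1, the default, commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original tutorial. Drives Steps 1-5 with doctl and
# checks each firewall rule string against the verification checklist before applying it.
# Assumptions: doctl flags as shown in the tutorial; the private droplet's firewall admits
# SSH from the bastion's VPC IP as a /32; every IP, ID and UUID below is a constructed
# placeholder. With DRY_RUN=1 (the default) commands are printed, not executed.

DRY_RUN="${DRY_RUN:-1}"
REGION="${REGION:-sfo3}"
SIZE="${SIZE:-s-1vcpu-1gb}"
IMAGE="${IMAGE:-ubuntu-24-04-x64}"
OUTBOUND_ANY="protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# is_host_cidr ADDR: succeed only if ADDR is one IPv4 host written as a.b.c.d/32.
# A bastion allowlist wider than a single host defeats the point of Step 3.
is_host_cidr() {
  case "$1" in
    */32) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${1%/32}" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# check_inbound RULES ALLOWED_SRC: RULES is a doctl --inbound-rules string (rules separated
# by spaces, fields by commas). Succeed only if every rule is TCP/22 from exactly ALLOWED_SRC.
check_inbound() {
  rules="$1"; allowed="$2"
  [ -n "$rules" ] || { echo "reject: empty rule set"; return 1; }
  for rule in $rules; do
    proto=""; ports=""; addr=""
    oldifs="$IFS"; IFS=','; set -- $rule; IFS="$oldifs"
    for kv in "$@"; do
      case "$kv" in
        protocol:*) proto="${kv#protocol:}" ;;
        ports:*)    ports="${kv#ports:}" ;;
        address:*)  addr="${kv#address:}" ;;
      esac
    done
    [ "$proto" = "tcp" ] || { echo "reject: $rule (protocol is not tcp)"; return 1; }
    [ "$ports" = "22" ]  || { echo "reject: $rule (port is not 22)"; return 1; }
    case "$addr" in
      0.0.0.0/0|::/0) echo "reject: $rule (SSH open to the whole internet)"; return 1 ;;
    esac
    [ "$addr" = "$allowed" ] || { echo "reject: $rule (source $addr is not $allowed)"; return 1; }
  done
}

# ssh_jump_cmd BASTION_USER BASTION_PUBLIC_IP PRIVATE_USER PRIVATE_VPC_IP: the Step 5 command.
ssh_jump_cmd() {
  printf 'ssh -J %s@%s %s@%s' "$1" "$2" "$3" "$4"
}

main() {
  vpc="${VPC_UUID:-PLACEHOLDER-VPC-UUID}"
  key="${SSH_KEY_FINGERPRINT:-PLACEHOLDER-SSH-KEY-FINGERPRINT}"
  # Your own public IP (Step 3); a dry run uses a constructed documentation address.
  if [ -z "${MY_IP:-}" ]; then
    if [ "$DRY_RUN" = "1" ]; then MY_IP="203.0.113.7"; else MY_IP="$(curl -s ifconfig.me)"; fi
  fi
  is_host_cidr "$MY_IP/32" || { echo "MY_IP must be a single IPv4 address, got '$MY_IP'"; return 1; }

  # Step 1: private droplet (disabling public networking is permanent).
  run doctl compute droplet create private-app-01 --region "$REGION" --size "$SIZE" \
    --image "$IMAGE" --vpc-uuid "$vpc" --ssh-keys "$key" --enable-public-networking=false
  # Step 2: bastion, a standard droplet with a public IP in the same VPC and region.
  run doctl compute droplet create bastion-01 --region "$REGION" --size "$SIZE" \
    --image "$IMAGE" --vpc-uuid "$vpc" --ssh-keys "$key"

  # IDs and addresses are read from doctl after creation; constructed placeholders stand in.
  bastion_id="${BASTION_ID:-PLACEHOLDER-BASTION-ID}"
  bastion_public_ip="${BASTION_PUBLIC_IP:-198.51.100.5}"
  bastion_vpc_ip="${BASTION_VPC_IP:-10.124.0.2}"
  private_id="${PRIVATE_ID:-PLACEHOLDER-PRIVATE-ID}"
  private_vpc_ip="${PRIVATE_VPC_IP:-10.124.0.3}"

  # Step 3: bastion firewall, SSH from your IP only, egress as in the tutorial.
  bastion_rules="protocol:tcp,ports:22,address:$MY_IP/32"
  check_inbound "$bastion_rules" "$MY_IP/32" || return 1
  run doctl compute firewall create --name bastion-ssh --inbound-rules "$bastion_rules" \
    --outbound-rules "$OUTBOUND_ANY" --droplet-ids "$bastion_id"

  # Step 4: private droplet firewall, SSH from the bastion's VPC address only (assumption).
  private_rules="protocol:tcp,ports:22,address:$bastion_vpc_ip/32"
  check_inbound "$private_rules" "$bastion_vpc_ip/32" || return 1
  run doctl compute firewall create --name private-ssh --inbound-rules "$private_rules" \
    --droplet-ids "$private_id"

  # Step 5: the only path in is your machine -> bastion -> private droplet.
  echo "Connect with: $(ssh_jump_cmd root "$bastion_public_ip" root "$private_vpc_ip")"
}

main "$@"
```

Run it once as-is to see the five doctl invocations it would issue, then set DRY_RUN=0 and export VPC_UUID, SSH_KEY_FINGERPRINT and, after the droplets exist, BASTION_ID, BASTION_PUBLIC_IP, BASTION_VPC_IP, PRIVATE_ID and PRIVATE_VPC_IP to apply them for real. The check_inbound guard is what turns the checklist into something enforced: a rule such as address:0.0.0.0/0 or an extra open port is rejected before any firewall is created, rather than discovered afterwards in the control panel.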

Additional Notes and Limitations

  • NAT gateway is needed for outbound internet access
  • Cloud firewalls are stateful and separate from on-droplet firewalls

Further Reading and Resources

  • Connecting to a private droplet
  • Private droplet overview and limitations
  • Cloud firewall configuration
  • VPC best practices

About the Author

Anish Singh Walia is a Technical Content Strategist and Team Lead