Private Droplet Setup
Written by Anish Singh Walia, Technical Content Strategist
A private droplet is a cloud instance with no public network interface, accessible only through a bastion host, and secured with cloud firewalls
This tutorial covers the setup of a private droplet and bastion host from scratch
After completing the setup, follow the steps to connect to the private droplet
Understanding Private Droplets
A private droplet has a private network interface and no public IPv4 address, unlike traditional droplets with public and private interfaces
- No public ingress without a load balancer
- No outbound internet access without a NAT gateway
- Uses local DNS resolver
- Cannot be converted to or from a traditional droplet
Private droplets are designed for internal use, with no supported path to attach a public IP address
[Diagram: private droplet access path, from your machine through the bastion to the private droplet]
Private Droplet Architecture
The architecture consists of a private compute tier with controlled edges, including a bastion for SSH access, a NAT gateway for outbound traffic, and a load balancer for client ingress
Use Cases for Private Droplets
Private droplets are suitable for back-end tiers, multi-tier architectures, and workloads with strict network isolation requirements
- Internal APIs and services
- Multi-tier architectures with private back-end tiers
- Workloads with strict network isolation requirements
Private droplets may not be the best choice for simple public-facing servers or workloads with constant outbound access
- Public-facing servers
- Workloads with constant outbound access
- Quick experiments or demos
Before choosing a private droplet, consider the operational consequences: there is no direct SSH access and no outbound internet access by default
- No direct SSH access
- No outbound internet access by default
- Permanent networking type
- No cost premium but added operational complexity
Prerequisites
- DigitalOcean account and personal access token
- SSH key added to account
- VPC in target region
- doctl installed and authenticated
Step 1: Create the Private Droplet
Create a private droplet by disabling public networking at creation time, which is a permanent setting
Use doctl to create the private droplet in the chosen VPC
doctl compute droplet create private-app-01 \
  --region sfo3 \
  --size s-1vcpu-1gb \
  --image ubuntu-24-04-x64 \
  --vpc-uuid <your-vpc-uuid> \
  --ssh-keys <your-ssh-key-fingerprint> \
  --enable-public-networking=false
The --enable-public-networking=false flag makes the droplet private
Record the droplet ID and VPC IP address for later use
- Droplet ID
- VPC IP address
The private droplet can also be created using the control panel
The private droplet will be created in the same VPC and region as selected
Next, create the bastion host
Step 2: Create the Bastion Host
The bastion host is a standard droplet with a public IP, located in the same VPC and region as the private droplet
Create the bastion host using the control panel
Note the bastion's public IP and droplet ID
Use doctl to create the bastion host, specifying the region, size, image, VPC, and SSH key
Step 3: Add a Cloud Firewall to the Bastion
Cloud firewalls deny all traffic by default and are stateful, allowing return traffic for allowed connections
For the bastion, allow inbound SSH traffic from your own IP address
Create a cloud firewall for the bastion using the control panel
Enter your own public IP address to allow SSH access to the bastion
Use a command to find your public IP address if needed
curl ifconfig.me
Use doctl to create the cloud firewall for the bastion
doctl compute firewall create \
  --name "bastion-ssh" \
  --inbound-rules "protocol:tcp,ports:22,address:<your-ip>/32" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0" \
  --droplet-ids <bastion-droplet-id>
Step 4: Add a Cloud Firewall to the Private Droplet
For the private droplet, allow inbound SSH traffic from the bastion
Create a cloud firewall for the private droplet using the control panel
Step 5: Connect to the Private Droplet
Both droplets are now set up, and the firewalls allow a single path: your machine to the bastion, and the bastion to the private droplet
Follow the steps to connect to the private droplet using the bastion host
Use ssh -J to hop through the bastion to the private droplet's VPC IP
ssh -J <bastion-user>@<bastion-public-ip> <private-user>@<private-vpc-ip>
Find the private droplet's VPC IP in the control panel under Networking
You have successfully set up a private droplet and bastion host with cloud firewalls
Quick Verification Checklist
Verify the following settings
- Both droplets are in the same VPC
- The bastion firewall allows SSH from your IP
- The private droplet firewall allows SSH from the bastion
- Each firewall is applied to the correct droplet
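The checklist above can be run as code rather than by eye. The script below is an added example and not part of the original tutorial: it takes the JSON that doctl compute droplet list -o json and doctl compute firewall list -o json produce (field names follow the DigitalOcean API droplet and firewall objects; the sample data embedded here is constructed, and the bastion name bastion-01 and login user root are assumptions) and reports every deviation from the single path your machine -> bastion -> private droplet, including an SSH rule that is wider than a single /32 source.

```python
"""Verify the bastion / private droplet firewall setup from doctl JSON output.

Added example, not code from the DigitalOcean tutorial. Assumes the object
shapes returned by `doctl compute droplet list -o json` and
`doctl compute firewall list -o json` (vpc_uuid, networks.v4[].type,
inbound_rules[].sources.addresses / droplet_ids). Sample data is constructed.
"""
import ipaddress
import json

BASTION_NAME = "bastion-01"       # assumed name for the bastion droplet
PRIVATE_NAME = "private-app-01"   # name used in the tutorial

# Constructed sample inventory: one bastion with a public IP, one private droplet.
DROPLETS_JSON = """[
  {"id": 1001, "name": "bastion-01", "vpc_uuid": "vpc-aaaa",
   "networks": {"v4": [
     {"ip_address": "203.0.113.10", "type": "public"},
     {"ip_address": "10.124.0.2", "type": "private"}]}},
  {"id": 1002, "name": "private-app-01", "vpc_uuid": "vpc-aaaa",
   "networks": {"v4": [
     {"ip_address": "10.124.0.3", "type": "private"}]}}
]"""

# Constructed sample firewalls matching Steps 3 and 4 of the tutorial.
FIREWALLS_JSON = """[
  {"id": "fw-1", "name": "bastion-ssh", "droplet_ids": [1001],
   "inbound_rules": [{"protocol": "tcp", "ports": "22",
     "sources": {"addresses": ["198.51.100.7/32"]}}]},
  {"id": "fw-2", "name": "private-ssh", "droplet_ids": [1002],
   "inbound_rules": [{"protocol": "tcp", "ports": "22",
     "sources": {"droplet_ids": [1001]}}]}
]"""


def ip_of(droplet, kind):
    """Return the droplet's IPv4 address of the given type ("public"/"private")."""
    for net in droplet.get("networks", {}).get("v4", []):
        if net.get("type") == kind:
            return net["ip_address"]
    return None


def is_host(cidr, ip):
    """True if cidr denotes exactly the single address ip (a /32)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 1 and str(net.network_address) == ip


def ssh_sources(firewall):
    """Return (addresses, droplet_ids) allowed to reach TCP/22 by this firewall."""
    addrs, ids = [], []
    for rule in firewall.get("inbound_rules", []):
        if rule.get("protocol") != "tcp" or str(rule.get("ports", "")) not in ("22", "all"):
            continue
        src = rule.get("sources", {})
        addrs += src.get("addresses", [])
        ids += src.get("droplet_ids", [])
    return addrs, ids


def check_setup(droplets_json, firewalls_json, my_ip):
    """Run the tutorial's verification checklist; return findings (empty list = OK)."""
    droplets = {d["name"]: d for d in json.loads(droplets_json)}
    firewalls = json.loads(firewalls_json)
    bastion, private = droplets.get(BASTION_NAME), droplets.get(PRIVATE_NAME)
    if bastion is None or private is None:
        return ["bastion or private droplet not found in inventory"]
    findings = []
    if bastion["vpc_uuid"] != private["vpc_uuid"]:          # same VPC
        findings.append("droplets are in different VPCs")
    if ip_of(private, "public"):                            # really private
        findings.append("private droplet has a public IPv4 address")
    b_fws = [fw for fw in firewalls if bastion["id"] in fw.get("droplet_ids", [])]
    if not b_fws:
        findings.append("no cloud firewall attached to bastion")
    for fw in b_fws:                                        # SSH only from my_ip/32
        for cidr in ssh_sources(fw)[0]:
            if not is_host(cidr, my_ip):
                findings.append(f"bastion firewall {fw['name']} allows SSH from {cidr}")
    p_fws = [fw for fw in firewalls if private["id"] in fw.get("droplet_ids", [])]
    if not p_fws:
        findings.append("no cloud firewall attached to private droplet")
    bastion_vpc_ip = ip_of(bastion, "private")
    for fw in p_fws:                                        # SSH only from the bastion
        addrs, ids = ssh_sources(fw)
        bad = [a for a in addrs if not is_host(a, bastion_vpc_ip)]
        bad += [i for i in ids if i != bastion["id"]]
        if bad:
            findings.append(f"private firewall {fw['name']} allows SSH from {bad}")
    return findings


def jump_command(droplets_json, user="root"):
    """Build the tutorial's ssh -J command from the inventory (user is assumed)."""
    droplets = {d["name"]: d for d in json.loads(droplets_json)}
    bastion_ip = ip_of(droplets[BASTION_NAME], "public")
    private_ip = ip_of(droplets[PRIVATE_NAME], "private")
    return f"ssh -J {user}@{bastion_ip} {user}@{private_ip}"


if __name__ == "__main__":
    print(check_setup(DROPLETS_JSON, FIREWALLS_JSON, "198.51.100.7") or "checklist OK")
    print(jump_command(DROPLETS_JSON))
```

To use it against a real account, replace the two constants with the output of the two doctl list commands and pass the address curl ifconfig.me reported; any non-empty result is a rule that widens the single path the tutorial intends.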
Additional Notes and Limitations
- NAT gateway is needed for outbound internet access
- Cloud firewalls are stateful and separate from on-droplet firewalls
Further Reading and Resources
- Connecting to a private droplet
- Private droplet overview and limitations
- Cloud firewall configuration
- VPC best practices
About the Author
Anish Singh Walia is a Technical Content Strategist and Team Lead