A Virtual Private Cloud (VPC) is a private network interface for collections of DigitalOcean resources. VPC networks are inaccessible from the public internet and other VPC networks, and traffic on them doesn’t count against bandwidth usage.
You can configure Droplets as internet gateways and reroute traffic from your other resources through the gateway. This allows you to isolate backend resources from the public internet while still allowing access from your gateway Droplet.
[Figure: Network without Internet Gateway]
[Figure: Network with Internet Gateway]
This guide explains how to configure a Droplet as a gateway, set up routing between the gateway Droplet and the backend Droplets, and then isolate those backend Droplets from the public internet by disabling their public-facing network interfaces.
To begin configuring your Droplets, choose the OS your Droplets use. The steps below are given in three variants, one per network configuration tool: first for Droplets configured with netplan and apt (Ubuntu), then for Droplets that use ifcfg files under /etc/sysconfig/network-scripts and yum, and finally for Droplets whose interfaces are managed by NetworkManager keyfiles under /etc/NetworkManager/system-connections.
To configure your gateway Droplet, you need to configure its IP forwarding and the NAT settings.
IP forwarding allows the Droplet to act as a router and forward packets to target Droplets within your VPC network.
To enable IP forwarding, connect to your Droplet and run:
sysctl -w net.ipv4.ip_forward=1
To persist these changes, open /etc/sysctl.conf in a text editor:
nano /etc/sysctl.conf
Add the line net.ipv4.ip_forward=1 to the bottom of the file, then save it. Depending on your Linux distribution, this line may already exist in the file, commented out. In this case, uncomment it by deleting the # at the beginning of the line.
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Network address translation (NAT) converts the private IP addresses associated with your VPC network’s traffic to the IP address of your internet gateway, and vice versa. This allows the gateway to correctly route traffic between your backend resources and the public internet. You can configure the gateway Droplet to perform NAT using the native Linux utility, iptables.
Using the following iptables command, configure the gateway Droplet to translate traffic from your VPC network’s subnet to the public IP of the gateway Droplet, replacing <vpc_network_prefix> with your VPC network’s private IP prefix:
iptables -t nat -A POSTROUTING -s <vpc_network_prefix> -o eth0 -j MASQUERADE
To locate your VPC network’s prefix in the control panel, click Networking in the main menu, then select the VPC tab. From the list of VPC networks, locate the target network. The network’s prefix is listed beside the public name in the second column.
On DigitalOcean Droplets, the default name for the public network interface is eth0. If you have changed this, replace eth0 in the iptables command with the correct interface name.
You can find your Droplet’s public interface name with ip:
ip -br a
The -br flag returns only basic information about the Droplet’s network interfaces for better readability. The a argument returns all IP addresses associated with the Droplet’s network interfaces.
To persist these changes so that the NAT rule is automatically enabled when the Droplet boots up, install iptables-persistent:
sudo apt-get install iptables-persistent
Upon successful installation, iptables-persistent asks if you want to save the current IPv4 rules. Select Yes.
To save future IPv4 rule changes, use the command iptables-save > /etc/iptables/rules.v4.
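The MASQUERADE rule above rewrites source addresses, but says nothing about which hosts may forward through the gateway, and a mistyped prefix silently masquerades nothing. The following POSIX shell script is an added example, not code from the DigitalOcean guide: it validates the VPC prefix before it is pasted into a rule, confirms the exact rule is present in the text that iptables-save prints, and reports the FORWARD chain policy so you can see whether forwarding is restricted at all. The check_gateway function, the RUN_LIVE switch and the sample dumps are this example's assumptions; the dumps are constructed, not captured from a Droplet.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean guide. Offline checks over the text
# that `sysctl -n` and `iptables-save` print on the gateway Droplet.

# valid_cidr PREFIX: 0 if PREFIX is a dotted-quad IPv4 network with /0-/32.
# Catches typos before the prefix is pasted into a MASQUERADE rule.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  addr="${1%/*}"; len="${1#*/}"
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $addr; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# nat_rule_present PREFIX IFACE: reads an `iptables-save -t nat` dump on stdin
# and succeeds only if the exact rule the guide adds is in POSTROUTING.
# iptables-save prints the prefix in canonical form (10.118.0.0/20), so pass
# the network address, not a host address inside it.
nat_rule_present() {
  grep -Fxq -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# forward_policy: reads an `iptables-save -t filter` dump on stdin and prints
# the FORWARD chain policy (ACCEPT or DROP). The NAT rule only rewrites source
# addresses; this policy decides which packets may be forwarded at all.
forward_policy() {
  sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# check_gateway PREFIX IFACE: runs the checks against the live system.
check_gateway() {
  valid_cidr "$1" || { echo "invalid VPC prefix: $1" >&2; return 1; }
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] \
    || { echo "net.ipv4.ip_forward is not 1" >&2; return 1; }
  iptables-save -t nat | nat_rule_present "$1" "$2" \
    || { echo "no MASQUERADE rule for $1 via $2" >&2; return 1; }
  policy="$(iptables-save -t filter | forward_policy)"
  if [ "$policy" = ACCEPT ]; then
    echo "note: FORWARD policy is ACCEPT, so forwarding is not limited to $1" >&2
  fi
  echo "gateway checks passed for $1 via $2"
}

# Constructed samples (not captured from a real Droplet) of what iptables-save
# prints after the guide's rule is added with the prefix 10.118.0.0/20.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.118.0.0/20 -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_FILTER_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Stand-alone run evaluates the samples; RUN_LIVE=1 (assumed switch) checks the
# real system:  RUN_LIVE=1 sh check-gateway.sh 10.118.0.0/20 eth0
printf '%s\n' "$SAMPLE_NAT_DUMP" | nat_rule_present 10.118.0.0/20 eth0 \
  && echo "sample: MASQUERADE rule for 10.118.0.0/20 via eth0 present"
echo "sample: FORWARD policy is $(printf '%s\n' "$SAMPLE_FILTER_DUMP" | forward_policy)"
if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_gateway "${1:?VPC prefix required}" "${2:-eth0}"
fi
```

Run it on the gateway Droplet after a reboot to confirm that the persisted rule came back; a FORWARD policy of ACCEPT means every host in the VPC can use the gateway, which is the guide's implicit assumption and worth knowing about.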
After configuring the gateway Droplet, you need to configure new IP routes for any backend Droplets that should use the gateway to access the internet. These routes direct traffic destined for the internet through the gateway Droplet.
Because you will be redirecting the backend Droplet’s internet traffic through the gateway Droplet, you need to log in to the backend Droplet from the gateway Droplet. Otherwise, the SSH connection drops once you change the IP routes.
To log in to the backend Droplet from the gateway Droplet, open a new terminal on your local machine and run the following ssh command with the ProxyCommand option, replacing the <public_IP_of_gateway_Droplet> and <private_IP_of_backend_Droplet> values with the applicable IP addresses. The ProxyCommand option tells SSH to connect to the gateway Droplet first, and then use that connection to connect to the backend Droplet:
ssh -o ProxyCommand="ssh -W %h:%p root@<public_IP_of_gateway_Droplet>" root@<private_IP_of_backend_Droplet>
Once logged into the backend Droplet, you need to add an IP route to its network configuration that retains the Droplet’s access to its metadata endpoint (169.254.169.254). The metadata endpoint is a service provided by DigitalOcean that allows the Droplet to access data about itself, such as its IP address, DNS name server settings, and network interface information.
To do this, locate the backend Droplet’s original gateway IP address by sending the following curl request to the metadata endpoint:
curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/gateway
The command returns the backend Droplet’s current gateway address.
To create the necessary IP route, run the following command, replacing the <your-gateway-IP> value with the gateway IP address returned by the curl request:
ip route add 169.254.169.254 via <your-gateway-IP> dev eth0
The command line returns a blank prompt when executed.
Next, change the backend Droplet’s default route so that it points at the gateway Droplet’s private IP:
ip route change default via <private_IP_of_gateway_Droplet>
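The two route changes above only work in that order, and only from a session that does not itself depend on the default route. The following POSIX shell script is an added example, not code from the DigitalOcean guide: it refuses to run when the SSH session arrived over the public interface (the case in which the guide warns the connection drops), pins the metadata route first, and only then moves the default route. The function names, the RUN_LIVE switch, and the use of ip route replace instead of ip route add (the idempotent form, so a rerun does not fail on an existing route) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean guide: apply the backend Droplet's
# route changes in a safe order, from a session that will survive them.

# is_private_ipv4 ADDR: 0 if ADDR is in an RFC 1918 range (VPC networks use
# these ranges), 1 otherwise.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# session_is_via_vpc: 0 if the current SSH session's client address is private,
# i.e. the session reached this Droplet over eth1 (as the ProxyCommand login
# through the gateway does) and does not depend on the default route that is
# about to change. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port".
session_is_via_vpc() {
  client_ip="${SSH_CONNECTION%% *}"
  [ -n "$client_ip" ] && is_private_ipv4 "$client_ip"
}

# reroute_backend ORIGINAL_GW GATEWAY_PRIVATE_IP: pin the metadata endpoint to
# the original public gateway on eth0, then move the default route.
reroute_backend() {
  if [ -n "$SSH_CONNECTION" ] && ! session_is_via_vpc; then
    echo "refusing: this SSH session came in over the public interface" \
         "(client ${SSH_CONNECTION%% *}) and would drop; log in through the gateway" >&2
    return 1
  fi
  # Step 1 must come first: once the default route points at the gateway
  # Droplet, 169.254.169.254 would be sent there and metadata access is lost.
  ip route replace 169.254.169.254 via "$1" dev eth0 || return 1
  # Step 2: send everything else through the gateway Droplet's private IP.
  ip route change default via "$2" || return 1
  echo "routes updated; verify with: ip route get 8.8.8.8; ip route get 169.254.169.254"
}

# Live usage (assumed switch): RUN_LIVE=1 sh reroute-backend.sh <gateway private IP>
# The original gateway is read from the metadata endpoint exactly as in the guide.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  original_gw="$(curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/gateway)"
  [ -n "$original_gw" ] || { echo "could not read original gateway from metadata" >&2; exit 1; }
  reroute_backend "$original_gw" "${1:?gateway Droplet private IP required}"
fi
```

The guard is deliberately conservative: a console session has no SSH_CONNECTION and is allowed through, while any session whose client address is public is refused, because its reply packets would start leaving through the gateway the moment the default route changes.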
To persist these changes and ensure that the Droplet boots with the new default route, you need to remove the old gateway route and add the new gateway route to the Droplet’s network configuration file. Before you do, we recommend making a backup copy of the default network configuration file:
cp /etc/netplan/50-cloud-init.yaml /etc/netplan/50-cloud-init.yaml.backup
To edit your network configuration file, open /etc/netplan/50-cloud-init.yaml in a text editor:
nano /etc/netplan/50-cloud-init.yaml
Then remove the routes stanza containing the Droplet’s original gateway IP address from the eth0 interface and add the new route to the eth1 interface, as shown in the example below:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  version: 2
  ethernets:
    eth0:
      addresses:
      - 137.184.174.21/20
      - 10.20.0.7/16
      match:
        macaddress: 86:bc:46:82:4d:95
      mtu: 1500
      nameservers:
        addresses:
        - 67.207.67.3
        - 67.207.67.2
        search: []
      routes:
      - to: 0.0.0.0/0
        via: <original gateway address>
        # Remove this route from the file.
      set-name: eth0
    eth1:
      addresses:
      - 10.118.0.4/20
      match:
        macaddress: 5a:59:57:e0:f3:9d
      mtu: 1500
      nameservers:
        addresses:
        - 67.207.67.3
        - 67.207.67.2
        search: []
      routes:
      - to: 0.0.0.0/0
        via: <private IP address of gateway Droplet>
      set-name: eth1
Save the changes and exit the file. Then run the following command to apply the new network configuration:
netplan apply -debug
The -debug flag returns any YAML formatting errors in the configuration file. If formatted correctly, the command returns a blank prompt.
On Droplets that use yum, configure the gateway Droplet as follows. As before, you need to configure its IP forwarding and NAT settings.
IP forwarding allows the Droplet to act as a router and forward packets to target Droplets within your VPC network.
To enable IP forwarding, connect to your Droplet and run:
sysctl -w net.ipv4.ip_forward=1
To persist these changes, create the following file in a text editor:
vi /etc/sysctl.d/10-ip-forwarding.conf
Then add the following line to the file, save the file and then close it.
net.ipv4.ip_forward=1
Network address translation (NAT) converts the private IP addresses associated with your VPC network’s traffic to the IP address of your internet gateway, and vice versa. This allows the gateway to correctly route traffic between your backend resources and the public internet. You can configure the gateway Droplet to perform NAT using the native Linux utility, iptables.
To configure your gateway’s NAT, install iptables:
yum install iptables
Using iptables, configure the gateway Droplet to translate traffic from your VPC network’s subnet to the public IP of the gateway Droplet using the following command, replacing <vpc_network_prefix> with your VPC network’s private IP prefix:
iptables -t nat -A POSTROUTING -s <vpc_network_prefix> -o eth0 -j MASQUERADE
To locate your VPC network’s prefix from the control panel, click Networking in the main menu, then select the VPC tab. From the list of VPC networks, locate the target network. The network’s prefix is listed beside the public name in the second column.
On DigitalOcean Droplets, the default name for the public network interface is eth0. If you have changed this, replace eth0 in the iptables command with the correct interface name.
You can find your Droplet’s public interface name with ip:
ip -br a
The -br flag returns only basic information about the Droplet’s network interfaces for better readability. The a argument returns all IP addresses associated with the Droplet’s network interfaces.
To persist these changes so that the NAT rule is automatically enabled when the Droplet boots up, run:
iptables-save > /etc/sysconfig/iptables
iptables-save writes the current rules, including the NAT rule, to that file.
To confirm that the configuration is read at startup, use the find command to list the files under /etc that were accessed within the last day:
find /etc -type f -atime -1
If /etc/sysconfig/iptables is in the list, the iptables configuration was read at startup.
After configuring the gateway Droplet, any backend Droplets that you want to use the gateway to access the internet need to be configured with new IP routes. These routes direct traffic destined for the internet through the gateway Droplet.
Because you will be redirecting the backend Droplet’s internet traffic through the gateway Droplet, you need to log in to the backend Droplet from the gateway Droplet; otherwise, the SSH connection drops once you change the IP routes.
To log in to the backend Droplet from the gateway Droplet, open a new terminal on your local machine and run the following ssh command with the ProxyCommand option, replacing the <public_IP_of_gateway_Droplet> and <private_IP_of_backend_Droplet> values with the applicable IP addresses. The ProxyCommand option tells SSH to connect to the gateway Droplet first, and then use that connection to connect to the backend Droplet:
ssh -o ProxyCommand="ssh -W %h:%p root@<public_IP_of_gateway_Droplet>" root@<private_IP_of_backend_Droplet>
Once logged into the Droplet, you need to add an IP route to your network configuration that retains the Droplet’s access to its metadata endpoint (169.254.169.254). The metadata endpoint is a service provided by DigitalOcean that allows the Droplet to access data about itself, such as its IP address, DNS name server settings, and network interface information.
To do this, locate the backend Droplet’s original gateway IP address by sending the following curl request to the metadata endpoint:
curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/gateway
The command returns the backend Droplet’s current gateway address.
To create the necessary IP route, run the following command, replacing the <your-gateway-IP> value with the gateway IP address returned by the curl request:
ip route add 169.254.169.254 via <your-gateway-IP> dev eth0
The command line returns a blank prompt when executed.
Next, edit the Droplet’s network interface configurations to remove the old gateway route and to add the new one. To do this, first open the public interface (eth0) configuration in a text editor:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Then remove or comment out the default GATEWAY=<default_gateway_IP_address> field:
# Created by cloud-init on instance boot automatically, do not edit.
#
BOOTPROTO=none
DEFROUTE=yes
DEVICE=eth0
GATEWAY=<default_gateway_IP_address>
# Delete or comment out the `GATEWAY=default_gateway_IP_address` field.
HWADDR=2e:c1:31:1c:de:55
IPADDR=142.93.215.133
IPADDR1=10.47.0.6
IPV6ADDR=2400:6180:0100:00D0:0000:0000:00DB:5001/64
IPV6INIT=yes
IPV6_DEFAULTGW=2400:6180:0100:00D0:0000:0000:0000:0001
MTU=1500
NETMASK=255.255.240.0
vi opens files in command (normal) mode, in which keystrokes are interpreted as commands rather than inserted into the file. To edit a file in vi, switch to insert mode by pressing the i key. Once you are done editing the file, press the Esc key to exit insert mode. Then type :wq and press Enter to save the changes and close the file.
Next, open the private interface (eth1) configuration in a text editor:
vi /etc/sysconfig/network-scripts/ifcfg-eth1
Then add the last two lines shown below (GATEWAY and DEFROUTE) to the end of the file to set the new gateway route:
# Created by cloud-init on instance boot automatically, do not edit.
#
BOOTPROTO=none
DEVICE=eth1
HWADDR=06:ec:53:14:63:98
IPADDR=10.139.224.18
MTU=1500
NETMASK=255.255.0.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
GATEWAY=<private_ip_address_of_gateway_droplet>
DEFROUTE=yes
Save the changes to the file and then close it.
Once you have configured your network interfaces and added the IP route, reboot the Droplet for the changes to take effect:
sudo reboot
Once the Droplet has rebooted, log in to the Droplet again using the SSH ProxyCommand.
On Droplets whose interfaces are managed by NetworkManager keyfiles rather than ifcfg scripts, the gateway and routing steps above are the same, but the interface configuration lives under /etc/NetworkManager/system-connections. Next, edit the Droplet’s network interface configurations to remove the old gateway route and to add the new one. To do this, first open the public interface (eth0) configuration in a text editor:
vi /etc/NetworkManager/system-connections/cloud-init-eth0.nmconnection
Then remove or comment out the default route1=0.0.0.0/0,<default_gateway_IP_address> field:
# Generated by cloud-init. Changes will be lost.
[connection]
id=cloud-init eth0
uuid=1dd9a779-d327-56e1-8454-c65e2556c12c
type=ethernet
[user]
org.freedesktop.NetworkManager.origin=cloud-init
[ethernet]
mtu=1500
mac-address=D6:4B:77:B4:C0:36
[ipv4]
method=manual
may-fail=false
address1=178.128.238.189/20
route1=0.0.0.0/0,178.128.224.1
# Delete or comment out this route from the file.
address2=10.20.0.10/16
vi opens files in command (normal) mode, in which keystrokes are interpreted as commands rather than inserted into the file. To edit a file in vi, switch to insert mode by pressing the i key. Once you are done editing the file, press the Esc key to exit insert mode. Then type :wq and press Enter to save the changes and close the file.
Next, open the private interface (eth1) configuration in a text editor:
vi /etc/NetworkManager/system-connections/cloud-init-eth1.nmconnection
Then add the last line shown below (route1) to the end of the file to set the new gateway route:
# Generated by cloud-init. Changes will be lost.
[connection]
id=cloud-init eth1
uuid=3c50eb47-7260-5a6d-801d-bd4f587d6b58
type=ethernet
[user]
org.freedesktop.NetworkManager.origin=cloud-init
[ethernet]
mtu=1500
mac-address=D6:84:01:8D:69:63
[ipv4]
method=manual
may-fail=false
address1=10.118.0.8/20
route1=0.0.0.0/0,<private IP address of your gateway Droplet>
Save the changes to the file and then exit the editor.
Once you have configured your network interfaces and added the IP route, reboot the Droplet for the changes to take effect:
sudo reboot
Once the Droplet has rebooted, log in to the Droplet again using the SSH ProxyCommand.
The backend Droplet now routes internet traffic through the gateway Droplet. You can verify this by using ping and ip route.
ping verifies that your Droplet can reach the internet. To ping a website, run:
ping google.com
The command returns results that look like this:
root@backend:~# ping google.com
PING google.com (216.58.196.174) 56(84) bytes of data.
64 bytes from maa03s31-in-f14.1e100.net (216.58.196.174): icmp_seq=1 ttl=118 time=9.70 ms
64 bytes from maa03s31-in-f14.1e100.net (216.58.196.174): icmp_seq=2 ttl=118 time=8.38 ms
After you verify that the Droplet can reach the internet, use ip route to verify the network route the backend Droplet uses to reach an IP address on the internet. To use ip route, run:
ip route get 8.8.8.8
The command returns the network route the Droplet uses to reach the IP address 8.8.8.8. The gateway’s private IP address is the second IP address in the returned route.
root@backend:~# ip route get 8.8.8.8
8.8.8.8 via <gateway-private-IP-address> dev eth1 src <backend-droplet-private-IP-address> uid 0
Additionally, you can verify that the backend Droplet is inaccessible via the public internet by attempting to SSH to its public IP address from your local machine; the connection should fail.
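Reading the ip route get output by eye works once; after a reboot or a netplan change it is easy to miss that the metadata route went missing while the internet route still looks right. The following POSIX shell script is an added example, not code from the DigitalOcean guide: it parses ip route get lines and checks both routes at once, internet traffic via the gateway Droplet on eth1 and the metadata endpoint still via the original public gateway on eth0. The function names, the RUN_LIVE switch and the sample lines are this example's assumptions; the sample lines reuse addresses from the guide's netplan example with made-up gateway addresses and are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the DigitalOcean guide: parse `ip route get` output to
# confirm the backend Droplet's routes ended up where the guide expects.

# route_field KEY: reads `ip route get` output on stdin and prints the value
# following KEY (via, dev or src); prints nothing if KEY is absent, which is
# what a directly connected destination looks like (no "via").
route_field() {
  awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# route_matches EXPECTED_HOP EXPECTED_DEV: reads `ip route get` output on
# stdin; 0 if its next hop and device both match.
route_matches() {
  line="$(cat)"
  hop="$(printf '%s\n' "$line" | route_field via)"
  dev="$(printf '%s\n' "$line" | route_field dev)"
  [ "$hop" = "$1" ] && [ "$dev" = "$2" ]
}

# check_backend_routes GATEWAY_PRIVATE_IP ORIGINAL_GW: internet traffic must go
# to the gateway Droplet over eth1, while the metadata endpoint must still use
# the original public gateway over eth0 (otherwise the pinned route was skipped
# or lost at reboot and the Droplet has silently lost metadata access).
check_backend_routes() {
  ip route get 8.8.8.8 | route_matches "$1" eth1 \
    || { echo "internet traffic is not routed via $1 on eth1" >&2; return 1; }
  ip route get 169.254.169.254 | route_matches "$2" eth0 \
    || { echo "metadata endpoint is not routed via $2 on eth0" >&2; return 1; }
  echo "backend routes OK: internet via $1 (eth1), metadata via $2 (eth0)"
}

# Constructed sample lines in the format `ip route get` prints (addresses from
# the guide's netplan example, gateway addresses made up for this example).
SAMPLE_INTERNET_ROUTE='8.8.8.8 via 10.118.0.2 dev eth1 src 10.118.0.4 uid 0'
SAMPLE_METADATA_ROUTE='169.254.169.254 via 137.184.160.1 dev eth0 src 137.184.174.21 uid 0'
# What the metadata lookup looks like when the pinned route is missing: the
# default route swallows it and sends it to the gateway Droplet, which cannot
# answer for 169.254.169.254.
SAMPLE_METADATA_ROUTE_BROKEN='169.254.169.254 via 10.118.0.2 dev eth1 src 10.118.0.4 uid 0'

# Stand-alone run evaluates the samples; RUN_LIVE=1 (assumed switch) checks
# the real Droplet:  RUN_LIVE=1 sh check-backend.sh <gateway private IP> <original gateway>
printf '%s\n' "$SAMPLE_INTERNET_ROUTE" | route_matches 10.118.0.2 eth1 \
  && echo "sample: internet route goes via the gateway Droplet on eth1"
printf '%s\n' "$SAMPLE_METADATA_ROUTE_BROKEN" | route_matches 137.184.160.1 eth0 \
  || echo "sample: broken metadata route detected (via gateway Droplet instead of eth0)"
if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_backend_routes "${1:?gateway Droplet private IP}" "${2:?original public gateway}"
fi
```

Pass the original gateway address that the curl request to the metadata endpoint returned earlier; if the metadata check fails after a reboot, the persisted route in the netplan, ifcfg or keyfile configuration did not survive, even though ping and the internet route look healthy.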