A Private Droplet has no public network interface, so you can't SSH to it directly. The standard way in is a bastion host (jump host): a small Droplet with a public IP, in the same VPC, that you connect through. To keep that path tight, you put a Cloud Firewall on each Droplet: one that only lets you reach the bastion, and one that only lets the bastion reach the Private Droplet.
This tutorial walks through all four pieces from scratch:
- Create the Private Droplet.
- Create the bastion host in the same VPC.
- Configure a Cloud Firewall on the bastion (SSH from your IP only).
- Configure a Cloud Firewall on the Private Droplet (SSH from the bastion only).
Once that's done, you connect using the steps in How to Connect to a Private Droplet.
What a Private Droplet really is
A Private Droplet has a single private network interface (eth0) and no public IPv4. A traditional Droplet has two interfaces, public eth0 and private eth1. The difference is structural, not a setting you toggle after the fact:
- No public ingress except through a load balancer that fronts the VPC.
- No outbound internet access unless the VPC routes it through a NAT gateway.
- Uses the VPC local DNS resolver.
- Cannot be converted to or from a traditional Droplet; the private status is fixed at creation. To "convert," you snapshot and recreate.
- No price premium: a Private Droplet costs the same as a standard Droplet of the same size.
The design rule to internalize is that private stays private. There is no supported way to attach a public IP, Reserved IP, or BYOIP address later. That permanence is the feature: it makes the isolation claim defensible to an auditor.
Here is a sketch of the Private Droplet access path, for ease of understanding:
[Figure: Private Droplet's Architecture]
The shape is a private compute tier with three controlled edges: a bastion for human SSH access, a NAT gateway for outbound package/image pulls, and a load balancer for client ingress. The model server itself touches none of the public internet directly.

When to use a Private Droplet
A Private Droplet's defining trait is that it has no public network interface, it cannot be reached from the internet directly, and there is no supported way to add a public IP to it later. That isolation is the reason to choose one, and also the root of every tradeoff below.
Good fits:
- Back-end tiers that should never be public: databases, internal APIs, model servers, and other services that only need to be reached by other resources inside your VPC.
- Multi-tier architectures where only a front-end tier (behind a load balancer) is exposed, and everything behind it stays private.
- Workloads with strict network-isolation requirements, for example teams working toward HIPAA, SOC 2, or PCI obligations, where the requirement is "this system has no public IP," not "this system has a public IP that we firewall off." A structural guarantee is easier to evidence in an audit than a rule that could be changed. (Confirm any specific compliance wording with your own compliance team; the absence of a public interface is a network fact, not a certification.)
When a Private Droplet is the wrong tool:
- A simple public-facing server. If a service needs to accept traffic from the internet directly, a standard Droplet with a Cloud Firewall is simpler and does the job.
- Workloads that need constant, unpredictable outbound access. Private Droplets reach the internet only through a NAT gateway, which adds cost and a moving part. If a box needs broad egress all the time, weigh whether the isolation is worth it.
- Quick experiments or demos, where the operational overhead of a bastion and NAT gateway isn't justified.
Consequences to plan for:
- No direct SSH. You reach a Private Droplet only through a bastion host, which is exactly what this tutorial sets up. There is also no web-based Droplet console path that bypasses this; plan your access model before you need it.
- No outbound internet by default. Package updates, container pulls, and downloads require a VPC NAT gateway set as the VPC's default route. (A NAT gateway provides outbound only; it does not accept inbound connections, so it cannot replace the bastion.)
- The networking type is permanent. A Private Droplet cannot be converted to a public Droplet, and an existing Droplet cannot be converted to private. To change the type, snapshot the workload and recreate it.
- No cost premium, but added operational pieces. A Private Droplet costs the same as a standard Droplet of the same size. The real cost is operational: you take on a bastion host and, if you need egress, a NAT gateway.
- Some integrations differ. At the time of writing, the docs listed Control Panel creation, custom images, and DOKS worker nodes as unsupported for Private Droplets (the Control Panel checkbox shown in Step 1 reflects the UI as it appeared when this tutorial was written, so confirm which applies to your account). Check the Private Droplets documentation for the current list before you design around them.
Prerequisites
- A DigitalOcean account and a personal access token.
- An SSH key added to your account (you'll reference it by fingerprint). The same key should be installed on both Droplets. See How to Add SSH Keys to Droplets.
- A VPC in your target region (the region's default VPC is fine). Note its name, region, and UUID (doctl vpcs list shows the ID column).
- doctl installed and authenticated (doctl auth init). Upgrade doctl if --enable-public-networking is missing from doctl compute droplet create --help.
- Your own current public IP address, for locking down SSH to the bastion. You can find it by visiting any "what is my IP" service.
Step 1 — Create the Private Droplet
A Private Droplet is created by turning public networking off at creation time. This is permanent: you can't add public networking later, and you can't convert an existing Droplet into a Private Droplet.
Create it with doctl, placing it in your chosen VPC:
doctl compute droplet create private-app-01 \
  --region sfo3 \
  --size s-1vcpu-1gb \
  --image ubuntu-24-04-x64 \
  --vpc-uuid <your-vpc-uuid> \
  --ssh-keys <your-ssh-key-fingerprint> \
  --enable-public-networking=false
The --enable-public-networking=false flag is what makes the Droplet private (equivalent to "public_networking": false in the API).
After it's created, record two values you'll need later:
- The Droplet ID: run doctl compute droplet list --format ID,Name,PublicIPv4,PrivateIPv4.
- The VPC IP address: shown in the PrivateIPv4 column of that same doctl output and in the Control Panel under Connection Details; from inside the Droplet itself it is also available from the metadata path interfaces/private/0/ipv4/address. (A Private Droplet has only a VPC IP, no public IP.)
You can also create the Private Droplet using the Control Panel:
- Go to Droplets > Create Droplet.
- Choose the region you want to create the Private Droplet in.
- Pick the size you want.
- In the Networking section, uncheck the Public IPv4 address checkbox.
This creates a Private Droplet in the VPC and region you selected.

Next, you will create the bastion host.
Step 2 — Create the bastion host
The bastion is an ordinary Droplet with a public IP. The only hard requirement is that it sits in the same VPC and region as the Private Droplet, so it can reach it over the private network.
Using the Control Panel:
- Click Create > Droplets.
- Choose the same region as your Private Droplet.
- Pick a small size (for example, the smallest shared-CPU plan; a bastion does no real work).
- Under VPC Network, select the same VPC as your Private Droplet. This is the critical setting; if the bastion is in a different VPC, it won't be able to reach the Private Droplet.
- Under Authentication, select the same SSH key you used for the Private Droplet (or a different key you trust for bastion access).
- Name it something recognizable, such as bastion-01, and click Create Droplet.

When it finishes, note the bastion's public IP and its Droplet ID (visible in the Droplet list).
doctl equivalent:
doctl compute droplet create bastion-01 \
  --region sfo3 \
  --size s-1vcpu-1gb \
  --image ubuntu-24-04-x64 \
  --vpc-uuid <same-vpc-uuid> \
  --ssh-keys <your-ssh-key-fingerprint>
Note that there is no --enable-public-networking=false here, because the bastion needs its public IP.
Step 3 — Add a Cloud Firewall to the bastion
DigitalOcean Cloud Firewalls deny everything that isn't explicitly allowed: if there are no inbound rules, no inbound traffic is permitted. They are also stateful, so return traffic for an allowed connection is permitted automatically; you don't need a matching outbound rule for SSH replies. (Cloud Firewalls are separate from any on-Droplet firewall such as ufw.)
For the bastion, the only inbound you want is SSH from your own IP.
Using the Control Panel:
- Go to Networking > Firewalls > Create Firewall.
- Name it bastion-ssh.
- Under Inbound Rules, keep the SSH (TCP 22) rule but change its Sources from the default "All IPv4/All IPv6" to your public IP (for example 203.0.113.10/32). Remove the open defaults.
- Leave the Outbound Rules at their defaults (all TCP, all UDP, ICMP), so the bastion can still reach updates and the VPC.
- Under Apply to Droplets, select your bastion (bastion-01).
- Click Create Firewall.
Note: on the bastion's firewall, enter your own computer's public IP. This is the only place your laptop's IP goes. You're the one connecting to the bastion from the outside, so the bastion should accept SSH only from you. If that IP changes (home broadband, mobile, a new office), update this rule first, or you lock yourself out of the bastion and therefore out of the Private Droplet.
If you are using a Mac (or any system with curl), you can use the command below to get your public/external IP address:
curl ifconfig.me
doctl equivalent:
doctl compute firewall create \
  --name "bastion-ssh" \
  --inbound-rules "protocol:tcp,ports:22,address:<your-ip>/32" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0" \
  --droplet-ids <bastion-droplet-id>
Step 4 — Add a Cloud Firewall to the Private Droplet
For the Private Droplet, the only inbound you want is SSH from the bastion.
Using the Control Panel:
- Go to Networking > Firewalls > Create Firewall.
- Name it private-droplet-ssh.
- Under Inbound Rules, keep SSH (TCP 22) and set its Sources to your bastion Droplet: start typing its name (bastion-01) and select it. This restricts SSH to traffic coming from the bastion over the VPC. Pick the Droplet itself rather than the VPC CIDR; a CIDR source would also admit any other Droplet that later lands in that VPC.
- Leave the Outbound Rules at their defaults.
- Under Apply to Droplets, select your Private Droplet (private-app-01).
- Click Create Firewall.
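Steps 1 through 4 as one script, added here as an example; it is not DigitalOcean's own code. It runs in dry-run mode (printing each doctl command) until DO_APPLY=1 is set, refuses to build the bastion rule from anything other than a single IPv4 host address (a 0.0.0.0/0 or a pasted CIDR would expose SSH on the bastion to the whole internet), and feeds the bastion's Droplet ID into the Private Droplet's rule using doctl's droplet_id: source key instead of a VPC CIDR. VPC_UUID, SSH_FP and MY_IP are assumptions you supply through the environment; the region, size, image and names follow the tutorial.

```shell
#!/bin/sh
# Added example (not DigitalOcean's code): Steps 1-4 of the tutorial in one pass.
# Dry-run by default; set DO_APPLY=1 to execute the doctl commands.
# VPC_UUID, SSH_FP and MY_IP are assumptions you must supply.
set -u

REGION="${REGION:-sfo3}"
SIZE="${SIZE:-s-1vcpu-1gb}"
IMAGE="${IMAGE:-ubuntu-24-04-x64}"
VPC_UUID="${VPC_UUID:-<your-vpc-uuid>}"
SSH_FP="${SSH_FP:-<your-ssh-key-fingerprint>}"
MY_IP="${MY_IP:-203.0.113.10}"   # your workstation's public IP (RFC 5737 placeholder)

# Default outbound rules, the same ones the Control Panel applies in Step 3.
DEFAULT_OUTBOUND='protocol:tcp,ports:all,address:0.0.0.0/0 protocol:udp,ports:all,address:0.0.0.0/0 protocol:icmp,address:0.0.0.0/0'

# Accept exactly one IPv4 host address (four octets, each 0-255). Rejects a
# CIDR suffix, 0.0.0.0 and anything else that would widen "my IP" into
# "anyone": this rule is all that stands between the internet and bastion SSH.
is_ipv4_host() {
  case "$1" in ''|*[!0-9.]*|0.0.0.0) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    [ -n "$oct" ] && [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# Inbound rule for the bastion: SSH from one host only.
bastion_inbound_rule() { printf 'protocol:tcp,ports:22,address:%s/32' "$1"; }

# Inbound rule for the Private Droplet: SSH only from the bastion Droplet,
# referenced by ID so that other members of the VPC are not admitted.
private_inbound_rule() { printf 'protocol:tcp,ports:22,droplet_id:%s' "$1"; }

# Execute a command, or only print it in dry-run mode.
run() {
  if [ "${DO_APPLY:-0}" = "1" ]; then "$@"; else printf 'dry-run: %s\n' "$*"; fi
}

# Look up a Droplet's ID by name (apply mode only; needs doctl auth).
droplet_id_by_name() {
  doctl compute droplet list --format ID,Name --no-header | awk -v n="$1" '$2 == n { print $1 }'
}

provision() {
  if ! is_ipv4_host "$MY_IP"; then
    echo "MY_IP must be a single IPv4 address, got '$MY_IP'" >&2
    return 1
  fi
  # Step 1: the Private Droplet. --enable-public-networking=false is permanent.
  run doctl compute droplet create private-app-01 --region "$REGION" --size "$SIZE" \
      --image "$IMAGE" --vpc-uuid "$VPC_UUID" --ssh-keys "$SSH_FP" \
      --enable-public-networking=false --wait
  # Step 2: the bastion, same VPC, public networking left on.
  run doctl compute droplet create bastion-01 --region "$REGION" --size "$SIZE" \
      --image "$IMAGE" --vpc-uuid "$VPC_UUID" --ssh-keys "$SSH_FP" --wait
  if [ "${DO_APPLY:-0}" = "1" ]; then
    bastion_id=$(droplet_id_by_name bastion-01)
    private_id=$(droplet_id_by_name private-app-01)
  else
    bastion_id='<bastion-droplet-id>'; private_id='<private-droplet-id>'
  fi
  # Step 3: the bastion accepts SSH from your IP only.
  run doctl compute firewall create --name bastion-ssh \
      --inbound-rules "$(bastion_inbound_rule "$MY_IP")" \
      --outbound-rules "$DEFAULT_OUTBOUND" --droplet-ids "$bastion_id"
  # Step 4: the Private Droplet accepts SSH from the bastion only.
  run doctl compute firewall create --name private-droplet-ssh \
      --inbound-rules "$(private_inbound_rule "$bastion_id")" \
      --outbound-rules "$DEFAULT_OUTBOUND" --droplet-ids "$private_id"
}

provision
```

Run it once without DO_APPLY to read the four commands it would issue, then with VPC_UUID, SSH_FP and MY_IP exported and DO_APPLY=1 to create the resources. Because Cloud Firewalls default-deny inbound, the order matters only in that the bastion must exist before its ID can be used as the Private Droplet's source.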

Step 5 — Connect
Both Droplets now exist, they share a VPC, and the firewalls allow exactly one way in: your machine to the bastion, and the bastion to the Private Droplet. From here, follow the SSH steps in the official guide, How to Connect to a Private Droplet.
In short, you'll use ssh -J (ProxyJump) to hop through the bastion to the Private Droplet's VPC IP. Remember that the default login user on most DigitalOcean images is root.
ssh -J <bastion-user>@<bastion-public-ip> <private-user>@<private-vpc-ip>
For example, with root as the user on both Droplets:
ssh -J root@<bastion-public-ip> root@<private-vpc-ip>
You can find the Private Droplet's VPC IP in the Control Panel under Networking > VPC, or with doctl compute droplet get <private-droplet-id> --format PrivateIPv4.
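An added example, not part of the official guide, that turns the ssh -J command above into a persistent ssh_config fragment so the jump becomes plain ssh private-app-01, and that also prints the one-shot command. The IPs and key path are placeholders you supply; it assumes root as the login user on both Droplets, as noted above. The fragment disables agent forwarding to the bastion, which ProxyJump does not need and which a compromised bastion could otherwise abuse, and pins IdentitiesOnly so only the named key is offered. Add the line Include private-droplet.conf at the top of ~/.ssh/config to activate it.

```shell
#!/bin/sh
# Added example (not from the tutorial or DigitalOcean): writes an ssh_config
# fragment for the bastion + Private Droplet pair and prints the ssh -J
# equivalent. Addresses and key path are placeholders you supply.
set -u

# Produce the ssh_config text.
# $1 bastion public IP, $2 Private Droplet VPC IP, $3 path to your private key.
ssh_config_text() {
  bastion_ip=$1; private_ip=$2; key=$3
  cat <<EOF
# Bastion: the only host reachable from your workstation.
Host bastion-01
    HostName $bastion_ip
    User root
    IdentityFile $key
    IdentitiesOnly yes
    # ProxyJump does not need your agent on the bastion; never forward it,
    # or a compromised bastion can sign with your keys.
    ForwardAgent no

# Private Droplet: reached only through the bastion (ProxyJump is ssh -J).
Host private-app-01
    HostName $private_ip
    User root
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump bastion-01
EOF
}

# The one-shot equivalent of the config above.
ssh_jump_command() {
  printf 'ssh -J root@%s root@%s' "$1" "$2"
}

# Write the fragment as $1/private-droplet.conf with safe permissions and
# print its path. $1 config directory (normally ~/.ssh), $2 bastion IP,
# $3 Private Droplet VPC IP, $4 private key path.
install_ssh_config() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir"
  ssh_config_text "$2" "$3" "$4" > "$dir/private-droplet.conf"
  chmod 600 "$dir/private-droplet.conf"
  printf '%s\n' "$dir/private-droplet.conf"
}

# Show what would be written, using placeholders unless overridden.
ssh_config_text "${BASTION_IP:-<bastion-public-ip>}" "${PRIVATE_IP:-<private-vpc-ip>}" "${KEY:-$HOME/.ssh/id_ed25519}"
ssh_jump_command "${BASTION_IP:-<bastion-public-ip>}" "${PRIVATE_IP:-<private-vpc-ip>}"; echo
```

Usage: BASTION_IP=<bastion-public-ip> PRIVATE_IP=<private-vpc-ip> sh jump.sh prints the fragment; call install_ssh_config "$HOME/.ssh" <bastion-public-ip> <private-vpc-ip> ~/.ssh/id_ed25519 to write it. The first connection through the bastion prompts for two host keys (the bastion's and the Private Droplet's); verify both against the Droplets' console output rather than accepting blindly.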

And that's it! You have created a Private Droplet and a bastion host with Cloud Firewalls. You can now connect to the Private Droplet using the bastion host as a jump host.
Quick Verification Checklist
Make sure the following are true:
- Both Droplets show the same VPC under Networking > VPC.
- The bastion firewall allows TCP 22 from your IP only, not "All IPv4".
- The Private Droplet firewall allows TCP 22 from the bastion (or, less strictly, the VPC CIDR) and nothing else inbound.
- Each firewall is actually applied to the correct Droplet (check Apply to Droplets).
- Negative checks pass too: from the bastion, ssh to the Private Droplet's VPC IP works; from any address other than yours, ssh to the bastion's public IP times out; and the Private Droplet has no public IP to try at all.
Notes and limitations
- A NAT gateway is only needed if the Private Droplet requires outbound internet (package updates, image pulls). It does not provide inbound access, so you can't SSH through it; the bastion is required. See How to Create a NAT Gateway.
- Cloud Firewalls are stateful and are separate from any on-Droplet firewall (ufw, firewalld); if you run both, make sure their rules don't conflict.
- For other Private Droplet behavior and current limitations, see the Private Droplets documentation.
Further reading
- How to Connect to a Private Droplet
- Private Droplets: overview and limitations
- Cloud Firewalls: how to configure rules
- VPC best practices (bastion guidance)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.