
DigitalOcean VPC & Networking Guide

Guide to DigitalOcean networking covering VPCs, Cloud Firewalls, Load Balancers, Reserved IPs, DNS management, SSL certificates, and network architecture patterns.

CloudToolStack Team | 22 min read | Published Mar 14, 2026

DigitalOcean Networking and VPC

DigitalOcean provides a comprehensive networking stack that includes Virtual Private Clouds (VPCs), Cloud Firewalls, Load Balancers, Reserved IPs, DNS management, and VPC Peering. While simpler than the networking models of AWS, Azure, or GCP, DigitalOcean's networking is powerful enough for most production workloads and significantly easier to configure and manage. This guide covers the networking architecture, VPC design patterns, firewall strategies, load balancing, and DNS configuration for DigitalOcean deployments.

VPC Architecture

Default and Custom VPCs

Every DigitalOcean region has a default VPC that all resources are placed in unless you specify otherwise. Default VPCs use auto-assigned IP ranges and provide basic private networking between resources in the same region. For production deployments, you should create custom VPCs with specific IP ranges to enable better network segmentation and security.

bash
# Create a production VPC
doctl vpcs create \
  --name "prod-vpc" \
  --region nyc3 \
  --ip-range "10.10.0.0/16" \
  --description "Production network"

# Create a staging VPC (separate IP range)
doctl vpcs create \
  --name "staging-vpc" \
  --region nyc3 \
  --ip-range "10.20.0.0/16" \
  --description "Staging network"

# List VPCs
doctl vpcs list

VPC IP Ranges

VPC IP ranges must be within the RFC 1918 private address space: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. The range must be between /16 and /24. Choose non-overlapping ranges if you plan to use VPC Peering. DigitalOcean does not support subnets within a VPC. All resources in a VPC share the same IP range and can communicate directly.

VPC Peering

VPC Peering connects two VPCs so resources in each can communicate using private IP addresses. This is useful for connecting production and shared-services VPCs, or for connecting VPCs across different environments while maintaining network isolation. Peered VPCs must have non-overlapping IP ranges and be in the same DigitalOcean region.
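The constraints above (RFC 1918 space, a prefix between /16 and /24, and disjoint ranges for any VPCs you intend to peer) are easy to check before running doctl. The following Python helper is an added example, not part of the original guide; the function names and the 10.0.0.0/8 allocation base are my own choices.

```python
import ipaddress

# RFC 1918 blocks DigitalOcean accepts for VPC ranges, and the allowed prefix sizes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 24

def validate_vpc_range(cidr, existing=()):
    """Return a list of problems with a proposed VPC range; an empty list means OK.

    `existing` holds ranges of VPCs already in the region that this VPC may
    need to peer with; any overlap is reported, since peering requires disjoint ranges.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits, e.g. 10.10.0.1/16
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["VPC ranges must be IPv4"]
    problems = []
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("not inside RFC 1918 private space")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps {other}; peering with it would be impossible")
    return problems

def allocate_ranges(names, base="10.0.0.0/8", prefix=16, reserved=()):
    """Hand out non-overlapping /prefix ranges from `base`, one per VPC name,
    skipping anything in `reserved` (ranges already used in the region)."""
    taken = [ipaddress.ip_network(r) for r in reserved]
    candidates = ipaddress.ip_network(base).subnets(new_prefix=prefix)
    plan = {}
    for name in names:
        for cand in candidates:            # generator: resumes after the last pick
            if not any(cand.overlaps(t) for t in taken):
                plan[name] = str(cand)
                taken.append(cand)
                break
        else:
            raise ValueError(f"no free /{prefix} left in {base} for {name}")
    return plan
```

Feed `allocate_ranges` the ranges of the VPCs already in the region (from `doctl vpcs list`) and pass its output to `--ip-range` when creating the new VPCs.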

bash
# Create a VPC peering connection
doctl vpcs peerings create \
  --name "prod-to-shared" \
  --vpc-ids <prod-vpc-id>,<shared-vpc-id>

# List peering connections
doctl vpcs peerings list <vpc-id>

Cloud Firewalls

Cloud Firewalls are stateful packet filters that control inbound and outbound traffic to your Droplets. They operate at the network edge, filtering traffic before it reaches your Droplet's network interface. This provides better security than host-based firewalls alone because malicious traffic is dropped before it reaches the OS. Cloud Firewalls are free and can be applied to Droplets by ID or tag.

Firewall Design Patterns

The most effective approach is to create role-based firewalls that are applied via tags. Create separate firewalls for web servers, application servers, database servers, and bastion hosts, then tag Droplets with the appropriate role.

bash
# Web server firewall: HTTP/HTTPS from anywhere, SSH from VPC only
doctl compute firewall create \
  --name "fw-web" \
  --inbound-rules "protocol:tcp,ports:80,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:443,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:22,address:10.10.0.0/16" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0 protocol:icmp,address:0.0.0.0/0,address:::/0" \
  --tag-names "web"

# App server firewall: app port from LB only, SSH from VPC
doctl compute firewall create \
  --name "fw-app" \
  --inbound-rules "protocol:tcp,ports:8080,tag:load-balancer protocol:tcp,ports:22,address:10.10.0.0/16" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:all,address:0.0.0.0/0,address:::/0 protocol:icmp,address:0.0.0.0/0,address:::/0" \
  --tag-names "app"

# Database firewall: DB port from app servers only
doctl compute firewall create \
  --name "fw-db" \
  --inbound-rules "protocol:tcp,ports:5432,tag:app protocol:tcp,ports:22,address:10.10.0.0/16" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 protocol:udp,ports:53,address:0.0.0.0/0,address:::/0" \
  --tag-names "database"

Outbound Rules Are Important

Do not forget outbound rules. If you create a firewall with only inbound rules, all outbound traffic is blocked by default. This prevents your Droplet from making DNS queries, downloading packages, or connecting to external APIs. At minimum, allow outbound TCP to all destinations and UDP port 53 for DNS. For higher security, restrict outbound to specific destinations.
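The two mistakes this section and the design patterns above warn about (SSH or database ports open to the whole internet, and a firewall with no outbound rules) can be caught by auditing the JSON that `doctl compute firewall list --output json` returns. This Python audit is an added example, not code from the original guide; the sample input is constructed to match doctl's output shape and the function names are mine.

```python
import json

PUBLIC = {"0.0.0.0/0", "::/0"}   # "anywhere" in doctl rule syntax
WEB_PORTS = {"80", "443"}         # the only ports expected open to the internet

def allows(rules, protocol, port):
    """True if some rule covers protocol/port ('all', a single port or 'lo-hi')."""
    for r in rules:
        p = str(r.get("ports", ""))
        lo, _, hi = p.partition("-")
        if r.get("protocol") == protocol and (p in ("all", "0") or
                lo.isdigit() and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def audit_firewall(fw):
    """Return findings for one firewall object as emitted by doctl --output json."""
    findings = []
    for r in fw.get("inbound_rules", []):
        public = PUBLIC & set(r.get("sources", {}).get("addresses", []))
        if r.get("protocol") == "icmp" or not public:
            continue                       # VPC range, tag or Droplet source: fine
        port = str(r.get("ports"))
        if r["protocol"] == "tcp" and port == "22":
            findings.append("SSH/22 open to the internet; limit to the VPC CIDR or a bastion")
        elif port not in WEB_PORTS:
            findings.append(f"{r['protocol']}/{port} open to the internet")
    out = fw.get("outbound_rules", [])
    if not out:
        findings.append("no outbound rules: all egress (DNS, updates, APIs) is blocked")
    elif not allows(out, "udp", 53):
        findings.append("outbound UDP/53 missing: DNS lookups will fail")
    return findings

def audit(doctl_json):
    return {fw["name"]: audit_firewall(fw) for fw in json.loads(doctl_json)}

SAMPLE = json.dumps([  # constructed sample shaped like doctl's JSON output, not real data
  {"name": "fw-web",
   "inbound_rules": [
     {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
     {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["10.10.0.0/16"]}}],
   "outbound_rules": [
     {"protocol": "tcp", "ports": "all", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
     {"protocol": "udp", "ports": "53", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}}]},
  {"name": "fw-db-bad",
   "inbound_rules": [
     {"protocol": "tcp", "ports": "5432", "sources": {"addresses": ["0.0.0.0/0"]}},
     {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["0.0.0.0/0"]}}],
   "outbound_rules": []}])
```

Running `audit(SAMPLE)` reports nothing for `fw-web` and three findings for `fw-db-bad`; in practice, pipe the real doctl output into `audit` from a scheduled job so a rule change that exposes a database port is noticed quickly.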

Load Balancers

DigitalOcean Load Balancers distribute incoming traffic across multiple Droplets or Kubernetes nodes. They support HTTP, HTTPS, HTTP/2, TCP, and UDP protocols, with SSL termination, sticky sessions, proxy protocol, and health checks. Load Balancers are regional and can be deployed in any DigitalOcean region.

Load Balancer Sizes

text
Load Balancer Sizes:
  lb-small   - 10,000 simultaneous connections   - $12/mo
  lb-medium  - 25,000 simultaneous connections   - $24/mo
  lb-large   - 100,000 simultaneous connections  - $48/mo

Creating a Load Balancer

bash
# Create a Load Balancer with HTTPS and health checks
doctl compute load-balancer create \
  --name "prod-web-lb" \
  --region nyc3 \
  --size lb-small \
  --vpc-uuid <vpc-uuid> \
  --forwarding-rules "entry_protocol:https,entry_port:443,target_protocol:http,target_port:8080,certificate_id:<cert-id> entry_protocol:http,entry_port:80,target_protocol:http,target_port:8080" \
  --health-check "protocol:http,port:8080,path:/health,check_interval_seconds:10,response_timeout_seconds:5,healthy_threshold:3,unhealthy_threshold:5" \
  --redirect-http-to-https \
  --enable-backend-keepalive \
  --tag-name "web"

# The load balancer automatically includes all Droplets tagged "web"

SSL Certificates

DigitalOcean provides free managed SSL certificates via Let's Encrypt. You can also upload custom certificates. Managed certificates auto-renew before expiration, eliminating the need for manual certificate management.

bash
# Create a managed (Let's Encrypt) certificate
doctl compute certificate create \
  --name "example-cert" \
  --type lets_encrypt \
  --dns-names "example.com,www.example.com"

# List certificates
doctl compute certificate list

DNS Management

DigitalOcean provides free DNS hosting with the ability to manage A, AAAA, CNAME, MX, TXT, NS, SRV, and CAA records. DNS is managed per domain and supports automatic record creation for Droplets, Load Balancers, and Spaces.

bash
# Add a domain
doctl compute domain create example.com

# Create DNS records
doctl compute domain records create example.com \
  --record-type A --record-name @ --record-data <lb-ip> --record-ttl 3600

doctl compute domain records create example.com \
  --record-type CNAME --record-name www --record-data @ --record-ttl 3600

doctl compute domain records create example.com \
  --record-type MX --record-name @ --record-data mail.example.com. \
  --record-priority 10 --record-ttl 14400

doctl compute domain records create example.com \
  --record-type TXT --record-name @ \
  --record-data "v=spf1 include:_spf.google.com ~all" --record-ttl 3600

# List records
doctl compute domain records list example.com

Reserved IPs

Reserved IPs (formerly Floating IPs) are static public IPv4 addresses that can be instantly reassigned between Droplets in the same datacenter region. They are essential for high-availability configurations where you need a stable IP address that can move between servers during failover. Reserved IPs are free when assigned to a Droplet and $5/month when unassigned.

bash
# Create and assign a reserved IP
doctl compute reserved-ip create --region nyc3
doctl compute reserved-ip-action assign <ip> <droplet-id>

# Reassign during failover
doctl compute reserved-ip-action assign <ip> <standby-droplet-id>

Network Architecture Patterns

Simple Web Application

For a simple web application, use a Load Balancer in front of multiple web server Droplets, all in the same VPC. Web servers connect to a managed database via private networking. Cloud Firewalls restrict access: web servers accept HTTP/HTTPS from anywhere, the database accepts connections only from web server Droplets.

Multi-Tier Application

For a multi-tier application, use separate VPCs for each tier (web, app, data) with VPC Peering for controlled communication between tiers. The web tier is the only tier with public internet access. App servers receive traffic only from the web tier Load Balancer. Database servers accept connections only from app servers. This provides defense-in-depth network isolation.

Multi-Region Deployment

For multi-region deployments, deploy identical stacks in multiple DigitalOcean regions and use an external DNS provider (Cloudflare, Route 53) with geographic or latency-based routing to direct users to the closest region. DigitalOcean does not support cross-region VPC Peering, so inter-region communication must traverse the public internet (use TLS encryption).

Network Security Checklist

For production deployments:

  1. Use custom VPCs with defined IP ranges.
  2. Apply Cloud Firewalls to all Droplets via tags.
  3. Restrict SSH to VPC CIDR ranges or a bastion host.
  4. Use private networking for all internal communication.
  5. Enable SSL on Load Balancers with managed certificates.
  6. Configure managed database trusted sources.
  7. Use Reserved IPs for services that need stable public addresses.

Key Takeaways

  1. Custom VPCs provide network isolation with user-defined IP ranges between /16 and /24.
  2. VPC Peering connects VPCs for cross-environment private communication.
  3. Cloud Firewalls are free, stateful, and applied by Droplet ID or tag.
  4. Load Balancers support HTTP/HTTPS/TCP/UDP with managed SSL certificates.
  5. Reserved IPs enable instant failover by reassigning static public IPs between Droplets.
  6. DigitalOcean DNS hosting is free and supports all standard record types.

Frequently Asked Questions

Does DigitalOcean support subnets within a VPC?

No. DigitalOcean VPCs use a flat network model without subnets. All resources in a VPC share the same IP range. For network segmentation, use multiple VPCs with VPC Peering.

Are Cloud Firewalls free?

Yes. Cloud Firewalls are completely free with no limits on the number of firewalls or rules. This is a significant advantage over some providers that charge for security groups or firewall services.

Can I do cross-region VPC Peering?

No. VPC Peering is only supported within the same DigitalOcean region. For cross-region communication, use public IP addresses with TLS encryption or set up a VPN between regions.

Written by CloudToolStack Team

Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.

Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.