A VPC network on DigitalOcean is fundamentally a private layer-2 broadcast domain, not a routed IP network as the name "Virtual Private Cloud" might suggest.

Let’s see it in action. Imagine you have two Droplets, droplet-a and droplet-b, both in the same VPC.

# On droplet-a
sudo ip addr show eth1
# You'll see an IP address like 10.10.0.5/24 assigned to eth1

# On droplet-b
sudo ip addr show eth1
# You'll see an IP address like 10.10.0.6/24 assigned to eth1

# From droplet-a, ping droplet-b's private IP
ping 10.10.0.6
# This should work immediately.

The eth1 interface on each Droplet is automatically configured by DigitalOcean’s agent with an IP address from the VPC’s subnet. This interface is what connects your Droplet to the private network. The magic is that these Droplets can directly communicate using these private IPs without any public routing or NAT.

Here’s how you set it up:

  1. Create the VPC:

    • Go to the DigitalOcean control panel.
    • Navigate to "Networking" and then "VPCs."
    • Click "Create VPC."
    • Give it a name, e.g., my-app-vpc.
    • Choose a region, e.g., nyc3.
    • Define a subnet. A common choice is 10.10.0.0/24. This gives you 254 usable private IP addresses. You can also choose 10.10.1.0/24, 10.10.2.0/24, up to 10.10.254.0/24. The 10.x.x.x range is reserved for private networks.
    • Click "Create VPC."
  2. Add Droplets to the VPC:

    • When creating a new Droplet, under "Choose a datacenter region," you’ll see your VPC listed. Select it.
    • The Droplet will automatically be provisioned with an eth1 interface connected to this VPC.
    • To add an existing Droplet to a VPC:
      • Go to the Droplet’s page.
      • Click "Settings."
      • Under "Networking," find the VPC section and click "Add to VPC."
      • Select your VPC and click "Add."

Once a Droplet is in a VPC, its eth1 interface gets an IP from the VPC’s subnet. This private IP is only visible and routable within that specific VPC. All Droplets within the same VPC, regardless of their public IP addresses or physical location (within the same region), can communicate freely using these private IPs. The system handles the L2 switching behind the scenes.

The core problem this solves is secure, low-latency inter-Droplet communication without exposing traffic to the public internet. It’s ideal for database clusters, application servers talking to microservices, or any scenario where machines need to communicate privately and quickly. You have full control over which Droplets are in which VPCs, effectively segmenting your infrastructure.
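A private IP on eth1 does not by itself keep a service off the public interface, so the following check is added here as an example (it is not code from the original article or from DigitalOcean). It labels each listening TCP socket from `ss -H -tln` against the article's example subnet 10.10.0.0/24; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: label listening TCP sockets relative to a VPC subnet.
# On a Droplet: ss -H -tln | classify_listeners 10.10.0.0/24

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET/BITS: succeeds when ADDR lies inside the subnet.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# Reads `ss -H -tln` lines on stdin; prints "LABEL ADDR PORT" per socket.
classify_listeners() {
    vpc_cidr=$1
    while read -r _state _recvq _sendq laddr _rest; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        addr=${addr%%\%*}      # drop scope suffix such as 127.0.0.53%lo
        case $addr in
            0.0.0.0|\*|\[::\]) label=ALL-INTERFACES ;;  # public interface included
            127.*|\[::1\])     label=loopback ;;
            *.*.*.*) if in_cidr "$addr" "$vpc_cidr"
                     then label=vpc-only; else label=other-address; fi ;;
            *)                 label=other-address ;;
        esac
        echo "$label $addr $port"
    done
}

# Constructed sample in `ss -H -tln` format (not captured from a real host).
SAMPLE='LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 244  10.10.0.5:5432    0.0.0.0:*
LISTEN 0 511  127.0.0.1:6379    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 511  *:80              *:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 128  203.0.113.10:8080 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | classify_listeners 10.10.0.0/24
```

Anything labelled ALL-INTERFACES is also listening on the Droplet's public interface, so a database meant only for VPC peers should show up as vpc-only.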

You can also configure firewall rules at the VPC level to control traffic between Droplets or between Droplets and the internet.

What most people miss is that the VPC subnet ranges you define are not globally unique across DigitalOcean. Multiple users in the same region can create VPCs with the exact same subnet, like 10.10.0.0/24. The isolation is achieved because your Droplets are only connected to your VPC’s private network segment. There’s no cross-tenant routing at the L2 level.

The next logical step after setting up private communication is to control what traffic is allowed in and out of your VPC using VPC firewall rules.
