DO Ideas 2

Private Back-End Network Support

I suggest you to create private Local Area Network (LAN), in each datacenter.
It should allow creating sets of front-end webserver and back-end database server.

  • jet tsang
  • Sep 11 2018
  • Shipped
  • Sep 11, 2018

    Admin Response

    Great news! DigitalOcean now offers shared private networking in NYC2. All new droplets created in NYC2 have the option of using private networking; it can be activated by choosing the checkbox called "Private Networking" in the settings section of the droplet create page. Click here for the full tutorial to learn more: https://www.digitalocean.com/community/articles/how-to-set-up-and-use-digitalocean-private-networking Thank you for continuing to use Uservoice as a feedback platform for DigitalOcean. You have done an amazing job helping us guide our product roadmap. We are looking forward to releasing more exciting new features in the near future. Stay tuned! PS> We are evaluating the rollout of private networking in the other regions. If we are unable to roll it out in the specific region we will be adding another region in the same geography which will support it as well as all future coming network enhancements like IPv6 and elastic IPs.
  • Attach files
  • The Digital Orchard commented
    September 11, 2018 19:55

    I was discouraged to learn that private networking is only available in the New York DC. I'm on the West Coast, and one of my motivations for adopting Digital Ocean was to have servers geographically closer to my customer and user bases. I've already begun rolling out droplets in the San Fran DC only to discover that private networking is not supported there. Boo!

  • Chris M commented
    September 11, 2018 19:55

    Any news on if/when this will be available in other DCs?

  • Chris M commented
    September 11, 2018 19:55

    A couple of questions - any ETA on when this will be available in SF and will you be able to retrofit it to existing droplets? I'm looking a moving a bunch of EC2 instances, but this is a pretty critical feature, esp. when using nosql db's which have virtually zero security...

  • Craig commented
    September 11, 2018 19:55

    Sitting with fingers crossed that Amsterdam gets this at some point soon, then I can move my Database server to DO as well

    ;-)

  • Anonymous commented
    September 11, 2018 19:55

    please enable creating droplets with private networking enable thru the API and when getting a list of droplets thru the API show both the public and private IP.

  • Thanh Nguyen commented
    September 11, 2018 19:55

    It's out, finally :-)

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Yeah! its done!

  • Matt commented
    September 11, 2018 19:55

    Thinking about the technical issues they might have in implementing this is no joke, I can immagine it takes time and planning, Right now they probably have bought a massive amount of public Ip addresses, so each droplet can have its own, now each droplet is in fact a virtual machine on the host server,so the host server will have already an internal ip address , and their public ip get routed to that internal ip address which then the host takes and routs to your droplet on some loopback kinda network,now giving each droplet a private ip if it was not implemented before means they gonna have to modify thousands of droplets in a delicate way adding virtual network card or assigning the new Ip which could cause the droplet to not respond correctly (epic fail),once every droplet has it's private ip then there is actually a security issue cause from those droplets you could reach the internal infrastructure attacking host servers directly so you have to setup a Whole bunch of rules I guess to isolate each droplet so he a cannot do harm to host servers(the main machines hosting many droplets) internally + a Whole bunch of other thingies... I guess its no joke..

  • Matt commented
    September 11, 2018 19:55

    Can't wait to implement it!! Good work guys

  • Anonymous commented
    September 11, 2018 19:55

    Woot!

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We should be announcing this next week! =]

    Starting first with the NY2 region and then moving on to the rest of the regions throughout September.

  • Reverend Doctor Proxy commented
    September 11, 2018 19:55

    Unfortunately, creating vlans which span multiple devices is incredibly taxing on routers for networks of this size and expansion rate. At this stage, their equipment may not be able to handle it, however it seems as if they are working hard on it and we must be patient. I too have moved serveral servers from various hosts and will wait as long as it takes for Digitial Ocean to get everything completely operational. I have not been disappointed yet!

  • Thanh Nguyen commented
    September 11, 2018 19:55

    I've moved 2 servers from AWS to Digital Ocean, still waiting for this feature to move some more servers :-)

  • Moisey Uretsky commented
    September 11, 2018 19:55

    Lot of code being written for it this week, hopefully it will be in public beta in the next couple of weeks starting with the NYC2 facility.

    As soon as a more specific ETA becomes clear we'll provide it. =]

  • Thanh Nguyen commented
    September 11, 2018 19:55

    Any update yet?

  • Vincent Duke commented
    September 11, 2018 19:55

    @Morthawt .. Let's say you want to use 1 server as a load balancer/firewall. 2 production web heads and 1 database server. Currently the only IP addresses you have available are public. So all connections will be going out of the local and coming back in utilizing your outbound traffic. And even if they don't count it against your outbound traffic it is still a bit of a performance hit is one of the main issues. Internal network traffic is much faster than going out then back in.

    The Company I presently work for uses a rack-connect/rackspace cloud setup where we have a hardware firewall which only exposes out load-balancer server to the public on a specific port, leaving all the other servers we have in the cluster not available to the public at all. If those other servers had to go out of the network to talk with the load balancer we would lose that control of keeping those servers from being publicly visible. Yes we could setup firewall rules to only allow certain ip's to come through but then it will still eat outbound traffic.

    Hope that helps Mort.

  • Pablo commented
    September 11, 2018 19:55

    There's another thread w/the same request, that has garnered a lot more votes. You should consolidate your votes on that one: http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3020028-private-back-end-network-support

  • Morthawt commented
    September 11, 2018 19:55

    LAN? What will stop someone from sniffing the network in promiscuous mode to capture private traffic?

  • Morthawt commented
    September 11, 2018 19:55

    Can someone please details the benefits and what it actually is? Maybe I am missing something but I don't understand. Back-End Networking?

  • Thanh Nguyen commented
    September 11, 2018 19:55

    @Moisey Uretsky: thanks for the update, waiting for it to be rolled out :-)

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We've rolled out private networking in our staging environment and we're in the process of setting up a new region, NY2 which will be the most likely location that will receive this new feature first. Should be ready for public testing in 4-6 weeks in that region and then rolled out from there.

    Thanks!

  • Alex Pole commented
    September 11, 2018 19:55

    Any time frame on this?

  • Thanh Nguyen commented
    September 11, 2018 19:55

    This topic seems dead?

  • Martin Hlaváč commented
    September 11, 2018 19:55

    ETA? This would allow me and companies i work for to switch to digital ocean.

  • Mathias commented
    September 11, 2018 19:55

    Not having Private IPs is really a deal breaker for us...
    +3 for this

  • Vincent Duke commented
    September 11, 2018 19:55

    Come on guy's at least give us a time line so we know what to do with ourselves... Nothing sucks more than getting a brick wall when obviously we all love your service and want to switch to you as our primary. Just throw us a rough estimated time. If it's a couple weeks great, a few months, a year or two? Just let us know something is being done in regards to this.

  • Thanh Nguyen commented
    September 11, 2018 19:55

    No update yet?

  • Grails Jobs commented
    September 11, 2018 19:55

    Any updates on private IPs to virtual server?

  • Thanh Nguyen commented
    September 11, 2018 19:55

    +1, love to have private IP

  • Eric commented
    September 11, 2018 19:55

    Hi,

    Any update regarding "Private IPs" ?

    Important for us as well!

    Regards
    Eric

  • Dmitry Gorbunov commented
    September 11, 2018 19:55

    It's really important for any kind of serious set-up or even for a simple DB+Server set-up where DB is not visible to outside world. I hope to see it implemented soon.

  • John Fuller commented
    September 11, 2018 19:55

    Keep the updates flowing. ;)

  • Michael commented
    September 11, 2018 19:55

    I cannot stress how critical this is for me! ETA please?

    Also, when you say "[...] like other providers there will be visibility on the private network between virtual servers of different customers." How secure will this private network be? I'm okay with being able to directly ping/connect to/see other people's servers (and having my server visible), but I want to ensure that when I connect to a computer on the private LAN that it's a direct connection and that other servers will not be able to discover/snoop on the direction connection. In other words, I'm okay with my server(s) being discoverable to others, but I want to make sure that if I send data from one server to another server on the private LAN, other servers cannot see/intercept it.

  • Geovanny Junio commented
    September 11, 2018 19:55

    ETA please!

  • Nikhil Lanjewar commented
    September 11, 2018 19:55

    Like everyone else on this thread, even I badly need private IPs. Could we please have an ETA for this?

  • Anonymous commented
    September 11, 2018 19:55

    Just another idea, use IPv6 for private addressing. As long as your network core can support it, you could use fc00::/7 which was reserved by IANA see RFC 4193. Disable IPv4 for the internal networking on all the switches and routers. Now you have enough IPs for everyone.

  • Anonymous commented
    September 11, 2018 19:55

    The day this comes out I move from my current host to digital ocean. This is a game changer for me. An ETA would be helpful!

  • Vincent Duke commented
    September 11, 2018 19:55

    ETA???? This is a world changer for me!

  • Vojtech Kolacek commented
    September 11, 2018 19:55

    I'd also love to hear some news about this feature...

  • Anonymous commented
    September 11, 2018 19:55

    Indeed - I also need this feature. +3

  • Eugen Oprea commented
    September 11, 2018 19:55

    Any news about when this is going to be available? I am keen to move to you guys, but I need this feature.

  • Vincent Duke commented
    September 11, 2018 19:55

    New customer, Just signed up today and was not away of this limitation. Was just about to set me up an HAPROXY server like I do on my rackspace account and discovered this. +infinity to this feature. Would love to know when we can expect to have that local network up. Impossible to setup a viable cluster without it! Any timelines on the release on this? Keep rockin

  • Jean Paul Val commented
    September 11, 2018 19:55

    Please provide us with the private network ASAP, we really need an eth1 10.x.x.x interface, forget about the VLANs if it's making a delay on this feature. The lack of a private network is making imposible for to migrate to DigitalOcean.

    Also I hope that the intra server communication (Bandwith) to be free as in the Rackspace cloud.

    Thanks.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    The issue with VLANs is hard limitations on switching/networking equipment. Many vendors claim that they support X amount of VLANs but in practice as you begin to actually assign them and get them into production environments the real number of support VLANs vs claimed can greatly differ.

    We are also looking into a software based solution as well which would accomplish the same thing, but we may default to a private open network that is hidden from the net for all customers and then if customers have a large number of VMs and want more flexibility we can provide a customer VLAN though there will probably be a cost associated with it, since if we got the straight hardware route there are datacenter/pod limitations that are fixed.

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Even thought I would prefer to have a vlan even with a small group of servers, it seems fair, to offer vlans for accounts with many servers, if offering a vlan reflects in costs for you.

    Another option is to simply charge if one wants a private vlan.

    I would definetely pay for that as that could simplify a bit our development - we could use local network discovery to find peer servers, use zeromq in a safer way

  • Felipe Martín commented
    September 11, 2018 19:55

    It's a great idea. I was going to start a VPN network for my severs but this will fit just fine.
    The VLAN option you suggested will be available only to customers with a lot of servers?

  • Moisey Uretsky commented
    September 11, 2018 19:55

    The implementation that we are working towards will be a private network that isn't visible to the net however like other providers there will be visibility on the private network between virtual servers of different customers.

    So send us your feedback on this implementation as it's still in the early stages of being rolled out.

    We've also discussed adding some vlan support in the future for customers that have a large number of virtual servers (25-50+) that want to segment them further, where we can roll out a vlan to the customer and they can just assign any kind of private IPs they want in any kind of format.

  • Nicholas Kourtzis commented
    September 11, 2018 19:55

    If this is implemented the right way, it will mean no more need for VPNs between servers!

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Awesome!

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We are moving this request to "started" which means we are now beginning the work on rolling this feature out.

    We should have a clearer ETA on this next week when we've had a chance to deploy a few related items and see how they begin to play out in the cloud.

    Thanks!

  • Benjamin commented
    September 11, 2018 19:55

    Badly need this :)

  • Jasdeep Singh commented
    September 11, 2018 19:55

    An update would be much appreciated. I started using digital-ocean and was about to deploy a couple apps. Bummer! No Private IP's.

    Considering going back to Linode now.

  • Geovanny Junio commented
    September 11, 2018 19:55

    Any updates on that? My business is growing and I need a more structured solution with frontend and backend servers.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We are investigating opening up a new engineering tab inside of the CP and also making it public which will discuss our public roadmap so customers can see all of the items that we are currently working on, what is planned next, and ETAs that can be adjusted as the scope of work changes or if other items become a priority ahead of the prior items that were listed.

    That will hopefully make it clearer when new features are going to be launched for everyone.

    Thanks

  • Adam commented
    September 11, 2018 19:55

    It says estimate is a month about 10 months ago, any status ?

  • hareemca commented
    September 11, 2018 19:55

    Any ETA that can be shared with us regarding the implementation of this feature

  • Koert commented
    September 11, 2018 19:55

    +1

  • Chome Hosting commented
    September 11, 2018 19:55

    I'm eagerly awaiting this. Any news on implementation yet?

  • Moisey Uretsky commented
    September 11, 2018 19:55

    I think the majority of the issues that AWS ran into in the US region has been related to EBS, but I could be mistaken.

  • Haakon commented
    September 11, 2018 19:55

    Also waiting for this, but in the Amsterdam location.

    Off topic (and don't take this too seriously folks): Why would anyone use the US location anyway? Look at the AWS status history, and you'll see that they've had several MAJOR outages in the US, but none in the EU region. Too many thunderstorms and nature disasters happening all the time in the US. We'll never run a critical solution from a US datacenter ;) We used to do so, but when both Heroku, Amazon and MongoHQ went down at the same time because of the weather, we moved everything to Ireland. No trouble since then...

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We are currently not charging for data transfer and then when we roll out private networking you will need to update your configs to communicate over the private IPs so that you aren't charged for that traffic.

  • Anonymous commented
    September 11, 2018 19:55

    Is this in place already (transfer between 2 droplets on same datacenter)? I have been confirmed by support about this just know, is it in place?
    If one droplet is front end layer and second is MySql for example, I will need to connect to MySql via public IP (remote) and hope the speed will no decrease and I will not be charged, please confirm.

    Thanks and keep up the good work.
    R.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We use the free version of UserVoice so we don't have the ability to merge topics =]

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We will be making a bit announcement in late April and right now this is tentatively scheduled to be part of that announcement.

    We'll have a more concrete answer whether or not it makes it in by around April 15-20th.

    Thanks!

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    are there updates on that?

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Shouldn't this be merged with the private backend network sugestion?

  • Anonymous commented
    September 11, 2018 19:55

    Any updates?

  • Miles Smith commented
    September 11, 2018 19:55

    +1 for an update!

  • Moisey Uretsky commented
    September 11, 2018 19:55

    Sorry meant to say there will be no charges for transfers =]

  • Chome Hosting commented
    September 11, 2018 19:55

    Moisey Uretsky wrote: "There will be no transfers between virtual servers in the same datacenter after we introduce private networking ....."

    I hope you worded that wrong. Because the way you said it appears to suggest that servers in the same data center will no longer be able to communicate with each other, which would be ridiculous.

  • Kaidesa commented
    September 11, 2018 19:55

    Also requesting an update on this request. As mentioned previously, this is the only thing keeping me from moving quite a few of my projects over to Digital Ocean. Really looking forward to when this becomes a possibility.

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Any updates on that?

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Right now it's not viable to use digitalocean for mid to large projects because of that, LAN is a requirement if you have couple droplets working together (load balancer + app server + database)

  • Mustafa Uysal commented
    September 11, 2018 19:55

    Yeah, this feature will be great. Generally HA softwares need to private network.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    Still in the works hopefully 1-2 months.

  • Gustavo Gawryszewski commented
    September 11, 2018 19:55

    Do you have any updates on that?

  • Jonathan Tittle commented
    September 11, 2018 19:55

    Just as a general note, most providers charge for transfer incurred from one DC to the next due to the same reasoning Moisey provided.

    The only instance where transfer wouldn't be charged is if the DC owned both locations and laid fiber between networks to provide private networking capabilities. Some do, some don't, though for a provider that operates out of a DC and doesn't physically own the DC, the costs to provide such would be rather substantial and would severely slow progression to new DC's.

    I'm all for transfer between same-location droplets being free, though transfer between DC's should, of course, be billed at normal rates, in the event the user surpasses their limits.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    Good call on the private only server.

    As for the private customer VLANs we have been looking into it but looking to size the networking gear appropriately given limitations on total number of supported VLANs.

  • Josh Frye commented
    September 11, 2018 19:55

    Even better still would be to create private vlans per user account so internal ips are restricted to only the guests you own.

  • Josh Frye commented
    September 11, 2018 19:55

    Along side of this feature it would be nice to be able to decline a public ip also. For backend services (mysql, redis, etc) there's no need to expose a public ip. This would save you guys some ip addresses (and money) and secure the boxes a little bit knowing they can only be accessed by other guests running within the ny1 zone.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    As we've grown and expanded our current public infrastructure running the public cloud we've seen what networking issues arose which is allowed us to gather more information and make a better determination on how to roll out the private network.

    We would ideally like to get this implemented in the next 2-3 months and it will most likely get rolled out in the NYC datacenter first as a beta deployment.

  • Kaidesa commented
    September 11, 2018 19:55

    I know this has only been a planned feature for about five months now, and stuff like this takes time to plan and implement, but is there any update that can be given as to the status of this request?

  • Josh Frye commented
    September 11, 2018 19:55

    +1

  • Moisey Uretsky commented
    September 11, 2018 19:55

    Unless there is dark fiber between the two facilities the traffic will be traversing public transit pipes which would incur fees.

    Dark fiber can get quite expensive especially when the two locations are remote datacenters across very large geographic distances.

  • Paulo Scardine commented
    September 11, 2018 19:55

    This should be easier to setup than VPNs between droplets, serve the same purpose. Also, I do think it is fair to charge the normal rate for traffic between datacenters.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    There will be no transfers between virtual servers in the same datacenter after we introduce private networking but transfers between datacenters would still incur a bandwidth fee due to being publicly routed.

  • Luis Azedo commented
    September 11, 2018 19:55

    please add a way to connect LANs in different datacenter. a backend server in amsterdam should be able to connect to another server in NY.

  • Santhan commented
    September 11, 2018 19:55

    Sometimes we need to migrate data between droplets and using a local network would be better.

  • Geovanny Junio commented
    September 11, 2018 19:55

    Excellent. Looking forward to the announcement. [2]

  • Kaidesa commented
    September 11, 2018 19:55

    This is really the only thing that's currently keeping me from fully adopting DigitalOcean as my provider of choice. Everything else you guys provide is excellent, especially considering the low cost of the droplets.

    A private LAN would allow people who employ proper architecture to set up multiple web servers and database machines for horizontal scaling without needing to worry about security holes from leaving all of their virtual machines exposed to the public. This, in my eyes, should be one of your top priorities, as i'm fairly certain I'm not the only one with these sort of requirements.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We'll be rolling out private backend networking as soon as we've reviewed the network topology a bit further.

    We've had great growth the last couple of months and we are in the process of upgrading our core network in the US region after completing the same upgrade in our AMS region after which we'll be able to see the best direction for moving forward.

    Thanks

  • Kenn Ejima commented
    September 11, 2018 19:55

    Moisey, as you guys have started charging for bandwidth, this feature - unmetered VLAN - has become a priority, I think. For mid-to-high-end database servers, constant 100Mbps (1TB per day) is the norm, not the exception.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We're doing a core network upgrade in our US region after which we will be able to see what kind of local area topology we're going to roll out

  • Kenn Ejima commented
    September 11, 2018 19:55

    We've just passed mid-January - any updates on this?

  • Eric commented
    September 11, 2018 19:55

    Excellent. Looking forward to the announcement.

  • Moisey Uretsky commented
    September 11, 2018 19:55

    Absolutely, we are in the middle of a large update to the backend infrastructure which we will be announcing in mid-January 2013.

    After that the next backend feature that will be getting primary attention will most likely be private backend connectivity.

  • Eric commented
    September 11, 2018 19:55

    Are you still moving forward with this?

  • Moisey Uretsky commented
    September 11, 2018 19:55

    We're going to be adding private IPs to the virtual servers - we'll be making the announcement on twitter and the blog.

    At this point the rough estimate is about a month.

    Thanks