
DigitalOcean VPC - SudoAlex
https://blog.digitalocean.com/vpc-trust-platform/
======
freedomben
I'm glad they plugged their outbound network transfer fees compared to the
others[1]. I was shocked and horrified when my AWS bill (which I pay myself)
quadrupled due to outgoing network transfer fees. It's truly outrageous what
they charge. I use Digital Ocean a lot now simply to avoid nasty surprises
like that. I hope AWS and Google change that.

[1] https://blog.digitalocean.com/its-all-about-the-bandwidth-why-many-network-intensive-services-select-digitalocean-as-their-cloud/

~~~
echelon
$0.01/GB is fantastic, but I have a bandwidth intensive ML media application
and don't know how to monetize or sell it quickly enough to pay for my
bandwidth costs.

Is there a cloud or dedicated server farm with even cheaper outbound
bandwidth?

Edit: as much as I hate Oracle, their first 10TB is free, and each GB after
that is $0.0085/GB. Better...

~~~
oefrha
If you’re okay with servers located in Germany, Hetzner is a provider I can
vouch for and they offer additional egress at 1EUR/TB. 20TB included, too.
(Billing has been rather painful, though.)

~~~
muststopmyths
Can you elaborate why billing is a pain point ? thanks.

~~~
oefrha
Could not set up auto-charging, had to visit the billing portal once a month
and manually initiate a Paypal or credit card transaction. Probably okay if
you’re a company, not so convenient for an individual with a side project (at
least I prefer set and forget).

That was two years ago though, maybe it has improved.

~~~
enlyth
This is only the case with PayPal, if you switch to credit card it auto
charges you

~~~
oefrha
Hmm, weird, I believe I switched from credit card to PayPal at some point and
there was no auto-charging prior to that either. Anyway, happy to be
corrected.

------
treebornfrog
Got to love DO.

Simple pricing, nothing hidden, not the most feature rich ecosystem, but I get
no billing surprises.

Source: customer for 3 years.

~~~
napolux
I've been a DO client since the beginning. Can anyone tell me how they compare
to Linode?

~~~
dom96
DO has so far been very good at keeping my CC details safe. Can't say the same
for Linode
([https://news.ycombinator.com/item?id=5552756](https://news.ycombinator.com/item?id=5552756)).

------
nerdbaggy
I find some of the limits weird
[https://www.digitalocean.com/docs/networking/vpc/](https://www.digitalocean.com/docs/networking/vpc/)

\- VPC network ranges cannot overlap with the ranges of other networks in the
same account. (Edit: Does this mean each VPC in the account has to have a non
overlapping subnet?)

\- Resources do not currently support multiple private network interfaces and
cannot be placed in multiple VPC networks.

\- Not being able to change the VPC connected to stuff without taking a
snapshot

~~~
t3rabytes
Pretty standard? Taking AWS for example:

\- You can do this, but it's highly discouraged since it means no VPC peering
if you ever need that.

\- Can't do this at all with network interfaces; it's all via VPC peering.

\- Can't change the VPC after an instance has been created, you have to take a
snapshot and relaunch it.

~~~
nerdbaggy
Interesting, didn’t know that about AWS. I'm more familiar with the Google
Cloud version of VPC. Seems the DO implementation is more like the AWS version.

~~~
troutwine
For what it's worth VPC ranges are allowed to overlap in GCP -- and do by
default -- but then you aren't able to peer them. I kind of prefer the DO/AWS
constraint.

~~~
Legogris
No such constraint in AWS.

~~~
troutwine
I misremembered. Thanks for the clarification.
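
As an added example of the constraint discussed in this sub-thread (this is not DigitalOcean's or AWS's code, and the four sample ranges are constructed for illustration): a small Python check that flags overlapping ranges in a proposed set of VPC CIDRs, reports which pairs could still be peered, and carves fresh non-overlapping ranges out of a parent block while skipping ranges already in use. The `ipaddress` module does the real work; `strict=True` makes it reject a CIDR with host bits set, the same way a provider API would.

```python
"""Overlap and peerability checks for a set of VPC CIDR ranges.

Added example, not code from DigitalOcean or AWS. It models the two
behaviours discussed above: DO rejects overlapping ranges within an
account, AWS accepts them but cannot peer two VPCs whose ranges overlap.
"""
import ipaddress
from itertools import combinations

# Constructed sample: four proposed VPC ranges for one account.
SAMPLE_VPCS = [
    "10.10.0.0/16",    # prod
    "10.10.128.0/17",  # staging, accidentally carved out of prod's range
    "10.20.0.0/16",    # dev
    "172.16.0.0/12",   # legacy
]


def parse_cidr(cidr):
    """Parse a CIDR strictly: '10.10.0.5/24' (host bits set) raises
    ValueError, which is the same input a provider's API would refuse."""
    return ipaddress.ip_network(cidr, strict=True)


def find_overlaps(cidrs):
    """Return every pair of ranges that overlap, as (a, b) strings."""
    nets = [parse_cidr(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def can_peer(cidr_a, cidr_b):
    """Two VPCs can be peered only if no address is ambiguous between them."""
    return not parse_cidr(cidr_a).overlaps(parse_cidr(cidr_b))


def allocate_vpcs(parent, prefixlen, count, in_use=()):
    """Carve `count` non-overlapping /prefixlen ranges out of `parent`,
    skipping any block that overlaps a range already in use."""
    used = [parse_cidr(c) for c in in_use]
    out = []
    for block in parse_cidr(parent).subnets(new_prefix=prefixlen):
        if len(out) == count:
            break
        if any(block.overlaps(u) for u in used):
            continue
        out.append(str(block))
    if len(out) < count:
        raise ValueError(f"only {len(out)} free /{prefixlen} blocks in {parent}")
    return out


def validate_account(cidrs):
    """DO-style rule: any overlap is a hard error for the whole account."""
    overlaps = find_overlaps(cidrs)
    return {"ok": not overlaps, "overlaps": overlaps}


if __name__ == "__main__":
    print(validate_account(SAMPLE_VPCS))
    for a, b in combinations(SAMPLE_VPCS, 2):
        print(f"{a:>16} <-> {b:<16} peerable={can_peer(a, b)}")
    print(allocate_vpcs("10.0.0.0/8", 16, 3, in_use=SAMPLE_VPCS))
```

Run against the sample set, `validate_account` fails on the prod/staging pair only; every other pair remains peerable, and the allocator hands back `10.0.0.0/16`, `10.1.0.0/16` and `10.2.0.0/16` because the first block it would otherwise consider that collides with an existing range is `10.10.0.0/16`.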

------
jrockway
Do they talk at all about what they're using to provide the VPC overlay? I
have a DO k8s cluster and it uses Cilium for the CNI, which turns out to be
quite useful, so I guess I'm wondering if they're also using Cilium for this.

(Over in AWS land, they wrote a CNI for their own VPC networking. It turns out
to have many strange limitations. For example, you can only run 17 pods on a
certain type of node, because that node is only allowed to have 19 VPC
addresses. I was quite surprised when pods stopped scheduling even though CPU
and memory were available. Turns out internal IP addresses are a resource,
too. DigitalOcean has the advantage of starting fresh, so might be able to use
something open source that can be played with in a dev environment and
extended with open source projects.)

~~~
dilyevsky
A better way of doing natively addressable pods is to assign whole subnets
(like a /25) as a secondary interface and distribute that to pods via CNI. I
think the GKE pod network works that way. Not sure why EKS decided 17 pods is
ok lol

------
nerdbaggy
Why don’t most VPC providers offer IPv6? Is there some kind of implementation
issue with it, or just that you don’t need it.

~~~
judge2020
When you're using a private network v4 address exhaustion doesn't matter much
and the simplicity of only 4 octets helps with IP memorability and simplicity.
I would still prefer a v6 option though, as keeping private networks on v4
might be contributing to the slow adoption of v6.

~~~
wmf
Life sure would be easier if "cloud native" meant IPv6-only (except the load
balancer) with non-overlapping unique addresses everywhere. 10/8 doesn't go
far if you give each VM a /24 and each k8s cluster a /16.

~~~
llama052
What network are you running where you're giving each virtual machine a /24?
That's insane.

10/8 should go very far if you do it correctly, hence why it's in use in
almost all internal networks.

~~~
KaiserPro
Kubernetes, because for whatever reason people are suspicious of using DHCP
provided by the VPC.

------
GordonS
DigitalOcean seem to be slowly but surely becoming a "cloud provider", rather
than a "VPS provider" - it's really great to see some attractively priced
alternatives to Azure/AWS/GCP!

I was wondering if DO publish some kind of roadmap? I'd really like to know
what else they plan on delivering over the next year or so?

------
flyinprogrammer
Not being able to reassign, delete, or change the cidr of the default VPC is
going to be a problem for most folks. Looking forward to the next release
where this is fixed, and the fact that we have day 1 support for Terraform is
awesome!

~~~
riffic
> day 1 support for Terraform

VPC support on DigitalOcean was soft-launched almost a month ago:

[https://www.digitalocean.com/docs/networking/vpc/quickstart/](https://www.digitalocean.com/docs/networking/vpc/quickstart/)

https://www.reddit.com/r/digital_ocean/comments/g1hkhu/digitalocean_quietly_launched_vpc_networks_last/

------
radimm
All I'm missing now is ability to provision droplet without public IP. Sure I
can disable the interface, but in VPC I really don't want publicly accessible
resources except well defined entry points.

------
MaxBarraclough
Aside: I got curious about their web video player. Turns out it's hosted using
a service called Wistia. Their 'about us' video is fantastic.
[https://wistia.com/about-wistia](https://wistia.com/about-wistia)

------
JakeAl
They must be great, my servers are constantly receiving hack attempts from
Digital Ocean IPs.

~~~
SteveNuts
Does this mean that prior to this change, without a software firewall
running, you'd be vulnerable to attacks on the private network from other
customers? (I've never used DO).

~~~
kitotik
Yes.

They also will automatically enable a private network interface for you if you
use their Floating IP feature. This caught me by surprise when I found out the
hard way :)

~~~
riffic
That sounds suspiciously like an anchor IP address and not an actual private
network interface:

https://www.digitalocean.com/docs/networking/floating-ips/

~~~
kitotik
Ahh you are completely correct. It caused issues for me as it added a new
interface that my firewalls knew nothing about.

------
apple4ever
Oh this is really cool!! I've been wanting them to do this for a few years,
glad they finally did. It has some quirks (have to clone to add to an existing
VM) but it's at least a great start!

One thing I want to do is setup a VPN tunnel from my home network and lock
everything else down. Wasn't possible before but it is now with this.

~~~
arcticfox
I did this with Tailscale and it was super slick

------
graham-web
This is nice, but Kubernetes already does enough in that department for our
needs.

Given that now “Security and customer trust are at the core of what we do”, it
would be nice if they could fix the massive oversight in their Spaces offering
where every API key has full access to all spaces/buckets.

~~~
dynamite-ready
Didn't know that... I'm running a personal project on DO, so don't have many
keys, but that's good to know.

I also wish they'd add the feature to turn DO Spaces into a static server,
like most other cloud providers.

------
te_chris
I didn't realise they offered Kubernetes as a managed service. Will seriously
evaluate when our GCS credits are getting closer to running out. VPC, Kube and
managed DB is all we need (and Terraform providers).

~~~
MaxBarraclough
According to [0] there were serious security problems with their managed
Kubernetes in the early days. May since have been fixed.

[0]
[https://news.ycombinator.com/item?id=22490390](https://news.ycombinator.com/item?id=22490390)

~~~
te_chris
Yikes - only 60 days ago! Thanks.

------
pqdbr
When are you going to have a datacenter in Brazil? We don't mind if we have to
pay more than your listed prices for other locations. We know Brazil is more
expensive. Just do it already.

~~~
unixhero
Can confirm, existing cloud providers I worked with in Brazil were not very
good. My clients insisted on using them because of their billing setup with
local payment processors (pagseguro).

------
dynamite-ready
I'd have been more interested if it could be made to work across regions... I
also thought private network addresses had been available on DO for a while
now.

~~~
casperb
Yes, they had private networking. Now with VPCs it is basically multiple
‘private networks’ within one account. As mentioned in the article.

------
AtomicOrbital
[https://console.hetzner.cloud/](https://console.hetzner.cloud/) has had a
free VPC for a while ... great alternative to the aws offering ... looking
forward to changing my scale up/down devops code currently on aws to work for
any private network ... trying to avoid cloud vendor lock in

------
shrumm
This is great - any word on supporting internal IP load balancers on
Kubernetes? From what I've read, unlike GKE, AKS etc., all Kubernetes services
exposed via load balancer get a public IP. I'd like to keep internal services
locked to internal-only networks like what you're proposing with this VPC
feature.
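
An added example for the concern in this comment (not code from DigitalOcean or any other provider): a Python audit that walks parsed Service manifests and lists every `type: LoadBalancer` Service that would be given a public address on a given provider. The annotation keys for GKE and AKS are the documented internal-load-balancer annotations and are assumed current; the sample manifests are constructed. A provider with no entry in the table, which is the DO situation described above, has no way to request an internal LB, so every LoadBalancer Service is flagged unless it is on the explicit allowlist of intended entry points.

```python
"""Audit Kubernetes Services for load balancers that would get a public IP.

Added example, not from any cloud provider. A Service of type LoadBalancer
is treated as public unless it carries the provider's internal-LB
annotation. The GKE and AKS keys below are the documented ones (assumed
current); "digitalocean" deliberately has no entry, matching the comment
above that every LB Service there gets a public IP.
"""

INTERNAL_LB_ANNOTATIONS = {
    "gke": [
        ("networking.gke.io/load-balancer-type", "internal"),
        ("cloud.google.com/load-balancer-type", "internal"),  # older key
    ],
    "aks": [("service.beta.kubernetes.io/azure-load-balancer-internal", "true")],
}

# Constructed sample manifests, already parsed (as `kubectl get svc -o json`
# would return them, trimmed to the fields the audit needs).
SAMPLE_SERVICES = [
    {"metadata": {"name": "web", "annotations": {}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "metrics",
                  "annotations": {"networking.gke.io/load-balancer-type": "Internal"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "db", "annotations": {}},
     "spec": {"type": "ClusterIP"}},
    {"metadata": {"name": "admin",
                  "annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}},
     "spec": {"type": "LoadBalancer"}},
]


def is_internal(service, provider):
    """True if the Service carries an internal-LB annotation that `provider`
    honours. Values are compared case-insensitively ("Internal" vs "internal")."""
    anns = service.get("metadata", {}).get("annotations") or {}
    for key, value in INTERNAL_LB_ANNOTATIONS.get(provider, []):
        if str(anns.get(key, "")).lower() == value:
            return True
    return False


def public_load_balancers(services, provider, allowlist=()):
    """Names of Services that would be given a public address on `provider`,
    excluding an allowlist of Services that are meant to be public."""
    flagged = []
    for svc in services:
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue  # ClusterIP / NodePort never provision a cloud LB
        name = svc["metadata"]["name"]
        if name in allowlist or is_internal(svc, provider):
            continue
        flagged.append(name)
    return flagged


if __name__ == "__main__":
    for provider in ("gke", "aks", "digitalocean"):
        print(provider, "public LBs:",
              public_load_balancers(SAMPLE_SERVICES, provider, allowlist=("web",)))
```

The same manifest set audits differently per provider: on GKE only `admin` is unexpectedly public (its annotation is the AKS one), on AKS only `metrics`, and on a provider with no internal-LB option both are, which is exactly the gap the comment above is asking DigitalOcean to close.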

------
jzer0cool
I'm just learning here about the cheaper outbound network fees - I'm always
afraid of the outbound costs due to any spike of traffic.

Could anyone here share some other benefits to using DO? Or any particular
Must Have's on a particular cloud provider?

------
terrywang
Cloud Firewall, VPC, glad to see useful features added.

Personal experience with DO: I've been a happy DO customer for the past 7
years [1]. Linux VM uptime [2] record has been amazing for my personal use case.

This week I migrated the droplet hosting my personal website (5/m) from
DigitalOcean to Amazon Lightsail (3.5/m plan). The trigger was that the Ubuntu
LTS upgrade to 20.04 again failed to boot on the first few attempts (wasted
quite some time in a chroot trying to fix it, to no avail, without access to
the hypervisor - IaaS...), mainly because of the way DO's flavour of KVM
(hypervisor) works (I am not the only one); my other VPS (e.g. 123Systems -
KVM) worked well and never had the same problem, let alone Xen powered VMs
(EC2, self-hosted XenServer, etc. - I know hypervisors well because I've worked
for XenSource/Citrix on XenServer for several years).

Customer (technical) support quality has dropped over the last few years, I
can tell the difference by comparing the last 2 support tickets, I don't want
to guess the root cause, sigh...

Finally I have had enough (4th time down with an upgrade); it's time to move on
to something better without paying more. Migration is made easy by the way
workloads are deployed (mostly containerized, thanks to Docker/Docker Compose).
Lightsail, in addition to the AWS name/brand, has the advantage that the
Lightsail VMs can be moved into AWS EC2 instances so as to leverage
full-fledged AWS infra (e.g. VPC, etc.) seamlessly.

Over the years, low end VPS competition has become much tougher (DO, Linode,
Vultr, Amazon Lightsail late to the game but a powerful strike, etc.). DO has
lost its key competencies for bang for the buck, without offering a 2.5~3.5/m
plan on par with competitors.

Last but not least, I'll definitely still consider DO as an option when cloud
infrastructure is needed ;-)

BTW: On Oracle, my Oracle Cloud free tier trial ended miserably. 2 weeks after
provisioning the VMs, Cockpit (I run it on my home NAS, managing/monitoring a
small group of cloud VPS using the web UI) reported connection failed, only to
find that my account had been terminated without any warning or notification,
along with my 2 free VMs based in Phoenix. Lucky that I didn't actually put
any workload on them (left them running only - feeling something was gonna
happen...). Contacted support and was told the account was deleted, no reason
given, and was redirected to customer support (My Oracle Support; I couldn't
figure out how that works, so gave up...). I still don't understand how Oracle
Cloud login works...

[1]: https://pbs.twimg.com/media/EWhuECEUEAEJ5gV?format=jpg

[2]: https://pbs.twimg.com/media/EVSbMKmU0AAEg58?format=jpg

------
davidu
Very happy DigitalOcean customer for 4+ years. Great to see this, too.

------
quezzle
The value of DigitalOcean used to be simplicity.

VPC isn’t simple.

