Intermediate
How to configure a production Droplet on DigitalOcean
Quick Answer
Create a DigitalOcean Droplet using the control panel or doctl CLI with Ubuntu 18.04 or later, SSH keys for authentication, enable IPv6, monitoring, backups, and VPC networking. Use a cloud-config user data script to set up a secure non-root user. Apply a cloud firewall with the Droplet's tag for inbound traffic control.
Prerequisites
- DigitalOcean account
- SSH key pair generated locally
- Basic command line knowledge
- Familiarity with cloud concepts
- Text editor for user data script
1
Generate and Upload SSH Keys
Before creating your Droplet, generate an SSH key pair on your local machine using ssh-keygen -t ed25519 -C "your_email@example.com". Copy the public key content from ~/.ssh/id_ed25519.pub and upload it to your DigitalOcean account via the control panel under Security > SSH Keys > Add SSH Key.
Tip
Use ed25519 keys for better security and performance over older RSA keys.
2
Start Droplet Creation in Control Panel
Log into the DigitalOcean control panel, click Create in the top right, then select Droplets to open the creation page. Popular defaults are pre-selected, but customize as needed for production use.
3
Choose Region and Image
In Choose Region, select the datacenter nearest to you and your users for minimal latency. Under Choose an image, select the OS tab and pick the latest Ubuntu 22.04 LTS (or 18.04 as specified in some guides) for a stable production base.
Tip
Check region availability for features like backups before deciding.
4
Configure Networking and Features
In VPC Network, choose the default VPC. In recommended and advanced options, enable IPv6, Monitoring, and Enable backups. Also check Advanced Options for user data to run a cloud-config script on first boot.
Tip
Backups add 20% to monthly cost but enable point-in-time recovery.
5
Set Up User Data Cloud-Config Script
In the user data textbox, paste a cloud-config script customized with your desired non-root username (e.g., replace youruser):
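#cloud-config
# The "#cloud-config" header above must be the very first line of the file.
users:
  - name: youruser
    # The password is locked below, so sudo has to work without one.
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: sudo
    shell: /bin/bash
    ssh_authorized_keys:
      # Paste the full single-line contents of your public key file here.
      - ssh-rsa AAAAB3NzaC1yc2E... your_key_here
    lock_passwd: true
# Refresh the package index and apply pending upgrades on first boot.
package_update: true
package_upgrade: true
packages:
  - ufw
runcmd:
  # Allow SSH before enabling the host firewall so the session is not cut off.
  - ufw allow OpenSSH
  - ufw --force enable
This creates a sudo user, adds your SSH key, locks the user's password so it cannot be used to log in, and sets up a basic firewall.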
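A pre-flight check for the script above, as an added example that is not part of the original tutorial. The function name lint_user_data and the sample file are constructed for illustration; it catches the header, tab and key mistakes that stop cloud-init from applying the file.

```sh
#!/bin/sh
# Added example: pre-flight lint for user-data.yaml (standard tools only).
# lint_user_data FILE prints one line per problem and returns 1 if any exist.
lint_user_data() {
  f="$1"; rc=0
  fail() { echo "FAIL: $1"; rc=1; }

  # cloud-init only parses the file as cloud-config when line 1 is this header.
  [ "$(head -n 1 "$f" | tr -d '\r')" = "#cloud-config" ] ||
    fail "first line must be exactly #cloud-config"

  # YAML forbids tab indentation; one stray tab invalidates the document.
  if grep -q "$(printf '\t')" "$f"; then fail "tab character found"; fi

  # The tutorial's script locks the password; flag a copy that turns that off.
  if grep -Eq 'lock_passwd:[[:space:]]*false' "$f"; then
    fail "lock_passwd is set to false"
  fi

  # Collect list items that look like OpenSSH public keys.
  keys=$(grep -E '^[[:space:]]*-[[:space:]]+ssh-' "$f" |
         sed -E 's/^[[:space:]]*-[[:space:]]+//')
  [ -n "$keys" ] || fail "no SSH public key found"

  # The base64 blob starts with the encoded key type, so the two must agree.
  while read -r type blob rest; do
    case "$type" in
      ssh-ed25519) want=AAAAC3NzaC1lZDI1NTE5 ;;
      ssh-rsa)     want=AAAAB3NzaC1yc2E ;;
      *) continue ;;   # other key types are not checked here
    esac
    case "$blob" in
      *...*)    fail "$type key is still a truncated placeholder" ;;
      "$want"*) ;;
      *)        fail "$type key blob does not match its declared type" ;;
    esac
  done <<EOF
$keys
EOF
  return "$rc"
}

# Constructed sample: header pasted without '#', key left as the placeholder.
demo=$(mktemp)
printf '%s\n' 'cloud-config' 'users:' '  - name: youruser' \
  '    ssh_authorized_keys:' '      - ssh-rsa AAAAB3NzaC1yc2E... your_key_here' \
  '    lock_passwd: true' > "$demo"
lint_user_data "$demo" || true
rm -f "$demo"
```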
Tip
Save this script locally as user-data.yaml for CLI reuse.
6
Configure Authentication and Tags
In Authentication, select SSH keys and choose your uploaded keys. The user data script will propagate them to the non-root user. In Tags, add a descriptive tag like webserver for firewall rules. Set Quantity to 1 unless load balancing.
Tip
Tags enable applying firewalls to groups of Droplets efficiently.
7
Create the Droplet
Review settings including plan size (recommend s-2vcpu-2gb minimum for production), then click Create Droplet. Monitor the progress bar; the Droplet is ready when it shows an IP address (1-2 minutes).
Tip
Click 'Create via command line' for copyable doctl or cURL commands.
8
Alternative: Create with doctl CLI
Install doctl, authenticate with a personal access token, save your user-data file, then run:
doctl compute droplet create my-droplet \
  --tag-names webserver \
  --image ubuntu-22-04-x64 \
  --region nyc3 \
  --size s-2vcpu-2gb \
  --ssh-keys your:key:fingerprint \
  --user-data-file ./user-data.yaml \
  --enable-ipv6 --enable-monitoring --enable-backups
Replace placeholders with your values.
Tip
Use doctl compute ssh-key list to get fingerprints.
9
Create Cloud Firewall
Click Create > Cloud Firewalls. Name it (e.g., 'webserver-firewall'), add inbound rules for SSH (TCP 22), HTTP (80), HTTPS (443) from appropriate sources, and apply to Droplets with your tag (e.g., webserver).
Tip
Start restrictive: only allow SSH from your IP, then open web ports.
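The same firewall built from the command line, as an added example that is not part of the original tutorial. The function names and the 203.0.113.7/32 admin address are constructed, and the rule strings assume doctl's protocol:...,ports:...,address:... rule format, with ports:0 assumed to mean all ports.

```sh
#!/bin/sh
# Added example: CLI equivalent of the step 9 firewall, scoped by tag.
# build_inbound_rules ADMIN_CIDR prints the value for --inbound-rules:
# SSH from one admin network only, HTTP/HTTPS from any IPv4/IPv6 source.
build_inbound_rules() {
  admin_cidr="$1"
  case "$admin_cidr" in
    ""|0.0.0.0/0|::/0)
      echo "refusing to expose SSH to '$admin_cidr'" >&2
      return 1 ;;
  esac
  any="address:0.0.0.0/0,address:::/0"
  printf 'protocol:tcp,ports:22,address:%s ' "$admin_cidr"
  printf 'protocol:tcp,ports:80,%s ' "$any"
  printf 'protocol:tcp,ports:443,%s' "$any"
}

# Cloud firewalls drop anything not explicitly allowed, including egress, so
# outbound rules are needed for package updates to keep working.
build_outbound_rules() {
  any="address:0.0.0.0/0,address:::/0"
  printf 'protocol:tcp,ports:0,%s ' "$any"   # assumption: 0 = all ports
  printf 'protocol:udp,ports:0,%s ' "$any"
  printf 'protocol:icmp,%s' "$any"
}

create_webserver_firewall() {
  inbound=$(build_inbound_rules "$1") || return 1
  doctl compute firewall create \
    --name webserver-firewall \
    --tag-names webserver \
    --inbound-rules "$inbound" \
    --outbound-rules "$(build_outbound_rules)"
}

# Only touches the account when run as: sh firewall.sh --apply 203.0.113.7/32
if [ "${1:-}" = "--apply" ]; then
  create_webserver_firewall "${2:-}"
fi
```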
10
Verify and Connect
Get the Droplet IP from the control panel. Connect as your non-root user: ssh youruser@droplet-ip. Run sudo ufw status and sudo systemctl status ssh to verify setup.
Troubleshooting
SSH connection refused or timeout
Verify that the SSH key was uploaded correctly and selected during creation. Check whether a firewall blocks port 22. Ensure you're connecting to the public IP as the non-root user created in user-data.
Droplet creation fails or stuck on progress bar
Check account credits/billing. Verify region/image availability. Try a different region or a basic plan size. Review API rate limits if using doctl.
'Permission denied' on SSH
Confirm the public key matches the private key used locally. Regenerate if the fingerprints mismatch. Check that the user-data script properly added the key to authorized_keys.
User data script not running
Validate YAML syntax (indentation is critical). Use doctl compute droplet-action power-off/on to trigger cloud-init rerun. Check /var/log/cloud-init-output.log after SSH access.
Firewall blocks web traffic after setup
Edit cloud firewall rules to allow TCP 80/443 from 0.0.0.0/0. Verify Droplet tagged correctly and firewall applied. Test with curl -I http://droplet-ip.