How to configure production Droplet on DigitalOcean

intermediate 8 min read Updated 2026-03-13
Quick Answer

Create a DigitalOcean Droplet from the control panel or the doctl CLI, using Ubuntu 18.04 or later and SSH keys for authentication, with IPv6, monitoring, backups, and VPC networking enabled. Use a cloud-config user data script to set up a secure non-root user. Apply a cloud firewall to the Droplet's tag to control inbound traffic.

Prerequisites

  • DigitalOcean account
  • SSH key pair generated locally
  • Basic command line knowledge
  • Familiarity with cloud concepts
  • Text editor for user data script

Step-by-Step Instructions

1. Generate and Upload SSH Keys

Before creating your Droplet, generate an SSH key pair on your local machine using ssh-keygen -t ed25519 -C "your_email@example.com". Copy the public key content from ~/.ssh/id_ed25519.pub and upload it to your DigitalOcean account via the control panel under Security > SSH Keys > Add SSH Key.
Use ed25519 keys for better security and performance over older RSA keys.

2. Start Droplet Creation in Control Panel

Log into the DigitalOcean control panel, click Create in the top right, then select Droplets to open the creation page. Popular defaults are pre-selected, but customize as needed for production use.

3. Choose Region and Image

In Choose Region, select the datacenter nearest to you and your users for minimal latency. Under Choose an image, select the OS tab and pick the latest Ubuntu 22.04 LTS (or 18.04 as specified in some guides) for a stable production base.
Check region availability for features like backups before deciding.

4. Configure Networking and Features

In VPC Network, choose the default VPC. Under the recommended and advanced options, enable IPv6, Monitoring, and backups. Also check Advanced Options for user data so that a cloud-config script runs on first boot.
Backups add 20% to monthly cost but enable point-in-time recovery.

5. Set Up User Data Cloud-Config Script

In the user data textbox, paste a cloud-config script customized with your desired non-root username (e.g., replace youruser):

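#cloud-config
users:
  - name: youruser
    # Passwordless sudo: the SSH key is the only credential protecting root
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: sudo
    shell: /bin/bash
    ssh_authorized_keys:
      # Replace with the full contents of your public key file from step 1
      - ssh-rsa AAAAB3NzaC1yc2E... your_key_here
    # Lock the account password so it cannot be used to log in
    lock_passwd: true
# Refresh the package index and apply pending upgrades on first boot
package_update: true
package_upgrade: true
packages:
  - ufw
runcmd:
  # Allow SSH before enabling the firewall so access is not cut off
  - ufw allow OpenSSH
  - ufw --force enable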

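This creates a sudo user, adds your SSH key, disables password login for that user (lock_passwd: true), and sets up a basic firewall. The first line must be exactly #cloud-config, or cloud-init will not process the file as cloud-config.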

Save this script locally as user-data.yaml for CLI reuse.
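
A pre-flight check for the user-data.yaml from this step, as an added example that is not part of the original guide: it verifies the #cloud-config header, rejects tab indentation, and decodes each ssh_authorized_keys entry to confirm the blob matches the declared key type. The function names are hypothetical and the sample inputs are constructed.

```python
import base64
import struct


def make_blob(key_type, key_bytes):
    """Build an OpenSSH public-key blob (constructed test data, not a real key)."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name
    raw += struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(raw).decode()


def blob_key_type(b64):
    """Return the algorithm name stored inside a base64 public-key blob."""
    raw = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode("ascii")


def lint_user_data(text):
    """Return problems that would stop cloud-init or block key-based login."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].rstrip() != "#cloud-config":
        findings.append("line 1 is not '#cloud-config'")
    in_keys = False
    for no, line in enumerate(lines, 1):
        body = line.lstrip()
        if "\t" in line[:len(line) - len(body)]:
            findings.append(f"line {no}: tab used for indentation")
        if body.startswith("ssh_authorized_keys:"):
            in_keys = True
        elif in_keys and body.startswith("- "):
            fields = body[2:].split()
            try:
                if len(fields) < 2 or blob_key_type(fields[1]) != fields[0]:
                    findings.append(f"line {no}: key type and blob disagree")
            except (ValueError, struct.error):
                findings.append(f"line {no}: key blob is malformed")
        elif body and not body.startswith("#"):
            in_keys = False  # any other key ends the authorized-keys list
    return findings


if __name__ == "__main__":
    # Constructed sample: header lost its '#', placeholder key left in place.
    sample = "cloud-config\nusers:\n  - name: youruser\n    ssh_authorized_keys:\n      - ssh-rsa AAAAB3NzaC1yc2E... your_key_here\n"
    for finding in lint_user_data(sample):
        print(finding)
```

An empty list means the file passed these checks; it does not replace a full YAML parse.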

6. Configure Authentication and Tags

In Authentication, select SSH keys and choose your uploaded keys. The user data script will propagate them to the non-root user. In Tags, add a descriptive tag like webserver for firewall rules. Set Quantity to 1 unless load balancing.
Tags enable applying firewalls to groups of Droplets efficiently.

7. Create the Droplet

Review settings including plan size (recommend s-2vcpu-2gb minimum for production), then click Create Droplet. Monitor the progress bar; the Droplet is ready when it shows an IP address (1-2 minutes).
Click 'Create via command line' for copyable doctl or cURL commands.

8. Alternative: Create with doctl CLI

Install doctl, authenticate with a personal access token, save your user-data file, then run:
doctl compute droplet create my-droplet --tag-names webserver --image ubuntu-22-04-x64 --region nyc3 --size s-2vcpu-2gb --ssh-keys your:key:fingerprint --user-data-file ./user-data.yaml --enable-ipv6 --enable-monitoring --enable-backups
Replace placeholders with your values.
Use doctl compute ssh-key list to get fingerprints.

9. Create Cloud Firewall

Click Create > Cloud Firewalls. Name it (e.g., 'webserver-firewall'), add inbound rules for SSH (TCP 22), HTTP (80), HTTPS (443) from appropriate sources, and apply to Droplets with your tag (e.g., webserver).
Start restrictive: only allow SSH from your IP, then open web ports.
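
An added example (not from the original guide) that audits inbound rules against the "start restrictive" advice above by listing every source range outside your admin networks that can reach SSH. The rule dictionaries are assumed to follow the inbound_rules shape of DigitalOcean's firewall API (protocol, ports, sources.addresses, with ports "0" meaning all ports); RULES, ADMIN_NETS and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: web ports are public, but SSH is public too.
RULES = [
    {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    {"protocol": "tcp", "ports": "80", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
]
# Assumption: the networks you administer from (documentation address range).
ADMIN_NETS = ["203.0.113.10/32"]


def covers_port(ports, port):
    """True if a ports string ("22", "8000-9000", "0" for all) includes port."""
    if ports == "0":
        return True
    low, _, high = ports.partition("-")
    return int(low) <= port <= int(high or low)


def ssh_exposure(rules, admin_nets, port=22):
    """Return source CIDRs that can reach `port` but lie outside admin_nets."""
    allowed = [ipaddress.ip_network(n) for n in admin_nets]
    exposed = []
    for rule in rules:
        if rule["protocol"] != "tcp" or not covers_port(rule["ports"], port):
            continue
        for cidr in rule.get("sources", {}).get("addresses", []):
            src = ipaddress.ip_network(cidr)
            # subnet_of() only compares networks of the same IP version.
            if not any(src.version == a.version and src.subnet_of(a)
                       for a in allowed):
                exposed.append(cidr)
    return exposed


if __name__ == "__main__":
    for cidr in ssh_exposure(RULES, ADMIN_NETS):
        print(f"SSH reachable from {cidr}")
```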

10. Verify and Connect

Get the Droplet IP from the control panel. Connect as your non-root user: ssh youruser@droplet-ip. Run sudo ufw status and sudo systemctl status ssh to verify setup.

Common Issues & Troubleshooting

SSH connection refused or timeout

Verify SSH key uploaded correctly and selected during creation. Check if firewall blocks port 22. Ensure you're connecting to public IP as non-root user created in user-data.

Droplet creation fails or stuck on progress bar

Check account credits/billing. Verify region/image availability. Try different region or basic plan size. Review API rate limits if using doctl.

'Permission denied' on SSH

Confirm public key matches private key used locally. Regenerate if fingerprint mismatch. Check user-data script properly added key to authorized_keys.

User data script not running

Validate YAML syntax (indentation critical). Use doctl compute droplet-action power-off/on to trigger cloud-init rerun. Check /var/log/cloud-init-output.log after SSH access.

Firewall blocks web traffic after setup

Edit cloud firewall rules to allow TCP 80/443 from 0.0.0.0/0. Verify Droplet tagged correctly and firewall applied. Test with curl -I http://droplet-ip.
