Set Up a Private VPC Network

Create a private network to enable secure communication between your servers without exposing traffic to the internet.

intermediate
8 min read
LightYear Docs Team
Updated April 24, 2026
Tags: vpc, private-network, networking, security

Networking Topology Diagram

A VPC (Virtual Private Cloud) network allows your servers to communicate over a private, isolated network without traffic traversing the public internet. This is essential for database servers, internal APIs, and multi-tier application architectures.

Step 1 — Create a VPC Network

  1. Navigate to Networking → VPC Networks.
  2. Click Create VPC Network.
  3. Select a region (servers must be in the same region to join the same VPC).
  4. Enter a CIDR block (e.g., 10.0.1.0/24 for up to 254 hosts).
  5. Enter a description (e.g., production-backend).
  6. Click Create.

Step 2 — Attach Servers to the VPC

  1. Navigate to Servers → Your Server → Settings.
  2. Under VPC Networks, click Add Network.
  3. Select your VPC network.
  4. Click Save.

The server will be assigned a private IP from the VPC CIDR range (e.g., 10.0.1.10).

Step 3 — Verify Private Connectivity

From one server, ping another server's private IP:

>_BASH
$ ping 10.0.1.11
OUTPUT
PING 10.0.1.11 (10.0.1.11) 56(84) bytes of data.
64 bytes from 10.0.1.11: icmp_seq=1 ttl=64 time=0.312 ms
64 bytes from 10.0.1.11: icmp_seq=2 ttl=64 time=0.298 ms

The sub-millisecond latency confirms traffic is flowing over the private network.

Step 4 — Configure MySQL to Listen on Private IP

On your database server, edit the MySQL configuration:

>_BASH
$ nano /etc/mysql/mysql.conf.d/mysqld.cnf
INI
[mysqld]
bind-address = 10.0.1.11
>_BASH
$ systemctl restart mysql

Grant access to the application server's private IP:

>_BASH
$ mysql -u root -p
SQL
CREATE USER 'appuser'@'10.0.1.10' IDENTIFIED BY 'SecurePassword!';
GRANT ALL PRIVILEGES ON myapp.* TO 'appuser'@'10.0.1.10';
FLUSH PRIVILEGES;

Step 5 — Update Firewall Rules

On the database server's firewall group, add a rule to allow MySQL only from the private network:

Protocol  Port  Source       Description
TCP       3306  10.0.1.0/24  MySQL from VPC

Remove any public-facing MySQL rules.

[!IMPORTANT] Never expose MySQL, PostgreSQL, or Redis ports to the public internet. Always use private networking for inter-server database connections.
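
A host-side check for Steps 4 and 5, as an added example (not LightYear's own code): it parses `ss -H -ltn` output and flags MySQL, PostgreSQL, or Redis listeners that are bound to all interfaces or to an address outside the VPC CIDR. The sample `ss` output is constructed, and the helper names `classify` and `audit_listeners` are hypothetical.

```python
import ipaddress

# Ports named in this guide's warning: MySQL, PostgreSQL, Redis.
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 151  10.0.1.11:3306  0.0.0.0:*
LISTEN 0 511    0.0.0.0:6379  0.0.0.0:*
LISTEN 0 244  127.0.0.1:5432  0.0.0.0:*
LISTEN 0 128    0.0.0.0:22    0.0.0.0:*
LISTEN 0 511       [::]:6379     [::]:*
"""

def classify(host, vpc):
    """Return 'ok' or a reason string for one local listen address."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "listening on all interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "listening on all interfaces"
    if addr.is_loopback or addr in vpc:
        return "ok"
    return f"bound to {addr}, outside VPC range {vpc}"

def audit_listeners(ss_output, vpc_cidr):
    """Return (service, local_address, reason) for each risky DB listener."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # 4th column is Local Address:Port
        if not port.isdigit() or int(port) not in DB_PORTS:
            continue  # not one of the database ports we care about
        verdict = classify(host, vpc)
        if verdict != "ok":
            findings.append((DB_PORTS[int(port)], fields[3], verdict))
    return findings

if __name__ == "__main__":
    for service, local, reason in audit_listeners(SAMPLE_SS, "10.0.1.0/24"):
        print(f"FAIL {service} {local}: {reason}")
```

On a real server, pass the output of `ss -H -ltn` in place of the sample and use your own VPC CIDR.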

VPC Best Practices

  • Use separate VPC networks for different environments (production, staging, development)
  • Assign meaningful CIDR blocks that do not overlap (e.g., 10.0.1.0/24 for prod, 10.0.2.0/24 for staging)
  • Document your network topology — a simple diagram saves hours of debugging
