VPC & private network

Every project on Metalhost is a single VPC — one private layer-2 network that all of the project's VMs share. There's nothing to create or wire up: the VPC is provisioned automatically with your first VM, and every VM you launch afterward joins it.

One project, one VPC

We deliberately keep this simple. A project is a network boundary, so there's exactly one VPC per project and you don't manage a separate list of networks, route tables, or gateways. VMs in the same project can reach each other over a private IPv4 /24 the moment they boot. VMs in different projects are fully isolated — there's no cross-project private traffic.

• Private IPv4 /24 — each VM gets a stable private address that persists across stop/start, restart, and resize.
• Auto-provisioned — the first VM in a fresh project provisions the VPC; that's part of why the first launch takes a little longer.
• Isolated — no traffic crosses between projects, ever.

East-west traffic (VM ↔ VM)

By default, any VM in the project can talk to any other VM over the private network on any port. That's the friendly default for getting started. When you want to lock it down — say, only let your app tier reach your database on 5432 — you attach security groups. A VM with no security groups talks freely; the moment it has one, it's default-deny on the private NIC except for what its groups allow.

Reaching the internet

Public connectivity is configured per VM, not on the VPC:

• Public IPv6 — every VM gets a free, routable IPv6 address unless you mark it private-only. See Public IPv6.
• Public IPv4 — optional, billed per address, opt-in at create time. See Public IPv4.
• Inbound from the internet is gated by the per-VM firewall (default-deny, SSH seeded).
• Outbound works even with no public IP — a private-only VM still reaches the internet (apt, package fetches, API calls) through NAT.

Where to see it

Settings → Networks shows the VPC for each of your projects: its datacenter, private subnet, and state. It's a read-only survey — there's nothing to configure, since one-per-project is the whole model.

Disks and file shares

Block disks and file shares live in the same project + datacenter as the VMs that use them. A disk attaches to VMs in its project; a file share mounts from any VM in the project over the private network.

What's next

• Security groups — segment east-west traffic.
• Firewall rules — gate inbound from the internet.
• Public IPv6 & Public IPv4.
• Go SDK — Network.