Skip to content

Network Features

Backend Transfer

All servers within a Project can talk to each other via private RFC1918 address space (e.g. 10.x.x.x), but cannot communicate over private address space with devices outside of that Project. This is also referred to as "backend" networking.

This feature ensures that when you're communicating between servers, you are able to do so in a private / secure manner without needing to worry about establishing VPN tunnels or sending data over the public internet.

The only restriction is that all servers must be within a single project.

Backend transfer within a facility is always free, since no bandwidth leaves the datacenter. When transferring data our global facilities, we have to move that traffic across our network. As such, bandwidth is billed on a usage basis at a reduced rate of $0.03/GB. There are no monthly or other fees associated with Global Backend Transfer - just the cost of sending data between facilities.

In the client portal, browse to the IPs & Networks page, and then the Backend Transfer tab, for the project you wish to enable backend transfer on, and then click the toggle icon in the upper right-hand corner.

enable backend transfer

Backend transfer will be enabled on your project immediately, although you may have to wait up to 1 minute for backend connectivity to be established.


Doorman is a VPN (virtual private network) service that helps to secure traffic between you and your servers for management purposes. This is not a VPN solution between servers for web traffic.

To leverage Doorman, you’ll need to follow the following steps. You will need to have Two Factor Authentication (2FA) enabled via the Equinix Metal app. To enable 2FA, simply log in to the Equinix Metal Portal, then go to "Settings" > "Security" where you will find the option to enable 2FA under Set Up Using an App.

You can use your favorite 2FA app, as long as is supports Time-based One-time Password Algorithm (TOTP) which is an open standard. Example: Google Authenticator, Authy, Duo Security, should all work fine.

Once you have 2FA enabled, a new option will be visible, Equinix Metal Customer VPN.

After you turn it on, you will see the option to download the OpenVPN configuration files for each of Equinix Metal’s facilities.

download VPN configuration

After downloading the config files, you can use them with your preferred app. The login credentials will be:




If the portal password is "pmetal-rocks-2017" and the 2-factor token you generate is "123456", when logging into the VPN, your password would be “123456metal-rocks-2017”.

Once the connection is successful, you will be able to ping your server’s Private IPs, as well as connect via SSH.

ssh root@
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-47-generic x86_64)

Native VLAN

Native VLAN feature enables support for untagged packets when multiple VLANs are configured on the server port.

When multiple VLANs are configured on the server port, the Native VLAN feature allows assigning one of the VLANs as native VLAN, so the packets destined for the native VLAN will always go out as untagged packets. Similarly, when the server port receives packets that are untagged, it will automatically be construed as belonging to native VLAN. This is currently supported only on non-bonded interfaces.

The Native VLAN feature is supported on servers with the 2-port NIC. Upon provisioning, all servers are set to the Layer 3 networking mode by default. The 2-port NIC is configured with a single bond, namely bond0, with both interfaces eth0 and eth1 as members of the bond. Support for this feature on 4-port NIC server such as n2.xlarge.x86 is planned.

Assigning VLANs onto the server, the server network mode needs to be changed to either Layer-2 only on Mixed Layer 2/Layer 3. In the Layer-2 only mode, VLANs can be assigned to either of the interfaces, with one of the VLANs marked as "native". But, in the mixed Layer 2/Layer 3 mode, VLANs can be assigned to only the eth1 interface which is outside of the bond0 interface.

In order to set a VLAN as "native", click on the "Manage"; button next to it and follow the instructions.

assign VLAN

manage VLAN

set to native VLAN

The native VLAN feature is also supported through the API