DigitalOcean Pocket Book

DigitalOcean Pocket Book — Uplatz

50 deep-dive flashcards • Wide layout • Fewer scrolls • 20+ Interview Q&A • Readable code examples

Section 1 — Fundamentals

1) What is DigitalOcean?

DigitalOcean is a developer-friendly cloud provider offering simple, affordable compute (Droplets), managed Kubernetes, databases, storage, networking, and serverless. It focuses on ease of use, predictable pricing, and fast provisioning — great for startups, SMBs, prototypes, and indie projects.

# Install CLI
brew install doctl
doctl auth init

2) Why DigitalOcean? Core Strengths & Tradeoffs

Strengths: simplicity, transparent pricing, quick setup, global data centers, managed services. Tradeoffs: fewer enterprise bells/whistles than hyperscalers, smaller region footprint, limited proprietary analytics. Mitigate with open-source tooling and multi-cloud-friendly designs.

# List regions, sizes
doctl compute region list
doctl compute size list

3) Account, Teams & Projects

Group resources into Projects with access via Teams. Use separate projects for environments (dev/stage/prod). Apply tags for billing, automation, and cleanup scripts.

# Tag resources
# doctl takes one --tag-name per call; create the tag first if it does not exist
doctl compute tag create prod
doctl compute droplet tag web-1 --tag-name prod
doctl compute droplet tag web-1 --tag-name web

4) Droplets (VMs)

Droplets are virtual machines with different plans: Basic, CPU-Optimized, Memory-Optimized, Premium AMD/Intel. Cloud-init user data supports bootstrapping. Snapshots/backups provide recovery.

doctl compute droplet create web-1 \
  --region nyc3 --size s-1vcpu-2gb --image ubuntu-22-04-x64 \
  --ssh-keys <fingerprint>

5) DO vs Hyperscalers

DO is lean and focused: fast to learn, excellent docs, stable pricing. Hyperscalers offer more managed analytics/ML and global services. Choose DO for web apps, APIs, small data, cost control; go hyperscaler for complex enterprise ecosystems.

# Compare instance hourly cost in billing dashboard

6) Images & Marketplace

Start from base images or Marketplace apps (LEMP, WordPress, Docker, OpenVPN). Create custom images from snapshots or upload via external URLs.

doctl compute image list-distribution
doctl compute image list-application

7) Access & SSH

Use SSH keys, disable password login, restrict root via sudo. Add keys at account level or per Droplet. Rotate keys and audit access regularly.

ssh root@<droplet-ip>
adduser deploy && usermod -aG sudo deploy

8) Pricing & Billing

Per-hour pricing with monthly caps, predictable bandwidth allocations, and flat fees for managed services. Monitor invoices, set alerts, and tag resources for spend tracking.

# Estimate monthly costs by size x hours + storage + egress

9) API & Terraform

Automate via REST API, doctl, and Terraform provider. Codify infrastructure for reproducibility, review, and rollback.

terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

10) Q&A — “When to choose DO over others?”

Answer: When speed, simplicity, and cost predictability matter more than a vast catalog of niche services — e.g., web apps, APIs, micro-SaaS, MVPs, and startups watching burn rate.

Section 2 — Networking, Security & Delivery

11) VPC & Private Networking

Each project can have one or more VPCs. Droplets in the same VPC communicate via private IPs. Use VPC for isolation, internal services, and reduced egress cost.

# the VPC name is passed as a flag, not a positional argument
doctl vpcs create --name my-vpc --region lon1 --ip-range 10.10.0.0/16

12) Firewalls

Managed firewall rules apply to Droplets by tags. Restrict inbound to 80/443 and limit 22 to known admin addresses; allow outbound only as needed. Apply least privilege throughout.

# --name is required; SSH is limited to an admin CIDR rather than 0.0.0.0/0,
# and outbound must be allowed explicitly (no outbound rules means no egress)
doctl compute firewall create --name web-fw \
  --inbound-rules "protocol:tcp,ports:22,address:<admin-cidr> protocol:tcp,ports:80,address:0.0.0.0/0 protocol:tcp,ports:443,address:0.0.0.0/0" \
  --outbound-rules "protocol:tcp,ports:all,address:0.0.0.0/0" \
  --tag-names web

13) Load Balancers

Managed L4/L7 load balancers support HTTPS termination, sticky sessions, health checks, and Let's Encrypt certificates. Attach by Droplet tags.

# an https entry rule needs a certificate_id; --redirect-http-to-https enforces TLS at the edge
doctl compute load-balancer create \
  --name app-lb --region fra1 \
  --forwarding-rules "entry_protocol:https,entry_port:443,target_protocol:http,target_port:3000,certificate_id:<cert-id>" \
  --health-check "protocol:http,port:3000,path:/health" \
  --redirect-http-to-https \
  --tag-name web

14) Floating IPs

Reserve static public IPs that can be reassigned across Droplets for failover or blue/green deployments. Keep DNS aligned to reduce cutover time.

doctl compute floating-ip assign <ip> <droplet-id>

15) DNS & Domains

Use DO DNS to manage records. Automate A/AAAA/CNAME/TXT entries and ACME challenges. Keep TTLs reasonable for rollouts.

doctl compute domain create example.com
doctl compute domain records create example.com --record-type A --record-name @ --record-data <ip>

16) Certificates

Provision free certificates and attach to load balancers or App Platform. Automate renewals; enforce HTTPS redirects.

doctl compute certificate create --type lets_encrypt --name www-cert --dns-names "example.com,www.example.com"

17) CDN & Caching

Enable CDN on Spaces (object storage) for global acceleration. Add cache rules and versioned assets. Consider App Platform edge caching for static content.

# Toggle CDN for a Space via control panel or API

18) NAT Gateways & Egress

For private-only Droplets that pull updates from the internet, route egress through a NAT instance in the VPC (or let only the load balancer face the internet). Monitor egress usage and costs.

# Use a tiny NAT droplet with iptables/ufw rules in the VPC

19) Observability Endpoints

Keep /health and /ready endpoints for load balancers and uptime checks. Return clear JSON and proper status codes.

{"ok":true,"uptime":123,"version":"1.2.3"}

20) Q&A — “LB vs Floating IP?”

Answer: Use an LB for scaling, SSL offload, and health checks. Floating IPs swap traffic to one VM quickly but don’t provide distribution or TLS termination.

Section 3 — Compute, Containers, Storage & Data

21) App Platform (PaaS)

Deploy from Git or container images with autoscaling, SSL, rollbacks, and zero-downtime deploys. Good default for simple apps and APIs.

# app.yaml snippet
name: my-app
services:
  - name: web
    github:
      repo: org/repo
      branch: main
    run_command: "npm start"

22) Kubernetes (DOKS)

Managed Kubernetes with control plane included. Node pools, autoscaling, integrated load balancers, CSI for volumes, and Container Registry integration.

doctl kubernetes cluster create my-eks \
  --region ams3 --version 1.29.0-do.0 --node-pool "name=apps;count=3;size=s-2vcpu-4gb"

23) Registry

Private container registry hosted by DO. Authenticate via doctl/docker and bind to DOKS or App Platform for seamless pulls.

doctl registry create my-reg
doctl registry login
docker tag app registry.digitalocean.com/my-reg/app:1.0

24) Functions (Serverless)

Event-driven functions with per-request billing. Great for hooks, scheduled jobs, and lightweight APIs. Bundle minimal dependencies.

doctl serverless install
doctl serverless deploy .

25) Volumes (Block Storage)

Attach SSD volumes to Droplets for persistent storage. Resize online, snapshot regularly, and mount with fstab.

doctl compute volume create data-1 --size 100GiB --region sfo3

26) Spaces (Object Storage)

S3-compatible object storage with optional CDN. Use for static assets, backups, and logs. Manage via S3 SDKs or s3cmd.

s3cmd --configure
s3cmd put dist/* s3://my-space/

27) Managed Databases

Fully managed PostgreSQL, MySQL, Redis. Automated backups, PITR (PG), metrics, and one-click read replicas. Restrict to VPC and rotate credentials.

doctl databases create mydb --engine pg --num-nodes 1 --region nyc3

28) Backups & Snapshots

Enable Droplet backups for weekly restore points; use snapshots for ad hoc images and cloning. Store critical backups offsite in Spaces.

doctl compute droplet-action snapshot <id> --snapshot-name pre-deploy

29) Images & Builds

Bake base images with hardened configs (CIS), preinstalled agents, and app dependencies. Keep images updated and rebuild monthly.

#cloud-config
# cloud-init user-data must start with the #cloud-config line to be applied
package_update: true
packages: [nginx, fail2ban]

30) Q&A — “App Platform vs DOKS?”

Answer: App Platform for simplicity and managed deployments. DOKS when you need Kubernetes flexibility, custom operators, or multi-service meshes.

Section 4 — CI/CD, Security, Monitoring & SRE

31) CI/CD Pipelines

Use GitHub Actions/GitLab CI with doctl, registry pushes, and App Platform deploy hooks. Keep environments as code and promote via tags.

- name: Deploy
  run: doctl apps create-deployment <app-id>

32) Secrets Management

Store secrets in App Platform, DOKS (sealed-secrets/external-secrets), or environment variables restricted to VPC services. Rotate keys regularly.

kubectl create secret generic app-secrets --from-literal=DB_URL=...

33) OS Hardening

Harden Droplets: automatic security updates, firewall/ufw, fail2ban, non-root users, SSH key-only access, and minimal packages. Audit with Lynis.

ufw allow 22,80,443/tcp
ufw enable

34) Monitoring & Alerts

Enable DO Monitoring agent for CPU, RAM, disk, network. Set alerts for thresholds and outages. Export to Prometheus/Grafana if on DOKS.

# Install metrics agent from control panel or cloud-config

35) Logs

Ship logs to Spaces, external providers, or ELK/OpenSearch. For DOKS, deploy fluent-bit/Vector DaemonSets with index lifecycle policies.

helm repo add fluent https://fluent.github.io/helm-charts
helm install fluent-bit fluent/fluent-bit -n logging --create-namespace

36) SLOs & Dashboards

Define latency/error-rate SLOs and visualize with Grafana or App Platform metrics. Alert on burn rates and budget thresholds.

SLO: p99 < 300ms, error_rate < 1%

37) Resilience & HA

Spread across multiple Droplets/regions where needed; use LBs, health checks, and managed DB read replicas. Test failover and restore runbooks.

# Simulate failure and verify auto-healing actions

38) Security Scans

Scan images and Droplets for CVEs (Trivy, Grype), keep packages updated, and track SBOMs. Automate scans in CI and block deploys on high severity.

trivy image registry.digitalocean.com/my-reg/app:1.0

39) Compliance & Backups

Meet policy requirements with regular snapshots, offsite backups to Spaces, encryption in transit/at rest, and access logs. Document RTO/RPO.

RPO: 4h, RTO: 30m — verify quarterly

40) Q&A — “Best way to ship secrets?”

Answer: Avoid baking secrets into images. Use App Platform env vars, DOKS secrets with encryption, or external secret managers; rotate and limit scope per environment.

Section 5 — Operations, Cost, Troubleshooting & Interview Q&A

41) Cost Controls

Right-size Droplets, use Basic plans for dev, shut down idle resources, leverage App Platform autoscaling, and cache with Spaces+CDN to reduce egress.

# Find large volumes/images/snapshots for cleanup

42) Governance

Enforce naming/tagging conventions, per-project access, and least-privilege API tokens. Use audit logs, SSO (where available), and PR reviews for IaC changes.

doctl auth init --context ci-deploy

43) Incident Response

Maintain runbooks: isolate Droplet, rotate keys, restore from snapshot, scale via LB. Postmortem with blameless culture and remediation items.

doctl compute droplet-action power-off <id>

44) Migration & Imports

Migrate from other clouds via snapshots, rsync, or container images. For DBs, use managed import tools and logical replication where supported.

# pg_dump needs the source database as an argument
pg_dump <source-postgres-uri> | psql <managed-do-postgres-uri>

45) Troubleshooting Playbook

Check health checks, LB status, Droplet metrics, journal logs, firewall rules, DNS TTLs, and TLS expiration. Roll back using snapshots or App Platform previous deploy.

journalctl -u app.service --since "10 min ago"

46) Performance Tips

Enable keep-alive, HTTP/2, compression; pool DB connections; use Redis/edge caching; pin CPU-Optimized for consistent compute; profile hot endpoints.

# Nginx gzip/brotli + caching headers

47) Reliability Patterns

Graceful shutdown, readiness gates, retries with jitter, circuit breakers, idempotency keys, and blue/green rollouts via LB + tags.

# Example: drain connections before shutdown

48) Production Checklist

  • SSH keys & firewalls locked down
  • LB health checks & SSL certs auto-renew
  • Backups/snapshots & restore tested
  • Monitoring & alerting on SLOs
  • IaC with tags & peer review
  • Cost dashboard & budget alerts

49) Common Pitfalls

No VPC isolation, open SSH to the world, forgetting backups, oversizing Droplets, ignoring egress costs, and manual snowflake servers. Fix with policies, automation, and reviews.

50) Interview Q&A — 20 Practical Questions (Expanded)

1) Why choose DigitalOcean? Simplicity, speed, and predictable pricing for web apps and startups.

2) Droplet vs App Platform? Control vs convenience; VM flexibility vs managed PaaS.

3) How to load balance? Managed LB with health checks, SSL, sticky sessions.

4) Secure a Droplet? SSH keys only, ufw, updates, non-root users, fail2ban.

5) DOKS advantages? Managed control plane, easy node pools, DO integration.

6) Spaces usage? Static assets, backups, logs; S3-compatible + CDN.

7) Managed DB benefits? Backups, updates, replicas, metrics, high availability.

8) Blue/green strategy? Two tagged Droplet groups behind LB + Floating IP fallback.

9) Cost optimization tips? Right-size, auto-scale, clean snapshots, use CDN.

10) Secrets handling? App Platform env vars, K8s secrets, rotation.

11) Backups vs snapshots? Automated schedule vs manual point-in-time images.

12) VPC benefits? Isolation, private traffic, reduced egress, security.

13) Registry role? Stores private images for App Platform/DOKS.

14) Monitoring setup? DO agent, alerts, Grafana/Prometheus on DOKS.

15) Incident response steps? Isolate, roll back, restore, rotate, postmortem.

16) Terraform best practices? Modules, workspaces, tags, state backend.

17) Scaling read traffic? LB + caching + DB read replicas.

18) CI/CD pattern? Build, scan, push to registry, deploy via doctl.

19) Multi-region? Replicate components, DNS failover, data strategy.

20) Observability must-haves? Logs, metrics, traces, SLOs, alerts, dashboards.