Any other digital ocean server in the same datacenter can hit your private IP.

Would you consider that to be a big enough risk to not deploy production apps in their environment? I.e. having your app on 1 droplet and a dedicated db on another. I'm new to ops and trying to learn all that I can :)

I do this in prod, you just need to take extra steps to protect. i.e. make a firewall rule on the database to only allow access to the database port on your private network card, from your specific web IPs (and make sure the traffic is encrypted).

I'd probably create static ARP entries as well.

Thanks for the info!

It's private as in only for customers (not exposed to the internet), not private as in only for you.