DigitalOcean Cloud Firewalls don’t block traffic on the Droplet itself; they are stateful, network-level filters that drop unwanted traffic before it ever reaches your Droplet’s network interface. They work alongside, not instead of, any host firewall (ufw, iptables, nftables) you run on the Droplet: a connection has to be allowed by both to get through.

Let’s say you have a Droplet running a web server and you want to allow HTTP and HTTPS traffic. Here’s how you’d set that up.

First, navigate to the "Networking" section in your DigitalOcean control panel and select "Cloud Firewalls." Click "Create Firewall."

You’ll be prompted to give your firewall a name. Let’s call this one my-webserver-firewall.

Now, you’ll configure the inbound rules. This is where you specify what traffic is allowed into your Droplets.

For our web server, we need to allow HTTP (port 80) and HTTPS (port 443).

Under "Inbound Rules," click "Add Rule" and pick a rule type from the dropdown; the presets fill in the protocol and port for you:

  1. Type: "HTTP" (TCP, port 80). Sources: "All IPv4" and "All IPv6" to accept web traffic from anywhere on the internet. If only a particular address or range should reach the server, enter that IP or CIDR here instead.
  2. Type: "HTTPS" (TCP, port 443). Sources: "All IPv4" and "All IPv6."

The create form also starts with a default SSH rule (TCP, port 22) from all sources. Keep it only if you need SSH on this Droplet, and if you do, narrow its sources to your own address rather than leaving it open to the world.

You’ve now allowed inbound HTTP and HTTPS. Everything else inbound is dropped. Cloud Firewalls are pure allow-lists: there are no deny rules and no rule ordering to get wrong, so there is no "deny all" rule to add. The flip side is that anything you do want reachable, SSH included, needs its own explicit rule, so it’s worth pausing here to list what you have not allowed.

Next, you need to apply this firewall to your Droplet(s). Under "Apply to Droplets," select the Droplet(s) you want this firewall to protect. For our example, you’d select your my-webserver-droplet.

You can also configure "Outbound Rules." These control what traffic your Droplet is allowed to initiate out to the internet. For a standard web server, you usually want to allow all outbound traffic so it can fetch updates, reach external APIs, etc.

Under "Outbound Rules," you want three rules. The create form normally pre-populates exactly these, so check that they are present rather than adding duplicates:

  1. Type: "All TCP." Destinations: "All IPv4" and "All IPv6."
  2. Type: "All UDP." Destinations: "All IPv4" and "All IPv6."
  3. Type: "All ICMP." Destinations: "All IPv4" and "All IPv6."

This allows your Droplet to communicate freely outbound.

Once you’ve set up your inbound and outbound rules and applied the firewall to your Droplet, click "Create Firewall."

Now, let’s look at a more complex example. Suppose you want to allow SSH (port 22) but only from your home IP address, and also allow HTTP/HTTPS from anywhere.

You’d create a new firewall, let’s call it ssh-and-web-firewall.

Inbound rules:

  1. Protocol: "SSH" (or TCP, port 22). Sources: Enter your home’s public IP address (e.g., 203.0.113.5/32). This /32 is CIDR notation for a single IP.
  2. Protocol: "HTTP" (or TCP, port 80). Sources: "All IPv4" and "All IPv6."
  3. Protocol: "HTTPS" (or TCP, port 443). Sources: "All IPv4" and "All IPv6."

Outbound rules would likely remain similar to the previous example, allowing all outbound traffic.

You can also use tags to apply firewalls to multiple Droplets at once. If you tag your web server Droplets with webserver, you can select that tag when applying the firewall, and any Droplets with the webserver tag will automatically have this firewall applied. If you later create a new Droplet and tag it webserver, the firewall will be applied automatically.

The real power comes from combining these rules. For instance, you might have a database Droplet that should only accept connections from your application server Droplets.

You’d create a firewall, say db-firewall. Inbound rules:

  1. Protocol: "MySQL" preset (or "Custom," TCP, port 3306). Sources: don’t reach for the VPC’s whole private range here. Cloud Firewall sources can be Droplets or tags as well as addresses, so select the tag your application servers carry (say appserver), or the Droplets themselves. A source of 10.10.0.0/24 admits every Droplet in that VPC, including ones that have nothing to do with the application; a tag admits only the machines you tagged, and a new app server gets access the moment it is tagged. If you do need an address-based rule, use the narrowest CIDR that covers the app servers’ private IPs, which stay fixed for the lifetime of a Droplet.

Apply db-firewall only to the database Droplet (tagging it database and applying by tag works well). The application servers get their own firewall, say app-firewall; if it allows all outbound traffic, as in the examples above, nothing more is needed for them to reach 3306 on the database Droplet’s private IP. Cloud Firewalls are stateful, so the database’s replies come back to the app servers without any inbound rule on their side.
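Here is an added example, not DigitalOcean’s code or part of the original walkthrough, that expresses the three firewalls above (my-webserver-firewall, ssh-and-web-firewall, db-firewall) as the JSON body the DigitalOcean API takes for POST /v2/firewalls, which is also what doctl or the control panel builds for you. It adds a small evaluator that models the allow-list semantics described above (no deny rules, stateful, sources by CIDR or by tag), so you can check offline what a rule set would admit before you click Create, plus a check for inbound rules left open to the world. Assumptions: the tag names webserver, appserver and database and the sample addresses are illustrative; the evaluator reproduces the documented behaviour and is not the platform’s implementation, so it is a pre-flight check, not a substitute for testing against the real firewall.

```python
"""Build DigitalOcean Cloud Firewall specs and check what they would admit.
Added example; models documented semantics, not DigitalOcean's implementation."""
import ipaddress
import json

ANYWHERE = ["0.0.0.0/0", "::/0"]      # what the UI calls "All IPv4" and "All IPv6"
EXPECTED_PUBLIC_PORTS = {"80", "443"}  # the only ports we expect open to the world


def rule(protocol, ports=None, addresses=None, tags=None):
    """One rule in API form. ports is a single port ("22"), a range
    ("8000-9000") or "0" for every port; ICMP rules carry no port.
    Peers here are CIDRs and/or Droplet tags (the API also accepts
    Droplet IDs, load balancers and Kubernetes clusters, not modelled)."""
    r = {"protocol": protocol}
    if protocol != "icmp":
        r["ports"] = ports or "0"
    r["peers"] = {}
    if addresses:
        r["peers"]["addresses"] = list(addresses)
    if tags:
        r["peers"]["tags"] = list(tags)
    return r


def firewall(name, inbound, outbound, tags=()):
    """Assemble the POST /v2/firewalls body: inbound rules name 'sources',
    outbound rules name 'destinations'; 'tags' applies the firewall to
    every Droplet carrying that tag, now and in future."""
    def place(rules, side):
        return [{**{k: v for k, v in r.items() if k != "peers"}, side: r["peers"]}
                for r in rules]
    return {"name": name,
            "inbound_rules": place(inbound, "sources"),
            "outbound_rules": place(outbound, "destinations"),
            "tags": list(tags)}


def _port_matches(spec, port):
    if spec == "0":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matching_rule(fw, direction, protocol, port, peer_ip, peer_tags=()):
    """Return the first rule admitting this packet, or None if it is dropped.
    No deny rules, no ordering: any matching allow rule wins, traffic that
    nothing matches is dropped, and the stateful reply path needs no rule."""
    key, side = (("inbound_rules", "sources") if direction == "inbound"
                 else ("outbound_rules", "destinations"))
    ip = ipaddress.ip_address(peer_ip)
    for r in fw[key]:
        if r["protocol"] != protocol:
            continue
        if protocol != "icmp" and not _port_matches(r["ports"], port):
            continue
        peers = r[side]
        in_cidr = any(ip in ipaddress.ip_network(c, strict=False)   # v4 vs v6 -> False
                      for c in peers.get("addresses", []))
        by_tag = bool(set(peers.get("tags", [])) & set(peer_tags))
        if in_cidr or by_tag:
            return r
    return None


def world_exposed(fw):
    """Inbound TCP/UDP rules open to any address on ports other than 80/443.
    Review this before creating the firewall: SSH or a database port left
    on 'All IPv4' is the classic slip."""
    found = []
    for r in fw["inbound_rules"]:
        if r["protocol"] == "icmp":
            continue
        open_to_all = set(r["sources"].get("addresses", [])) & set(ANYWHERE)
        if open_to_all and r["ports"] not in EXPECTED_PUBLIC_PORTS:
            found.append(f'{r["protocol"]}/{r["ports"]}')
    return found


ALLOW_ALL_OUT = [rule("tcp", "0", ANYWHERE), rule("udp", "0", ANYWHERE),
                 rule("icmp", addresses=ANYWHERE)]
HOME_IP = "203.0.113.5/32"  # /32 = exactly one address (documentation range, constructed)

WEB = firewall("my-webserver-firewall",
               inbound=[rule("tcp", "80", ANYWHERE), rule("tcp", "443", ANYWHERE)],
               outbound=ALLOW_ALL_OUT, tags=["webserver"])
SSH_AND_WEB = firewall("ssh-and-web-firewall",
                       inbound=[rule("tcp", "22", [HOME_IP]),
                                rule("tcp", "80", ANYWHERE), rule("tcp", "443", ANYWHERE)],
                       outbound=ALLOW_ALL_OUT)
# Source by tag, not by VPC CIDR: only Droplets tagged appserver reach 3306.
DB = firewall("db-firewall", inbound=[rule("tcp", "3306", tags=["appserver"])],
              outbound=ALLOW_ALL_OUT, tags=["database"])
# Careless variant (SSH open to the world) for the exposure check.
SLOPPY = firewall("sloppy", inbound=[rule("tcp", "22", ANYWHERE)], outbound=ALLOW_ALL_OUT)

if __name__ == "__main__":
    print(json.dumps(DB, indent=2))
    print("world-exposed in sloppy:", world_exposed(SLOPPY))
```

The same rule set goes into doctl as, for example, `doctl compute firewall create --name db-firewall --inbound-rules "protocol:tcp,ports:3306,tag:appserver" --tag-names database`, with `address:203.0.113.5/32` for an IP source; the JSON above is what gets sent either way. The evaluator’s two useful answers are the negative ones: a home-IP rule rejects the neighbouring address 203.0.113.6, and the database rule rejects a Droplet in the same VPC that lacks the appserver tag.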

A frequent surprise is blocking ICMP (Internet Control Message Protocol). It carries the messages behind ping and traceroute as well as path MTU discovery, so a Droplet with ICMP dropped can’t be pinged and may show odd stalls on large transfers, which makes connectivity troubleshooting harder. Blocking it buys almost nothing: the Droplet’s address is just as discoverable through its open TCP ports. Allowing "All ICMP" inbound and outbound is a sensible default unless a specific requirement says otherwise.

If you can’t SSH into your Droplet after applying a firewall, work through the layers in order. First check the inbound SSH rule: TCP, port 22 (or whatever port sshd actually listens on), with your current public IP as the source; a /32 for an address your ISP has since changed is the usual culprit. Then check the host firewall on the Droplet itself, because a Cloud Firewall rule does nothing if ufw or iptables drops the packet. A locked-out Droplet is still reachable through the Recovery Console in the control panel, so you can fix either one from there. If you connect from a dynamic IP, a VPN or bastion host with a fixed address makes a far better source than a rule you have to keep editing.

Once the firewall is in place, the next thing you’ll likely hit is an application port that isn’t reachable. The same layered check applies: is there a Cloud Firewall rule for that protocol and port from your source, does the host firewall allow it, and is the service actually listening on the Droplet’s address rather than only on 127.0.0.1 (ss -tlnp on the Droplet answers the last one)?
