DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.
DigitalOcean Cloud Firewalls are available at no additional cost.
Cloud firewalls are available in every region. A cloud firewall’s rules can include Droplets from any data center.
Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. Firewalls can be host-based, which are configured on a per-server basis using services like IPTables or UFW. Others, like DigitalOcean Cloud Firewalls, are network-based and stop traffic at the network layer before it reaches the server.
You can apply cloud firewall rules to individual Droplets, but a more powerful option is to use tags. Tags are custom labels that you can apply to Droplets and other DigitalOcean resources. When you add a tag to a firewall, any Droplets with that tag are automatically included in the firewall configuration.
You can have a maximum of 10 Droplets per firewall and 5 tags per firewall. If you have more than 10 Droplets that need the same firewall, tag the Droplets, then add that tag to the firewall.
Each firewall can have up to 50 total incoming and outgoing rules.
You cannot apply cloud firewalls to load balancers.
Firewalls affect both public and VPC network traffic. Rules specific to either must specify the public or private IP range.
Firewalls support only ICMP, TCP, and UDP.
Firewalls block traffic at the network layer before that traffic reaches your resources. Because of this, traffic logs are not available.
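To make the points above concrete, here is an added example (not DigitalOcean's own code or documentation) that assembles a firewall request body applied by tag and checks it against the limits this page states: 10 Droplets and 5 tags per firewall, 50 rules in total, and ICMP/TCP/UDP only. The JSON field names follow the author's understanding of the DigitalOcean API's firewall payload, and the 10.10.0.0/16 VPC range is a constructed sample.

```python
import ipaddress

# Limits and protocol set come from the page; request field names follow the
# DigitalOcean API's POST /v2/firewalls payload as the author understands it.
ALLOWED_PROTOCOLS = {"icmp", "tcp", "udp"}
MAX_DROPLETS, MAX_TAGS, MAX_RULES = 10, 5, 50
VPC_RANGE = "10.10.0.0/16"  # constructed sample private range, not a real VPC


def rule(protocol, ports=None, addresses=(), direction="in"):
    """One rule; addresses go under 'sources' (inbound) or 'destinations' (outbound)."""
    body = {"protocol": protocol}
    if ports is not None:  # ICMP rules carry no port
        body["ports"] = ports
    key = "sources" if direction == "in" else "destinations"
    body[key] = {"addresses": list(addresses)}
    return body


def build_firewall(name, tags=(), droplet_ids=(), inbound=(), outbound=()):
    return {"name": name, "tags": list(tags), "droplet_ids": list(droplet_ids),
            "inbound_rules": list(inbound), "outbound_rules": list(outbound)}


def validate(fw):
    """Return a list of problems; empty means the spec respects the page's limits."""
    problems = []
    rules = fw["inbound_rules"] + fw["outbound_rules"]
    if len(fw["droplet_ids"]) > MAX_DROPLETS:
        problems.append("more than %d Droplets: tag them and add the tag" % MAX_DROPLETS)
    if len(fw["tags"]) > MAX_TAGS:
        problems.append("more than %d tags" % MAX_TAGS)
    if len(rules) > MAX_RULES:
        problems.append("more than %d rules in total" % MAX_RULES)
    for r in rules:
        if r["protocol"] not in ALLOWED_PROTOCOLS:
            problems.append("unsupported protocol %r" % r["protocol"])
        for addr in r.get("sources", r.get("destinations", {})).get("addresses", []):
            ipaddress.ip_network(addr)  # raises ValueError on a malformed CIDR
    # Hygiene check: SSH reachable from the whole internet instead of the VPC only
    for r in fw["inbound_rules"]:
        if r.get("ports") == "22" and "0.0.0.0/0" in r["sources"]["addresses"]:
            problems.append("SSH open to 0.0.0.0/0; restrict it to the VPC range")
    return problems


# Sample spec: SSH from the VPC only, HTTPS and ping from anywhere, outbound open.
WEB_FIREWALL = build_firewall(
    "web", tags=["web"],
    inbound=[rule("tcp", "22", [VPC_RANGE]), rule("tcp", "443", ["0.0.0.0/0", "::/0"]),
             rule("icmp", None, ["0.0.0.0/0", "::/0"])],
    outbound=[rule("tcp", "1-65535", ["0.0.0.0/0", "::/0"], "out"),
              rule("udp", "53", ["0.0.0.0/0", "::/0"], "out")])
```

Because the firewall is attached by the `web` tag, any Droplet later given that tag inherits these rules without the firewall itself being edited.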
On Kubernetes 1.19 and later, we provision two fully managed firewalls for each new Kubernetes cluster. One firewall manages connections between worker nodes and the control plane, and the other manages connections between worker nodes and the public internet.
For more information, see all Cloud Firewalls release notes.