Firewalls Limits

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.

  • You can have a maximum of 10 Droplets per firewall and 5 tags per firewall. If you have more than 10 Droplets that need the same firewall, tag the Droplets, then add that tag to the firewall.

  • Each firewall can have up to 50 total incoming and outgoing rules.

  • You cannot apply cloud firewalls to load balancers.

  • Firewalls affect both public and VPC network traffic. Rules specific to either must specify the public or private IP range.

  • Firewalls only support ICMP, TCP, and UDP.

  • Firewalls block traffic at the network layer before that traffic reaches your resources. Because of this, traffic logs are not available.

  • Adding new rules to a firewall will not terminate existing connections.

  • Firewall rules are limited to 1000 entries in the Sources or Destinations field. To filter more than 1000 IPs, use tags or network ranges instead of listing individual IPs. More information is available in How to Configure Firewall Rules.

  • DigitalOcean uses DHCP on port 67 to configure networking for Droplets using custom images. If you put a Droplet created from a custom image behind a firewall, including a DIgitalOcean Cloud Firewall, you need to create an outbound UDP rule that opens port 67.