DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.
You can create a new cloud firewall from the control panel, the API, or the CLI.
To create a firewall from the control panel, use the firewall creation page.
To create a firewall from the API, use the
To create a firewall from the CLI, use doctl compute firewall create.
When you create a firewall, you need to specify its name, its inbound and outbound rules, and which Droplets the firewall rules apply to.
Inbound firewall rules define what traffic to allow to the server, on which ports, and from which sources. If you do not configure inbound rules, the server does not allow any incoming traffic.
The suggested inbound rule in the control panel allows SSH connections on port 22 from anywhere so you can administer any Droplets behind this firewall from a terminal:
Outbound firewall rules define what traffic to allow to leave the server, on which ports, and to which destinations. If you do not configure outbound rules, the server does not allow any outbound traffic.
The suggested outbound rules in the control panel permit all traffic to any destination on any port to make it easier to set up a new server, because many fundamental services rely on outbound connections:
You can choose to apply the firewall rules to individual Droplets by name or by tag. Using tags lets you apply firewall rules to Droplets as you create them and simplifies managing your Droplets in bulk.
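The default-deny behaviour described above (no inbound rules means no inbound traffic, no outbound rules means no outbound traffic, and only explicitly matched traffic passes) is easy to get wrong when reading a firewall spec by eye. The following added example, which is not DigitalOcean's code, is a small offline evaluator that models those semantics. The rule objects follow the inbound_rules / outbound_rules shape of the DigitalOcean API v2 firewall resource as an assumption (check the API reference before relying on field names); the sample firewall is constructed here and mirrors the control panel's suggested rules (SSH in from anywhere, everything out) applied by the tag web. The evaluation logic is a simplification written for illustration; it covers address-based sources and destinations only, not Droplet ids, tags or load balancer sources.

```python
"""Offline model of DigitalOcean Cloud Firewall default-deny semantics.
Added example, not DigitalOcean's code. Rule shape is assumed to follow the
API v2 firewall resource; the matching logic is a simplification."""

import ipaddress

# Constructed sample spec: the control panel's suggested rules, applied by tag.
SUGGESTED_FIREWALL = {
    "name": "example-web-fw",  # placeholder name
    "inbound_rules": [
        {"protocol": "tcp", "ports": "22",
         "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "outbound_rules": [
        {"protocol": "tcp", "ports": "all",
         "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "udp", "ports": "all",
         "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "icmp",
         "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "tags": ["web"],  # apply to every Droplet tagged "web", present or future
}


def _port_matches(rule_ports, port):
    """Match a port spec: "all", a single port such as "22", or a range "8000-9000"."""
    if rule_ports == "all":
        return True
    if "-" in rule_ports:
        lo, hi = (int(p) for p in rule_ports.split("-", 1))
        return lo <= port <= hi
    return int(rule_ports) == port


def _address_matches(cidrs, address):
    """True if `address` falls inside any CIDR of the same IP version."""
    ip = ipaddress.ip_address(address)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def is_allowed(firewall, direction, protocol, port, peer):
    """Default deny: True only if a rule for `direction` ("inbound" or
    "outbound") explicitly permits `protocol`/`port` to or from `peer`,
    an IP address string. ICMP rules carry no port, so pass port=None."""
    rules_key, peer_key = (("inbound_rules", "sources") if direction == "inbound"
                           else ("outbound_rules", "destinations"))
    for rule in firewall.get(rules_key, []):
        if rule["protocol"] != protocol:
            continue
        if protocol != "icmp" and not _port_matches(rule.get("ports", ""), port):
            continue
        if _address_matches(rule[peer_key].get("addresses", []), peer):
            return True
    return False  # nothing matched: the firewall drops it


def exposed_to_internet(firewall):
    """Review helper: inbound (protocol, ports) pairs reachable from any
    address, i.e. rules whose sources include 0.0.0.0/0 or ::/0."""
    wide_open = []
    for rule in firewall.get("inbound_rules", []):
        cidrs = rule.get("sources", {}).get("addresses", [])
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            wide_open.append((rule["protocol"], rule.get("ports", "all")))
    return wide_open


if __name__ == "__main__":
    fw = SUGGESTED_FIREWALL
    print("ssh from internet:", is_allowed(fw, "inbound", "tcp", 22, "203.0.113.5"))
    print("http from internet:", is_allowed(fw, "inbound", "tcp", 80, "203.0.113.5"))
    print("https outbound:", is_allowed(fw, "outbound", "tcp", 443, "198.51.100.7"))
    print("empty spec, ssh in:", is_allowed({"name": "empty"}, "inbound", "tcp", 22, "203.0.113.5"))
    print("open to the internet:", exposed_to_internet(fw))
```

The empty-spec case is the one worth remembering: a firewall with no rules at all attached to a Droplet blocks everything in both directions, which is why the control panel suggests the SSH and outbound rules before you apply it. The exposed_to_internet helper is the kind of check to run over specs pulled from the API before attaching them by tag, since a tag applies the rules to every current and future Droplet carrying it.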