Inbound firewall rules define the traffic allowed to the server on which ports and from which sources. If no inbound rules are configured, no incoming traffic is permitted.
Outbound firewall rules define the traffic allowed to leave the server and on which ports. If no outbound rules are configured, no outbound traffic is permitted.
The DigitalOcean Cloud Firewall service is a separate firewall from any firewall software running on a Droplet, such as UFW or IPFire. Any rules created using the Cloud Firewall service are not reflected in the firewall software of the Droplets it protects. Additionally, if you are using both the Cloud Firewall service and a Droplet-based firewall software to protect your Droplets, ensure that the rules between the two firewalls do not conflict.
Add, Update, or Remove Rules from a Firewall Using the CLI
The firewall rule management commands require the firewall’s ID. To retrieve a list of firewalls and their IDs, use the doctl compute firewall list command.
How to Add a Rule to a Firewall Using the DigitalOcean CLI
- Install doctl, the official DigitalOcean CLI.
- Create a personal access token and save it for use with doctl.
- Use the token to grant doctl access to your DigitalOcean account.
- Finally, run doctl compute firewall add-rules. Basic usage looks like this, but you can read the usage docs for more details:

```shell
doctl compute firewall add-rules <firewall-id> [flags]
```
The following example adds an inbound rule and an outbound rule to a cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6:
```shell
doctl compute firewall add-rules f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --inbound-rules "protocol:tcp,ports:22,droplet_id:386734086" --outbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0"
```
How to Update a Firewall’s Rules Using the DigitalOcean CLI
- Install doctl, the official DigitalOcean CLI.
- Create a personal access token and save it for use with doctl.
- Use the token to grant doctl access to your DigitalOcean account.
- Finally, run doctl compute firewall update. Basic usage looks like this, but you can read the usage docs for more details:

```shell
doctl compute firewall update <firewall-id> [flags]
```
The following example updates the cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6, naming it example-firewall, giving it one inbound rule and one outbound rule, and applying it to the specified Droplets:

```shell
doctl compute firewall update f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --name "example-firewall" --inbound-rules "protocol:tcp,ports:22,droplet_id:386734086" --outbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0" --droplet-ids "386734086,391669331"
```
How to Remove a Rule From a Firewall Using the DigitalOcean CLI
- Install doctl, the official DigitalOcean CLI.
- Create a personal access token and save it for use with doctl.
- Use the token to grant doctl access to your DigitalOcean account.
- Finally, run doctl compute firewall remove-rules. Basic usage looks like this, but you can read the usage docs for more details:

```shell
doctl compute firewall remove-rules <firewall-id> [flags]
```
The following example removes an inbound rule and an outbound rule from a cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6:
```shell
doctl compute firewall remove-rules f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --inbound-rules "protocol:tcp,ports:22,droplet_id:386734086" --outbound-rules "protocol:tcp,ports:22,address:0.0.0.0/0"
```
Add, Update, or Remove Rules from a Firewall Using the API
The firewall rule management calls require the firewall’s ID. To retrieve a list of firewalls and their IDs, send a GET request to the /v2/firewalls endpoint.
How to Add a Firewall Rule Using the DigitalOcean API
Create a personal access token and save it for use with the API.
cURL
Send a POST request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/rules.
Using cURL:
```shell
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"inbound_rules":[{"protocol":"tcp","ports":"3306","sources":{"droplet_ids":[49696269]}}],"outbound_rules":[{"protocol":"tcp","ports":"3306","destinations":{"droplet_ids":[49696269]}}]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/rules"
```
Go
Using Godo, the official DigitalOcean API client for Go:
```go
package main

import (
	"context"
	"log"
	"os"

	"github.com/digitalocean/godo"
)

func main() {
	token := os.Getenv("DIGITALOCEAN_TOKEN")
	client := godo.NewFromToken(token)
	ctx := context.TODO()

	// Allow MySQL (TCP 3306) only to and from a single Droplet.
	ruleRequest := &godo.FirewallRulesRequest{
		InboundRules: []godo.InboundRule{
			{
				Protocol:  "tcp",
				PortRange: "3306",
				Sources: &godo.Sources{
					DropletIDs: []int{49696269},
				},
			},
		},
		OutboundRules: []godo.OutboundRule{
			{
				Protocol:  "tcp",
				PortRange: "3306",
				Destinations: &godo.Destinations{
					DropletIDs: []int{49696269},
				},
			},
		},
	}

	// AddRules appends these rules to the firewall's existing rule set.
	_, err := client.Firewalls.AddRules(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", ruleRequest)
	if err != nil {
		log.Fatal(err)
	}
}
```
Ruby
Using DropletKit, the official DigitalOcean API client for Ruby:
```ruby
require 'droplet_kit'

token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

# Allow MySQL (TCP 3306) only to and from a single Droplet.
inbound_rule = DropletKit::FirewallInboundRule.new(
  protocol: 'tcp',
  ports: '3306',
  sources: {
    droplet_ids: [49696269]
  }
)

outbound_rule = DropletKit::FirewallOutboundRule.new(
  protocol: 'tcp',
  ports: '3306',
  destinations: {
    droplet_ids: [49696269]
  }
)

client.firewalls.add_rules(inbound_rules: [inbound_rule], outbound_rules: [outbound_rule], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
```
Python
Using PyDo, the official DigitalOcean API client for Python:
```python
import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

# Allow MySQL (TCP 3306) only to and from a single Droplet.
req = {
    "inbound_rules": [
        {
            "protocol": "tcp",
            "ports": "3306",
            "sources": {
                "droplet_ids": [
                    49696269
                ]
            }
        }
    ],
    "outbound_rules": [
        {
            "protocol": "tcp",
            "ports": "3306",
            "destinations": {
                "droplet_ids": [
                    49696269
                ]
            }
        }
    ]
}

resp = client.firewalls.add_rules(firewall_id="39fa4gz", body=req)
```
How to Update a Firewall’s Rules Using the DigitalOcean API
Create a personal access token and save it for use with the API.
cURL
Send a PUT request to https://api.digitalocean.com/v2/firewalls/{firewall_id}.
Using cURL:
```shell
curl -X PUT \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"name":"firewall","inbound_rules":[{"protocol":"tcp","ports":"8080","sources":{"load_balancer_uids": ["4de7ac8b-495b-4884-9a69-1050c6793cd6"]}},{"protocol": "tcp","ports": "22","sources":{"tags": ["gateway"],"addresses": ["18.0.0.0/8"]}}],"outbound_rules":[{"protocol":"tcp","ports":"8080","destinations":{"addresses":["0.0.0.0/0","::/0"]}}],"droplet_ids":[8043964],"tags":["frontend"]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c"
```
Go
Using Godo, the official DigitalOcean API client for Go:
```go
package main

import (
	"context"
	"log"
	"os"

	"github.com/digitalocean/godo"
)

func main() {
	token := os.Getenv("DIGITALOCEAN_TOKEN")
	client := godo.NewFromToken(token)
	ctx := context.TODO()

	// Update replaces the firewall's whole configuration (name, rules,
	// Droplets and tags), so every attribute to keep must be included.
	updateRequest := &godo.FirewallRequest{
		Name: "firewall",
		InboundRules: []godo.InboundRule{
			{
				Protocol:  "tcp",
				PortRange: "8080",
				Sources: &godo.Sources{
					LoadBalancerUIDs: []string{"4de7ac8b-495b-4884-9a69-1050c6793cd6"},
				},
			},
			{
				Protocol:  "tcp",
				PortRange: "22",
				Sources: &godo.Sources{
					Addresses: []string{"18.0.0.0/8"},
					Tags:      []string{"gateway"},
				},
			},
		},
		OutboundRules: []godo.OutboundRule{
			{
				Protocol:  "tcp",
				PortRange: "8080",
				Destinations: &godo.Destinations{
					Addresses: []string{"0.0.0.0/0", "::/0"},
				},
			},
		},
		DropletIDs: []int{8043964},
		Tags:       []string{"frontend"},
	}

	firewall, _, err := client.Firewalls.Update(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", updateRequest)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("updated firewall %s (%s)", firewall.Name, firewall.ID)
}
```
Ruby
Using DropletKit, the official DigitalOcean API client for Ruby:
```ruby
require 'droplet_kit'

token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

# update replaces the firewall's whole configuration, so include every
# attribute (name, rules, Droplets, tags) that should remain.
firewall = DropletKit::Firewall.new(
  name: 'firewall',
  inbound_rules: [
    DropletKit::FirewallInboundRule.new(
      protocol: 'tcp',
      ports: '8080',
      sources: {
        load_balancer_uids: ['4de7ac8b-495b-4884-9a69-1050c6793cd6']
      }
    ),
    DropletKit::FirewallInboundRule.new(
      protocol: 'tcp',
      ports: '22',
      sources: {
        tags: ['gateway'],
        addresses: ['18.0.0.0/8']
      }
    )
  ],
  outbound_rules: [
    DropletKit::FirewallOutboundRule.new(
      protocol: 'tcp',
      ports: '8080',
      destinations: {
        addresses: ['0.0.0.0/0', '::/0']
      }
    )
  ],
  droplet_ids: [8043964],
  tags: ['frontend']
)

client.firewalls.update(firewall, id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
```
Python
Using PyDo, the official DigitalOcean API client for Python:
```python
import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

# update replaces the firewall's whole configuration, so include every
# attribute (name, rules, Droplets, tags) that should remain.
req = {
    "name": "frontend-firewall",
    "inbound_rules": [
        {
            "protocol": "tcp",
            "ports": "8080",
            "sources": {
                "load_balancer_uids": [
                    "4de7ac8b-495b-4884-9a69-1050c6793cd6"
                ]
            }
        },
        {
            "protocol": "tcp",
            "ports": "22",
            "sources": {
                "tags": [
                    "gateway"
                ],
                "addresses": [
                    "18.0.0.0/8"
                ]
            }
        }
    ],
    "outbound_rules": [
        {
            "protocol": "tcp",
            "ports": "8080",
            "destinations": {
                "addresses": [
                    "0.0.0.0/0",
                    "::/0"
                ]
            }
        }
    ],
    "droplet_ids": [
        8043964
    ],
    "tags": [
        "frontend"
    ]
}

resp = client.firewalls.update(firewall_id="3afda9", body=req)
```
How to Delete a Firewall Rule Using the DigitalOcean API
Create a personal access token and save it for use with the API.
cURL
Send a DELETE request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/rules.
Using cURL:
```shell
curl -X DELETE \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"inbound_rules":[{"protocol":"tcp","ports":"3306","sources":{"droplet_ids":[49696269]}}],"outbound_rules":[{"protocol":"tcp","ports":"3306","destinations":{"droplet_ids":[49696269]}}]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/rules"
```
Go
Using Godo, the official DigitalOcean API client for Go:
```go
package main

import (
	"context"
	"log"
	"os"

	"github.com/digitalocean/godo"
)

func main() {
	token := os.Getenv("DIGITALOCEAN_TOKEN")
	client := godo.NewFromToken(token)
	ctx := context.TODO()

	// The rules to remove must match the existing rules exactly.
	ruleRequest := &godo.FirewallRulesRequest{
		InboundRules: []godo.InboundRule{
			{
				Protocol:  "tcp",
				PortRange: "3306",
				Sources: &godo.Sources{
					DropletIDs: []int{49696269},
				},
			},
		},
		OutboundRules: []godo.OutboundRule{
			{
				Protocol:  "tcp",
				PortRange: "3306",
				Destinations: &godo.Destinations{
					DropletIDs: []int{49696269},
				},
			},
		},
	}

	_, err := client.Firewalls.RemoveRules(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", ruleRequest)
	if err != nil {
		log.Fatal(err)
	}
}
```
Ruby
Using DropletKit, the official DigitalOcean API client for Ruby:
```ruby
require 'droplet_kit'

token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

# The rules to remove must match the existing rules exactly.
inbound_rule = DropletKit::FirewallInboundRule.new(
  protocol: 'tcp',
  ports: '3306',
  sources: {
    droplet_ids: [49696269]
  }
)

outbound_rule = DropletKit::FirewallOutboundRule.new(
  protocol: 'tcp',
  ports: '3306',
  destinations: {
    droplet_ids: [49696269]
  }
)

client.firewalls.remove_rules(inbound_rules: [inbound_rule], outbound_rules: [outbound_rule], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
```
Python
Using PyDo, the official DigitalOcean API client for Python:
```python
import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

# The rules to remove must match the existing rules exactly.
req = {
    "inbound_rules": [
        {
            "protocol": "tcp",
            "ports": "3306",
            "sources": {
                "droplet_ids": [
                    49696269
                ]
            }
        }
    ],
    "outbound_rules": [
        {
            "protocol": "tcp",
            "ports": "3306",
            "destinations": {
                "droplet_ids": [
                    49696269
                ]
            }
        }
    ]
}

resp = client.firewalls.delete_rules(firewall_id="39fa4gz", body=req)
```
Add or Remove Rules from a Firewall Using the Control Panel
To manage a firewall’s rules, click Networking in the main menu, then click Firewalls. Click the firewall’s name to go to its Rules tab. On the Rules tab, you can create new rules and edit or delete existing rules.
When more than one firewall is applied to a Droplet, their rules are additive: traffic allowed by any one of the firewalls is permitted, and no rule in another firewall can restrict it again.
Create New Rules
To create an inbound rule, click Add inbound rule in the Inbound rules section. To create an outbound rule, click Add outbound rule in the Outbound rules section. Each opens a window where you can use a preset rule type or define a custom rule.
You can only define firewall rules to restrict traffic to and from ports based on connection types, sources, and destinations. You cannot define a rule to restrict traffic based on HTTP headers, such as X-Forwarded-For, Content-Type, or User-Agent.
From Presets
The Type drop-down includes presets for common protocols, such as SSH, HTTP, and HTTPS. Selecting a preset fills the Protocol and Port fields automatically. For example, selecting HTTP sets Protocol to TCP and Port to 80. If a service listens on a non-standard port, use a custom rule instead.
Custom Rules
To add a custom rule, set Type to Custom. You can then define the protocol, port range, and source or destination. For a custom rule, specify the:
- Protocol. Choose either TCP or UDP. Because ICMP has no port abstraction, allow ICMP traffic by selecting ICMP from the Type drop-down instead.
- Port. For the TCP and UDP protocols, you can specify:
  - A single port.
  - A range of ports by entering the starting and ending ports separated by a dash with no spaces, such as 3000-4000. To open multiple non-sequential ports, create a separate rule for each.
  - All ports by leaving the field blank.
- Sources for inbound rules, which restrict the source of incoming connections. By default, the field is pre-populated with All IPv4 and All IPv6. Click x next to a chip to remove it, or clear all to remove all defaults. You can restrict incoming connections to:
  - Resources or tags by searching the name of the resource or tag. This includes Droplets, load balancers, VPCs, Kubernetes clusters, and resource tags.
  - IP addresses or IP ranges by entering individual IP addresses or a CIDR. For example, the CIDR 10.128.0.0/16 allows incoming traffic from any IP address between 10.128.0.0 and 10.128.255.255. The same applies to IPv6 addresses and CIDRs.
  - Types of IP addresses by choosing All IPv4 or All IPv6. This allows all IP addresses of that type to connect to the Droplet. If you are using the API, enter 0.0.0.0/0 (IPv4) or ::/0 (IPv6) into the addresses field of the sources object.
- Sources for outbound rules, which restrict where outgoing connections can go. The field is labeled Sources in both inbound and outbound rule windows and accepts the same values described above. You can limit the sources to:
  - Droplets, by name, IP address, or tag.
  - DigitalOcean load balancers, by name, IP address, or tag.
  - DigitalOcean Kubernetes clusters, by name or tag.
  - Non-DigitalOcean servers, by IP address, subnet, or CIDR range.
When you have set the type, port, and sources, click Add inbound rule or Add outbound rule to save the rule.
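Because stacked firewalls are additive, the question "which firewall lets this connection in?" can be answered offline from the inbound_rules JSON the API returns, using the port formats (single port, dash-separated range, all ports) and address/CIDR sources described above. This is an added example, not DigitalOcean's code: the two firewalls are constructed, and treating a blank, "0" or "all" port value as every port is an assumption.

```python
import ipaddress

# Constructed sample: two cloud firewalls applied to the same Droplet,
# in the inbound_rules shape the API uses on this page.
FIREWALLS = [
    {"name": "web", "inbound_rules": [
        {"protocol": "tcp", "ports": "80", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["10.128.0.0/16"]}},
    ]},
    {"name": "legacy", "inbound_rules": [
        {"protocol": "tcp", "ports": "3000-4000", "sources": {"addresses": ["0.0.0.0/0"]}},
        {"protocol": "tcp", "ports": "22", "sources": {"droplet_ids": [386734086]}},
    ]},
]

def port_matches(spec, port):
    """Match a port against a rule's port spec: '22', '3000-4000', or all ports.
    Assumption: blank (control panel), '0' or 'all' all mean every port."""
    if spec in ("", "0", "all"):
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def source_matches(sources, ip):
    """True when the client IP falls inside any address/CIDR of the rule.
    Resource-based sources (droplet_ids, tags, ...) carry no IP to match here."""
    addr = ipaddress.ip_address(ip)
    for cidr in sources.get("addresses", []):
        # ipaddress returns False for an IPv4 address against ::/0 and vice versa.
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False

def allowing_firewalls(firewalls, protocol, port, src_ip):
    """Names of every firewall whose inbound rules admit the connection;
    firewalls are additive, so any non-empty result means it is allowed."""
    hits = []
    for fw in firewalls:
        for rule in fw["inbound_rules"]:
            if (rule["protocol"] == protocol and port_matches(rule["ports"], port)
                    and source_matches(rule["sources"], src_ip)):
                hits.append(fw["name"])
                break
    return hits

def world_open_ports(firewalls):
    """(firewall, protocol, ports) for every rule open to all of IPv4 or IPv6."""
    return [(fw["name"], r["protocol"], r["ports"])
            for fw in firewalls for r in fw["inbound_rules"]
            if set(r["sources"].get("addresses", [])) & {"0.0.0.0/0", "::/0"}]
```

Feeding real rules into these functions only needs the inbound_rules lists from the firewall objects that GET /v2/firewalls returns.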
Edit or Delete Rules
To edit or delete a rule, click the … (More) menu on the right of the rule and choose Edit rule or Delete rule. When you select Delete rule, the rule is deleted immediately without an additional confirmation prompt.