How to Create Firewalls

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.


Create a Firewall Using the CLI

You can provide the --droplet-ids flag a list of Droplet IDs to automatically assign existing Droplets to a firewall during its creation. To retrieve a list of Droplets and their IDs, use the doctl compute droplet list command.

How to create a firewall using the DigitalOcean CLI

To create a firewall via the command-line, follow these steps:

  1. Install doctl, the DigitalOcean command-line tool.

  2. Create a personal access token, and save it for use with doctl.

  3. Use the token to grant doctl access to your DigitalOcean account.

                  doctl auth init
                
  4. Finally, create a firewall with doctl compute firewall create. The basic usage looks like this, but you'll want to read the usage docs for more details:

                  doctl compute firewall create [flags]
                

Create a Firewall Using the API

You can provide the droplet_ids field with an array of Droplet IDs to automatically assign existing Droplets to a firewall during its creation. To retrieve a list of Droplets and their IDs, use the /v2/droplets endpoint.

How to create a firewall using the DigitalOcean API

To create a firewall using the DigitalOcean API, follow these steps:

  1. Create a personal access token, and save it for use with the API.

  2. Send a POST request to https://api.digitalocean.com/v2/firewalls

    cURL

    To create a firewall with cURL, call:

    
                    curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
      -d '{"name":"firewall","inbound_rules":[{"protocol":"tcp","ports":"80","sources":{"load_balancer_uids": ["4de7ac8b-495b-4884-9a69-1050c6793cd6"]}},{"protocol": "tcp","ports": "22","sources":{"tags": ["gateway"],"addresses": ["18.0.0.0/8"]}}],"outbound_rules":[{"protocol":"tcp","ports":"80","destinations":{"addresses":["0.0.0.0/0","::/0"]}}],"droplet_ids":[8043964]}' \
      "https://api.digitalocean.com/v2/firewalls"

    Go

    Go developers can use Godo, the official DigitalOcean V2 API client for Go. To create a firewall with Godo, use the following code:

    
                    import (
        "context"
        "os"
    
        "github.com/digitalocean/godo"
    )
    
    func main() {
        token := os.Getenv("DIGITALOCEAN_TOKEN")
    
        client := godo.NewFromToken(token)
        ctx := context.TODO()
    
        createRequest := &godo.FirewallRequest{
            Name: 'firewall',
            InboundRules: []godo.InboundRule{
                {
                    Protocol: 'tcp',
                    PortRange: '80',
                    Sources: &godo.Sources{
                        LoadBalancerUIDs: []string{'4de7ac8b-495b-4884-9a69-1050c6793cd6'},
                    },
                },
                {
                    Protocol:  'tcp',
                    PortRange: '22',
                    Sources: &godo.Sources{
                        Addresses: []string{'18.0.0.0/8'},
                        Tags: []string{'gateway'},
                    },
                },
            },
            OutboundRules: []godo.OutboundRule{
                {
                    Protocol: 'tcp',
                    PortRange: '80',
                    Destinations: &godo.Destinations{
                        Addresses: []string{'0.0.0.0/0', '::/0'},
                    },
                },
            },
            DropletIDs: []int{8043964},
        }
    
        firewall, req, err := client.Firewalls.Create(ctx, createRequest)
    }

    Ruby

    Ruby developers can use DropletKit, the official DigitalOcean V2 API client for Ruby. To create a firewall with DropletKit, use the following code:

    
                    require 'droplet_kit'
    token = ENV['DIGITALOCEAN_TOKEN']
    client = DropletKit::Client.new(access_token: token)
    
    firewall = DropletKit::Firewall.new(
      name: 'firewall',
      inbound_rules: [
        DropletKit::FirewallInboundRule.new(
          protocol: 'tcp',
          ports: '80',
          sources: {
            load_balancer_uids: ['4de7ac8b-495b-4884-9a69-1050c6793cd6']
          }
        ),
        DropletKit::FirewallInboundRule.new(
          protocol: 'tcp',
          ports: '22',
          sources: {
            tags: ['gateway'],
            addresses: ['18.0.0.0/8']
          }
        )
      ],
      outbound_rules: [
        DropletKit::FirewallOutboundRule.new(
          protocol: 'tcp',
          ports: '80',
          destinations: {
            addresses: ['0.0.0.0/0', '::/0'],
          }
        )
      ],
      droplet_ids: [8043964]
    )
    
    client.firewalls.create(firewall)

Create a Firewall Using the Control Panel

You can create a firewall at any time from the control panel by opening the Create menu in the upper-right and choosing Cloud Firewalls.

Create menu

On the creation form, you can choose a name for your firewall, define its inbound and outbound rules, and choose the resources to apply the rules to.

Name

You need to define a name for your firewall before you can create it.

The name section of the cloud firewall create page

Rules

You need to define at least one rule to create a firewall.

When you first create a cloud firewall, there are four inbound and outbound rules defined by default that allow some fundamental traffic. You can keep, modify, or delete these rules, and create new ones.

Default Inbound Rule: SSH

Because the compromise of a server typically begins over an inbound connection, the default inbound connections remain entirely restricted with one exception. The suggested rule allows SSH connections on port 22 from anywhere so that users will be able to administer the server from a terminal.

The inbound rules section of the cloud firewall create page

Default Outbound Rules: Permit All Traffic

Many fundamental services rely on outbound communication. Utilities like ping require outbound ICMP. DNS lookups, VoIP and NTP all rely on outbound UDP. Tasks like data synchronization, package list updates, web requests and email require outbound TCP connections.

Because of this, the suggested outbound rules permit all traffic to any destination on any port. These defaults make it easier to set up a new server without introducing restrictions that could block expected functionality.

The outbound rules section of the cloud firewall create page

Apply to Droplets

You can apply a firewall’s rules to Droplets in the firewall’s Apply to Droplets field. When you create a firewall, you can leave this field blank and assign Droplets later.

In the Apply to Droplets field, you can choose Droplets by name, tag, or a combination of both. You can also search for Droplets by IP address.

The apply to Droplets section of the cloud firewall create page

There are limits on the number of Droplets and tags that can be added to a firewall, but there are no limits to the number of Droplets that can be associated with a tag. Using tags allows you to exceed the individual Droplet limit for firewalls. You can also tag a Droplet when you create it, which means you can apply firewall rules immediately.

Droplets can be protected by more than one cloud firewall. When they are, a union of the rules is applied. For example, if one rule allows TCP from any source and another allows TCP from a restricted range, the union of the two means that TCP traffic is allowed from anywhere.

Create

To create the firewall, click Create Firewall.

Once you’ve created a firewall, the Firewalls tab serves as the main overview page and provides summary information including the number of Droplets protected, the number of rules and the date the firewall was created.