How to Add and Remove Droplets from Firewalls

Validated on 27 Mar 2019 • Last edited on 23 Mar 2026

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.

Copy page as Markdown View page as Markdown

Add or Remove Droplets from a Firewall Using the CLI

The commands to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the doctl compute droplet list command.

How to Add a Droplet to a Firewall Using the DigitalOcean CLI
  1. Install doctl, the official DigitalOcean CLI.
  2. Create a personal access token and save it for use with doctl.
  3. Use the token to grant doctl access to your DigitalOcean account. 
    doctl auth init
  4. Finally, run doctl compute firewall add-droplets. Basic usage looks like this, but you can read the usage docs for more details: 
    doctl compute firewall add-droplets <firewall-id> [flags]
    The following example assigns two Droplets to the cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6: 
    doctl compute firewall add-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
How to Remove a Droplet to a Firewall Using the DigitalOcean CLI
  1. Install doctl, the official DigitalOcean CLI.
  2. Create a personal access token and save it for use with doctl.
  3. Use the token to grant doctl access to your DigitalOcean account. 
    doctl auth init
  4. Finally, run doctl compute firewall remove-droplets. Basic usage looks like this, but you can read the usage docs for more details: 
    doctl compute firewall remove-droplets <firewall-id> [flags]
    The following example removes two Droplets from a cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6: 
    doctl compute firewall remove-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"

Add or Remove Droplets from a Firewall Using the API

The API calls to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the /v2/droplets endpoint.

How to Add Droplets to a Firewall Using the DigitalOcean API
  1. Create a personal access token and save it for use with the API.
  2. Send a POST request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets.

cURL

Using cURL:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"droplet_ids":[49696269]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"

Go

Using Godo, the official DigitalOcean API client for Go:

import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    _, err := client.Firewalls.AddDroplets(ctx, 'bb4b2611-3d72-467b-8602-280330ecd65c', 49696269) 
}

Ruby

Using DropletKit, the official DigitalOcean API client for Ruby:

require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

client.firewalls.add_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')

Python

Using PyDo, the official DigitalOcean API client for Python:

import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

req = {
  "droplet_ids": [
    49696269
  ]
}

resp = client.firewalls.assign_droplets(firewall_id="39fa4gz", body=req)
How to Remove Droplets From a Firewall Using the DigitalOcean API
  1. Create a personal access token and save it for use with the API.
  2. Send a DELETE request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets.

cURL

Using cURL:

curl -X DELETE \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"droplet_ids":[49696269]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"

Go

Using Godo, the official DigitalOcean API client for Go:

import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    _, err := client.Firewalls.RemoveDroplets(ctx, 'bb4b2611-3d72-467b-8602-280330ecd65c', 49696269)
}

Ruby

Using DropletKit, the official DigitalOcean API client for Ruby:

require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

client.firewalls.remove_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')

Python

Using PyDo, the official DigitalOcean API client for Python:

import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

req = {
  "droplet_ids": [
    49696269
  ]
}

resp = client.firewalls.delete_droplets(firewall_id="39fa4gz", body=req)

Add or Remove Droplets from a Firewall Using the Control Panel

You can modify the Droplets protected by a firewall in the control panel by choosing Networking from the top menu, then Firewalls. Select the firewall you want to check or modify, then navigate to its Droplets tab.

A firewall’s Droplets tab lists all of all the Droplets protected by the firewall. Droplets added individually are shown on their own line, and Droplets added with a tag are shown below the tag.

To add another Droplet or tag to the firewall, use the Add Droplets button.

To remove a Droplet or tag from a firewall, on the right, click More, and then select Remove.

From the firewall’s Droplets panel, you can see which Droplets are affected by that firewall’s rules. To see all the rules affecting a specific Droplet, you need to view the individual Droplet’s networking page.

We can't find any results for your search.

Try using different keywords or simplifying your search terms.