How to Add and Remove Droplets from Firewalls

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.


Add or Remove Droplets from a Firewall Using the CLI

The commands to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the doctl compute droplet list command.

How to Add a Droplet to a Firewall Using the DigitalOcean CLI
  1. Install doctl, the DigitalOcean command-line tool.

  2. Create a personal access token and save it for use with doctl.

  3. Use the token to grant doctl access to your DigitalOcean account.

              doctl auth init
              
  4. Finally, run doctl compute firewall add-droplets. Basic usage looks like this, but you can read the usage docs for more details:

                doctl compute firewall add-droplets <id> [flags]
              

    The following example assigns two Droplets to the cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6:

                  doctl compute firewall add-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
                
How to Remove a Droplet from a Firewall Using the DigitalOcean CLI
  1. Install doctl, the DigitalOcean command-line tool.

  2. Create a personal access token and save it for use with doctl.

  3. Use the token to grant doctl access to your DigitalOcean account.

              doctl auth init
              
  4. Finally, run doctl compute firewall remove-droplets. Basic usage looks like this, but you can read the usage docs for more details:

                doctl compute firewall remove-droplets <id> [flags]
              

    The following example removes two Droplets from a cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6:

                  doctl compute firewall remove-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
                

Add or Remove Droplets from a Firewall Using the API

The API calls to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the /v2/droplets endpoint.

How to Add Droplets to a Firewall Using the DigitalOcean API
  1. Create a personal access token and save it for use with the API.

  2. Send a POST request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets

    cURL

    Using cURL:

        curl -X POST \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
          -d '{"droplet_ids":[49696269]}' \
          "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"
                  

    Go

    Using Godo, the official DigitalOcean V2 API client for Go:

        package main

        import (
            "context"
            "log"
            "os"

            "github.com/digitalocean/godo"
        )

        func main() {
            token := os.Getenv("DIGITALOCEAN_TOKEN")

            client := godo.NewFromToken(token)
            ctx := context.TODO()

            // Droplet IDs are passed as variadic ints after the firewall ID.
            _, err := client.Firewalls.AddDroplets(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", 49696269)
            if err != nil {
                log.Fatal(err)
            }
        }
                  

    Ruby

    Using DropletKit, the official DigitalOcean V2 API client for Ruby:

        require 'droplet_kit'
        token = ENV['DIGITALOCEAN_TOKEN']
        client = DropletKit::Client.new(access_token: token)

        client.firewalls.add_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
                  

    Python

        import os
        from pydo import Client

        client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

        req = {
          "droplet_ids": [
            49696269
          ]
        }

        resp = client.firewalls.assign_droplets(firewall_id="39fa4gz", body=req)
                  
How to Remove Droplets From a Firewall Using the DigitalOcean API
  1. Create a personal access token and save it for use with the API.

  2. Send a DELETE request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets

    cURL

    Using cURL:

        curl -X DELETE \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
          -d '{"droplet_ids":[49696269]}' \
          "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"
                  

    Go

    Using Godo, the official DigitalOcean V2 API client for Go:

        package main

        import (
            "context"
            "log"
            "os"

            "github.com/digitalocean/godo"
        )

        func main() {
            token := os.Getenv("DIGITALOCEAN_TOKEN")

            client := godo.NewFromToken(token)
            ctx := context.TODO()

            // Droplet IDs are passed as variadic ints after the firewall ID.
            _, err := client.Firewalls.RemoveDroplets(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", 49696269)
            if err != nil {
                log.Fatal(err)
            }
        }
                  

    Ruby

    Using DropletKit, the official DigitalOcean V2 API client for Ruby:

        require 'droplet_kit'
        token = ENV['DIGITALOCEAN_TOKEN']
        client = DropletKit::Client.new(access_token: token)

        client.firewalls.remove_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
                  

    Python

        import os
        from pydo import Client

        client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

        req = {
          "droplet_ids": [
            49696269
          ]
        }

        resp = client.firewalls.delete_droplets(firewall_id="39fa4gz", body=req)
                  

Add or Remove Droplets from a Firewall Using the Control Panel

You can modify the Droplets protected by a firewall in the control panel by choosing Networking from the top navigation, then Firewalls. Select the firewall you want to check or modify, then navigate to its Droplets tab.

A firewall’s Droplets tab lists all of the Droplets protected by the firewall. Droplets added individually are shown on their own line, and Droplets added with a tag are shown below the tag.

To add another Droplet or tag to the firewall, use the Add Droplets button.

To remove a Droplet or tag from a firewall, use its More menu and select Remove.


From the firewall’s Droplets panel, you can see which Droplets are affected by that firewall’s rules. To see all the rules affecting a specific Droplet, you need to view the individual Droplet’s networking page.
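
Because a Droplet can be attached to a firewall individually or through a tag, a check worth running before and after a removal is which Droplets end up covered by no firewall at all. The following Python example is added here and is not part of DigitalOcean's documentation or tooling: it runs on constructed sample data shaped like the droplets and firewalls arrays in the /v2/droplets and /v2/firewalls list responses, and the Droplet names, firewall names and function names are hypothetical.

```python
import copy
import json

# Constructed sample data: only the fields this check needs, shaped like the
# "droplets" and "firewalls" arrays of the list responses.
DROPLETS = json.loads("""[
  {"id": 386734086, "name": "web-01", "tags": ["web"]},
  {"id": 391669331, "name": "db-01", "tags": []},
  {"id": 49696269, "name": "batch-01", "tags": ["batch"]}
]""")
FIREWALLS = json.loads("""[
  {"id": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "name": "db-only",
   "droplet_ids": [391669331], "tags": []},
  {"id": "bb4b2611-3d72-467b-8602-280330ecd65c", "name": "web-tier",
   "droplet_ids": [], "tags": ["web"]}
]""")

def firewall_coverage(droplets, firewalls):
    """Map each Droplet ID to the sorted names of the firewalls that apply
    to it, through an explicit droplet_ids entry or through a shared tag."""
    coverage = {}
    for d in droplets:
        d_tags = set(d.get("tags") or [])
        coverage[d["id"]] = sorted(
            fw["name"] for fw in firewalls
            if d["id"] in (fw.get("droplet_ids") or [])
            or d_tags & set(fw.get("tags") or [])
        )
    return coverage

def uncovered(droplets, firewalls):
    """Return the sorted names of Droplets that no firewall covers."""
    cov = firewall_coverage(droplets, firewalls)
    return sorted(d["name"] for d in droplets if not cov[d["id"]])

def simulate_removal(firewalls, firewall_id, droplet_ids):
    """Model a remove-droplets call offline: drop the IDs from one firewall's
    droplet_ids list. Assumption: tag-based membership is left unchanged."""
    result = copy.deepcopy(firewalls)
    for fw in result:
        if fw["id"] == firewall_id:
            fw["droplet_ids"] = [i for i in fw["droplet_ids"] if i not in droplet_ids]
    return result

if __name__ == "__main__":
    after = simulate_removal(FIREWALLS, "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", [391669331])
    print("Uncovered after removal:", uncovered(DROPLETS, after))
```

To run it against a real account, replace the two constructed arrays with the corresponding arrays from your own API responses.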