How to Add and Remove Droplets from Firewalls

Validated on 27 Mar 2019 • Last edited on 1 Jun 2023 protocol

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.

Add or Remove Droplets from a Firewall Using the CLI

The commands to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the doctl compute droplet list command.

How to add a Droplet to a firewall using the DigitalOcean CLI

To add a Droplet to a firewall via the command-line, follow these steps:

Install doctl, the DigitalOcean command-line tool.
Create a personal access token, and save it for use with doctl.
Use the token to grant doctl access to your DigitalOcean account.
```
              doctl auth init
            
```
Finally, add a Droplet to a firewall with doctl compute firewall add-droplets. The basic usage looks like this, but you'll want to read the usage docs for more details:
```
              doctl compute firewall add-droplets <id> [flags]
            
```

How to remove a Droplet to a firewall using the DigitalOcean CLI

To remove a Droplet to a firewall via the command-line, follow these steps:

Install doctl, the DigitalOcean command-line tool.
Create a personal access token, and save it for use with doctl.
Use the token to grant doctl access to your DigitalOcean account.
```
              doctl auth init
            
```
Finally, remove a Droplet to a firewall with doctl compute firewall remove-droplets. The basic usage looks like this, but you'll want to read the usage docs for more details:
```
              doctl compute firewall remove-droplets <id> [flags]
            
```

Add or Remove Droplets from a Firewall Using the API

The API calls to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the /v2/droplets endpoint.

How to add Droplets to a firewall using the DigitalOcean API

To add Droplets to a firewall using the DigitalOcean API, follow these steps:

Create a personal access token, and save it for use with the API.

Send a POST request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets

cURL

To add Droplets to a firewall with cURL, call:


                curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"droplet_ids":[49696269]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"

Go

Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add Droplets to a firewall with Godo, use the following code:


                import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    _, err := client.Firewalls.AddDroplets(ctx, 'bb4b2611-3d72-467b-8602-280330ecd65c', 49696269) 
}

Ruby

Ruby developers can use DropletKit, the official DigitalOcean V2 API client for Ruby. To add Droplets to a firewall with DropletKit, use the following code:


                require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

client.firewalls.add_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')

How to remove Droplets from a firewall using the DigitalOcean API

To remove Droplets from a firewall using the DigitalOcean API, follow these steps:

Create a personal access token, and save it for use with the API.

Send a DELETE request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets

cURL

To remove Droplets from a firewall with cURL, call:


                curl -X DELETE \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"droplet_ids":[49696269]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"

Go

Go developers can use Godo, the official DigitalOcean V2 API client for Go. To remove Droplets from a firewall with Godo, use the following code:


                import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    _, err := client.Firewalls.RemoveDroplets(ctx, 'bb4b2611-3d72-467b-8602-280330ecd65c', 49696269)
}

Ruby

Ruby developers can use DropletKit, the official DigitalOcean V2 API client for Ruby. To remove Droplets from a firewall with DropletKit, use the following code:


                require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

client.firewalls.remove_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')

Add or Remove Droplets from a Firewall Using the Control Panel

You can modify the Droplets protected by a firewall in the control panel by choosing Networking from the top navigation, then Firewalls. Select the firewall you want to check or modify, then navigate to its Droplets tab.

A firewall’s Droplets tab lists all of all the Droplets protected by the firewall. Droplets added individually are shown on their own line, and Droplets added with a tag are shown below the tag.

To add another Droplet or tag to the firewall, use the Add Droplets button.

To remove a Droplet or tag from a firewall, use its More menu and select Remove.

From the firewall’s Droplets panel, you can see which Droplets are affected by that firewall’s rules. To see all the rules affecting a specific Droplet, you need to view the individual Droplet’s networking page.