# How to Add and Remove Droplets from Firewalls

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.

## Add or Remove Droplets from a Firewall Using the CLI

The commands to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the `doctl compute droplet list` command.

## How to Add a Droplet to a Firewall Using the DigitalOcean CLI

1. [Install `doctl`](https://docs.digitalocean.com/reference/doctl/how-to/install/index.html.md), the official DigitalOcean CLI.
2. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with `doctl`.
3. Use the token to grant `doctl` access to your DigitalOcean account.

   ```shell
   doctl auth init
   ```
4. Finally, run `doctl compute firewall add-droplets`. Basic usage looks like this, but you can [read the usage docs](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/add-droplets/index.html.md) for more details:

   ```shell
   doctl compute firewall add-droplets <firewall-id> [flags]
   ```

   The following example assigns two Droplets to the cloud firewall with the ID `f81d4fae-7dec-11d0-a765-00a0c91e6bf6`:

   ```shell
   doctl compute firewall add-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
   ```

## How to Remove a Droplet to a Firewall Using the DigitalOcean CLI

1. [Install `doctl`](https://docs.digitalocean.com/reference/doctl/how-to/install/index.html.md), the official DigitalOcean CLI.
2. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with `doctl`.
3. Use the token to grant `doctl` access to your DigitalOcean account.

   ```shell
   doctl auth init
   ```
4. Finally, run `doctl compute firewall remove-droplets`. Basic usage looks like this, but you can [read the usage docs](https://docs.digitalocean.com/reference/doctl/reference/compute/firewall/remove-droplets/index.html.md) for more details:

   ```shell
   doctl compute firewall remove-droplets <firewall-id> [flags]
   ```

   The following example removes two Droplets from a cloud firewall with the ID `f81d4fae-7dec-11d0-a765-00a0c91e6bf6`:

   ```shell
   doctl compute firewall remove-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
   ```

## Add or Remove Droplets from a Firewall Using the API

The API calls to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the [`/v2/droplets` endpoint](https://docs.digitalocean.com/reference/api/digitalocean/index.html.md#operation/droplets_list).

## How to Add Droplets to a Firewall Using the DigitalOcean API

1. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with the API.
2. Send a POST request to [`https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets`](https://docs.digitalocean.com/reference/api/digitalocean//index.html.md#operation/firewalls_assign_droplets).

### cURL

Using cURL:

```shell
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"droplet_ids":[49696269]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"
```

### Go

Using [Godo](https://github.com/digitalocean/godo), the official DigitalOcean API client for Go:

```go
import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    _, err := client.Firewalls.AddDroplets(ctx, 'bb4b2611-3d72-467b-8602-280330ecd65c', 49696269)
}
```

### Ruby

Using [DropletKit](https://github.com/digitalocean/droplet_kit), the official DigitalOcean API client for Ruby:

```ruby
require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

client.firewalls.add_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
```

### Python

Using [PyDo](https://github.com/digitalocean/pydo), the official DigitalOcean API client for Python:

```python
import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

req = {
  "droplet_ids": [
    49696269
  ]
}

resp = client.firewalls.assign_droplets(firewall_id="39fa4gz", body=req)
```

## How to Remove Droplets From a Firewall Using the DigitalOcean API

1. [Create a personal access token](https://docs.digitalocean.com/reference/api/create-personal-access-token/index.html.md) and save it for use with the API.
2. Send a DELETE request to [`https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets`](https://docs.digitalocean.com/reference/api/digitalocean//index.html.md#operation/firewalls_delete_droplets).

### cURL

Using cURL:

```shell
curl -X DELETE \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
  -d '{"droplet_ids":[49696269]}' \
  "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"
```

### Go

Using [Godo](https://github.com/digitalocean/godo), the official DigitalOcean API client for Go:

```go
import (
    "context"
    "os"

    "github.com/digitalocean/godo"
)

func main() {
    token := os.Getenv("DIGITALOCEAN_TOKEN")

    client := godo.NewFromToken(token)
    ctx := context.TODO()

    _, err := client.Firewalls.RemoveDroplets(ctx, 'bb4b2611-3d72-467b-8602-280330ecd65c', 49696269)
}
```

### Ruby

Using [DropletKit](https://github.com/digitalocean/droplet_kit), the official DigitalOcean API client for Ruby:

```ruby
require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)

client.firewalls.remove_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')
```

### Python

Using [PyDo](https://github.com/digitalocean/pydo), the official DigitalOcean API client for Python:

```python
import os
from pydo import Client

client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

req = {
  "droplet_ids": [
    49696269
  ]
}

resp = client.firewalls.delete_droplets(firewall_id="39fa4gz", body=req)
```

## Add or Remove Droplets from a Firewall Using the Control Panel

You can modify the Droplets protected by a firewall in the [control panel](https://cloud.digitalocean.com) by choosing **Networking** from the top menu, then **Firewalls**. Select the firewall you want to check or modify, then navigate to its **Droplets** tab.

A firewall’s **Droplets** tab lists all of all the Droplets protected by the firewall. Droplets added individually are shown on their own line, and Droplets added with a tag are shown below the tag.

To add another Droplet or tag to the firewall, use the **Add Droplets** button.

To remove a Droplet or tag from a firewall, on the right, click **More**, and then select **Remove**.

From the firewall’s Droplets panel, you can see which Droplets are affected by that firewall’s rules. To [see all the rules affecting a specific Droplet](https://docs.digitalocean.com/products/networking/firewalls/how-to/view-rules-for-droplet/index.html.md), you need to view the individual Droplet’s networking page.