Intermediate
How to set up a cloud firewall on DigitalOcean
Quick Answer
DigitalOcean Cloud Firewalls are free, stateful network firewalls for Droplets, load balancers, and Kubernetes. Create via control panel (fastest) or CLI with default rules for SSH/HTTP/HTTPS, customize ports/IPs/tags, and apply to resources. Takes 15-45 minutes; avoid lockouts by always allowing SSH (port 22).
Prerequisites
- Active DigitalOcean account with Droplets or resources
- Personal access token for CLI/API
- doctl CLI installed and authenticated
- Basic networking knowledge (ports, CIDR, tags)
- Resource IDs, tags, or IPs ready
1
Log in to DigitalOcean Control Panel
Access your DigitalOcean account at cloud.digitalocean.com and sign in to reach the main dashboard.
2
Navigate to Create Cloud Firewall
In the upper-right corner, click the Create menu and select Cloud Firewalls from the dropdown.
3
Configure Basic Firewall Settings
Enter a descriptive name like web-server-firewall in the Name field. The form includes four default rules: inbound TCP 22/80 from all IPv4/IPv6, outbound all TCP/UDP/ICMP and TCP 443 to all. Modify as needed, e.g., restrict SSH port 22 to your CIDR like 203.0.113.0/24 under Sources.
Tip
Always keep SSH (port 22) open from your IP to avoid lockouts.
4
Add Custom Inbound Rules
Click Add Inbound Rule, select protocol (TCP/UDP/ICMP), enter ports (e.g. 80, 3000-4000, or All), and define Sources: All IPv4/IPv6, IP/CIDR (e.g. 18.0.0.0/8), Droplet tags (web), or load balancer UIDs. Add HTTPS: TCP 443 from all sources.
5
Add Custom Outbound Rules
Click Add Outbound Rule, select protocol, enter ports (e.g. 80 or All), and set Destinations like 0.0.0.0/0, ::/0 for all internet access.
6
Assign Firewall to Resources
Under Apply to Droplets, select Droplet IDs (e.g. 8043964), tags (frontend), load balancers, or Kubernetes clusters.
Tip
Use tags for easier management of multiple resources.
7
Create the Firewall
Click Create Firewall. It takes effect immediately on the assigned resources at no extra cost; inspection is stateful, so return traffic for connections the rules allow is permitted automatically.
8
Verify and Manage Firewall
Go to Networking > Firewalls in the sidebar. Click your firewall to view its UUID (e.g. bb4b2611-3d72-467b-8602-280330ecd65c), rules, and resources. Edit rules via the Edit button.
9
CLI Setup: Install and Authenticate doctl
brew install doctl   # macOS/Linux
doctl auth init      # follow the prompts
Retrieve firewalls with doctl compute firewall list. Use the ID for updates.
Tip
Generate a personal access token in API settings first.
10
CLI: Create Firewall Example
Use doctl compute firewall create with its rule flags, or call the API with curl:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"name":"firewall","inbound_rules":[...],"droplet_ids":[8043964]}' "https://api.digitalocean.com/v2/firewalls"
Troubleshooting
Lockout: SSH connection timed out after applying firewall
Missing inbound TCP port 22 rule. Temporarily allow from 0.0.0.0/0, save via control panel, reconnect, then restrict to your IP/CIDR.
CLI/API: Invalid JSON payload error
Check syntax for the rules array, ports, sources/destinations. Validate with doctl compute firewall list and test incrementally.
Firewall not applying to resources
Verify Droplet IDs, tags, or UIDs are correct. Use the control panel to reassign, or the CLI: doctl compute firewall update <ID> --droplet-ids <ID>.
IPv6 traffic blocked unexpectedly
Ensure rules include ::/0 in sources/destinations. DigitalOcean handles IPv6 natively; enable it on Droplets if needed.
Rules not saving or firewall not activating
Check for conflicting rules or empty required fields. View status in Networking > Firewalls; recreate if the UUID is missing.
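The API call from step 10 with the payload that line elides, as an added example that is not DigitalOcean's own code: it encodes the rules built in steps 3 and 4 (SSH only from an admin CIDR, HTTP/HTTPS from anywhere, all outbound TCP/UDP) and rejects a malformed admin CIDR before anything is sent, which heads off both the invalid-payload error and the lockout case above. $TOKEN, the Droplet ID 8043964 and the CIDR 203.0.113.0/24 are the page's placeholders.

```shell
# Added example (not DigitalOcean's code): build the JSON body for POST /v2/firewalls
# and send it. Assumes $TOKEN holds a personal access token; 8043964 and
# 203.0.113.0/24 are the placeholder Droplet ID and admin CIDR used on this page.
set -eu

# Return 0 if $1 is a dotted IPv4 CIDR (four octets 0-255, prefix 0-32).
# A malformed source is rejected by the API (the "invalid payload" case above),
# and a mistyped admin CIDR on port 22 is the classic way to lock yourself out.
valid_ipv4_cidr() {
  local cidr="$1" ip="${1%/*}" prefix="${1#*/}" octet old_ifs
  [ "$ip" != "$cidr" ] || return 1                 # no "/" at all
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the payload: $1 name, $2 admin CIDR allowed to SSH, $3 Droplet ID.
# Sources/destinations take "addresses", "droplet_ids", "tags" or
# "load_balancer_uids"; "all" is the ports value for every TCP/UDP port.
firewall_payload() {
  local name="$1" admin_cidr="$2" droplet_id="$3"
  valid_ipv4_cidr "$admin_cidr" || { echo "bad admin CIDR: $admin_cidr" >&2; return 1; }
  cat <<EOF
{"name": "$name",
 "inbound_rules": [
  {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["$admin_cidr"]}},
  {"protocol": "tcp", "ports": "80", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
  {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}],
 "outbound_rules": [
  {"protocol": "tcp", "ports": "all", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
  {"protocol": "udp", "ports": "all", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}}],
 "droplet_ids": [$droplet_id]}
EOF
}

# Validate first, then send; a bad CIDR never reaches the API.
create_firewall() {
  local body
  body=$(firewall_payload "$@") || return 1
  curl -sS -X POST "https://api.digitalocean.com/v2/firewalls" \
    -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d "$body"
}

# Opt-in, so sourcing this file for its functions has no side effects.
if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
  create_firewall web-server-firewall 203.0.113.0/24 8043964
fi
```

Run with APPLY_FIREWALL=1 to create the firewall; the JSON response carries the UUID that step 8 and the doctl update command use.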