How to set up cloud firewall on DigitalOcean

Difficulty: intermediate | 12 min read | Updated 2026-03-13
Quick Answer

DigitalOcean Cloud Firewalls are free, stateful network firewalls for Droplets, load balancers, and Kubernetes clusters. Create one via the control panel (fastest) or the CLI, starting from the default rules for SSH/HTTP/HTTPS, customize ports, source IPs, and tags, then apply it to your resources. The whole process takes 15-45 minutes; avoid locking yourself out by always allowing SSH (port 22) from your own address range.

Prerequisites

  • Active DigitalOcean account with Droplets or resources
  • Personal access token for CLI/API
  • doctl CLI installed and authenticated
  • Basic networking knowledge (ports, CIDR, tags)
  • Resource IDs, tags, or IPs ready

Step-by-Step Instructions

1. Log in to DigitalOcean Control Panel

Access your DigitalOcean account at cloud.digitalocean.com and sign in to reach the main dashboard.

2. Navigate to Create Cloud Firewall

In the upper-right corner, click the Create menu and select Cloud Firewalls from the dropdown.

3. Configure Basic Firewall Settings

Enter a descriptive name like web-server-firewall in the Name field. The form includes four default rules: inbound TCP 22 and 80 from all IPv4/IPv6 sources, and outbound TCP, UDP, and ICMP plus TCP 443 to all destinations. Modify these as needed; for example, restrict SSH (port 22) to your own CIDR, such as 203.0.113.0/24, under Sources.
Always keep SSH (port 22) open from your IP to avoid lockouts.

4. Add Custom Inbound Rules

Click Add Inbound Rule, select a protocol (TCP/UDP/ICMP), enter ports (e.g. 80, 3000-4000, or All), and define Sources: All IPv4/IPv6, an IP or CIDR (e.g. 18.0.0.0/8), Droplet tags (e.g. web), or load balancer UIDs. For HTTPS, add TCP 443 from all sources.

5. Add Custom Outbound Rules

Click Add Outbound Rule, select a protocol, enter ports (e.g. 80 or All), and set Destinations; use 0.0.0.0/0 and ::/0 to allow all internet access over IPv4 and IPv6.

6. Assign Firewall to Resources

Under Apply to Droplets, select Droplet IDs (e.g. 8043964), tags (e.g. frontend), load balancers, or Kubernetes clusters.
Use tags for easier management of multiple resources: every Droplet carrying the tag picks up the firewall automatically.

7. Create the Firewall

Click Create Firewall. It takes effect immediately on the assigned resources at no extra cost. The firewall is stateful, so return traffic for connections your rules allow is permitted automatically.

8. Verify and Manage Firewall

Go to Networking > Firewalls in the sidebar. Click your firewall to view its UUID (e.g. bb4b2611-3d72-467b-8602-280330ecd65c), rules, and assigned resources. Edit rules via the Edit button.

9. CLI Setup: Install and Authenticate doctl

Generate a personal access token in the API section of the control panel first, then install and authenticate the CLI:

brew install doctl  # macOS/Linux (Homebrew)
doctl auth init     # paste the token when prompted

List existing firewalls with doctl compute firewall list; use the firewall's ID for later updates.

10. CLI: Create Firewall Example

Use doctl compute firewall create with its rule flags, or send the same request body to the API with curl (TOKEN holds your personal access token):

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"name":"firewall","inbound_rules":[...],"droplet_ids":[8043964]}' "https://api.digitalocean.com/v2/firewalls"
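The curl command above abbreviates the request body as "inbound_rules":[...]. The following added example (my own code, not DigitalOcean's or this guide's) builds the full body that POST /v2/firewalls accepts, with the rules from steps 3 to 6 (SSH only from an admin CIDR, HTTP/HTTPS from anywhere, all egress) and sends it with a bearer token. The Droplet ID, tag, and CIDR are constructed sample values from this guide; the DIGITALOCEAN_TOKEN environment variable name is my assumption.

```python
"""Create a DigitalOcean Cloud Firewall through the REST API.

Added example, not DigitalOcean's own code. It builds the JSON body that the
guide's curl command abbreviates as "inbound_rules":[...] and posts it to
POST /v2/firewalls. The Droplet ID, tag and CIDR values are constructed samples.
"""
import json
import os
import urllib.request

API_URL = "https://api.digitalocean.com/v2/firewalls"


def address_rule(protocol, ports, addresses, inbound=True):
    """One rule whose source (inbound) or destination (outbound) is an address list."""
    rule = {"protocol": protocol}
    if ports is not None:  # ICMP rules carry no port field
        rule["ports"] = ports
    rule["sources" if inbound else "destinations"] = {"addresses": list(addresses)}
    return rule


def build_payload(name, admin_cidrs, droplet_ids=(), tags=()):
    """Firewall body: SSH only from admin CIDRs, web from anywhere, all egress."""
    anywhere = ["0.0.0.0/0", "::/0"]  # both families, so IPv6 is not silently blocked
    inbound = [
        address_rule("tcp", "22", admin_cidrs),  # SSH restricted to admin ranges
        address_rule("tcp", "80", anywhere),
        address_rule("tcp", "443", anywhere),
    ]
    outbound = [
        address_rule("tcp", "all", anywhere, inbound=False),
        address_rule("udp", "all", anywhere, inbound=False),
        address_rule("icmp", None, anywhere, inbound=False),
    ]
    payload = {"name": name, "inbound_rules": inbound, "outbound_rules": outbound}
    if droplet_ids:
        payload["droplet_ids"] = list(droplet_ids)
    if tags:
        payload["tags"] = list(tags)
    return payload


def create_firewall(payload, token, opener=urllib.request.urlopen):
    """POST the body with a bearer token and return the parsed JSON response.

    `opener` is injectable so the call can be exercised without network access.
    """
    req = urllib.request.Request(
        API_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_payload("web-server-firewall", ["203.0.113.0/24"],
                         droplet_ids=[8043964], tags=["web"])
    print(json.dumps(body, indent=2))  # review the body before sending it
    token = os.environ.get("DIGITALOCEAN_TOKEN")  # assumed variable name
    if token:  # only contact the API when a token is supplied
        print(json.dumps(create_firewall(body, token), indent=2))
```

Run it without a token to print the body for review; with DIGITALOCEAN_TOKEN set it creates the firewall and prints the API response, which includes the new firewall's UUID used for later updates.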

Common Issues & Troubleshooting

Lockout: SSH connection timed out after applying firewall

Missing inbound TCP port 22 rule. Temporarily allow from 0.0.0.0/0, save via the control panel, reconnect, then restrict to your IP/CIDR.

CLI/API: Invalid JSON payload error

Check the syntax of the rules array, ports, and sources/destinations. Confirm the result with doctl compute firewall list and test incrementally.

Firewall not applying to resources

Verify that Droplet IDs, tags, or UIDs are correct. Use the control panel to reassign, or the CLI: doctl compute firewall update <ID> --droplet-ids <ID>.

IPv6 traffic blocked unexpectedly

Ensure rules include ::/0 in sources/destinations. DigitalOcean handles IPv6 natively; enable it on the Droplets if needed.

Rules not saving or firewall not activating

Check for conflicting rules or empty required fields. View status in Networking > Firewalls; recreate if the UUID is missing.
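Most of the problems listed above (SSH lockout, an invalid payload, IPv6 blocked by a rule that names only 0.0.0.0/0) can be caught before the firewall is applied. The following added example, my own code rather than part of this guide or of DigitalOcean's tooling, runs those pre-flight checks over a firewall body in the shape POST /v2/firewalls accepts; SAMPLE_BODY and the admin CIDR are constructed values.

```python
"""Pre-flight checks for a DigitalOcean Cloud Firewall body before it is sent.

Added example: not part of this guide and not DigitalOcean tooling. It walks a
firewall body in the shape POST /v2/firewalls accepts and reports the conditions
behind the troubleshooting entries: no inbound TCP 22 rule (SSH lockout), SSH
open to every source, 0.0.0.0/0 used without ::/0 (IPv6 blocked), and malformed
CIDRs or port specs (invalid payload). SAMPLE_BODY is constructed.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^(all|\d{1,5}(-\d{1,5})?)$")

# Constructed sample: SSH only from an admin range, web open, all egress allowed.
SAMPLE_BODY = {
    "name": "web-server-firewall",
    "inbound_rules": [
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["203.0.113.0/24"]}},
        {"protocol": "tcp", "ports": "80", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "outbound_rules": [
        {"protocol": "tcp", "ports": "all", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "udp", "ports": "all", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "icmp", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "droplet_ids": [8043964],
}


def port_spec_ok(spec):
    """'all', a single port, or a low-high range, all within 1-65535."""
    if spec == "all":
        return True
    if not isinstance(spec, str) or not PORT_RE.match(spec):
        return False
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return 1 <= lo <= hi <= 65535


def covers_port(spec, port):
    """True when an already validated port spec includes `port`."""
    if spec == "all":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def contains(parent, child):
    """True when network `child` lies inside `parent` (same IP version, both valid)."""
    try:
        p = ipaddress.ip_network(parent, strict=False)
        c = ipaddress.ip_network(child, strict=False)
    except ValueError:
        return False
    return p.version == c.version and c.subnet_of(p)


def check_firewall(body, admin_cidrs=()):
    """Return problem strings for `body`; an empty list means it passed every check."""
    problems = []
    ssh_sources = []
    for direction, key in (("inbound_rules", "sources"), ("outbound_rules", "destinations")):
        for i, rule in enumerate(body.get(direction, [])):
            where = f"{direction}[{i}]"
            ports = rule.get("ports", "0")  # ICMP rules carry no ports
            ports_valid = rule.get("protocol") == "icmp" or port_spec_ok(ports)
            if not ports_valid:
                problems.append(f"{where}: invalid port spec {ports!r}")
            addrs = rule.get(key, {}).get("addresses", [])
            for a in addrs:
                try:
                    ipaddress.ip_network(a, strict=False)
                except ValueError:
                    problems.append(f"{where}: invalid CIDR {a!r}")
            if "0.0.0.0/0" in addrs and "::/0" not in addrs:
                problems.append(f"{where}: 0.0.0.0/0 without ::/0, IPv6 traffic will be blocked")
            if (direction == "inbound_rules" and rule.get("protocol") == "tcp"
                    and ports_valid and covers_port(ports, 22)):
                ssh_sources.extend(addrs)
    if not ssh_sources:
        problems.append("no inbound TCP 22 rule: applying this firewall will lock you out of SSH")
    elif "0.0.0.0/0" in ssh_sources or "::/0" in ssh_sources:
        problems.append("SSH (22) is open to all sources; restrict it to your admin CIDR")
    for cidr in admin_cidrs:
        if not any(contains(src, cidr) for src in ssh_sources):
            problems.append(f"admin range {cidr} is not allowed on TCP 22")
    return problems


if __name__ == "__main__":
    for p in check_firewall(SAMPLE_BODY, ["203.0.113.0/24"]) or ["no problems found"]:
        print(p)
```

Pass the CIDR you administer from as admin_cidrs so the check also confirms that your own range is still inside an SSH source after you tighten the rule; a body that lists 0.0.0.0/0 on port 22 passes the lockout check but is reported as too permissive.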
