Can't connect to a managed database unless all TCP ports are enabled in DO Firewall

Posted December 19, 2020

DigitalOcean Cloud Firewalls, DigitalOcean Managed MySQL Database


As the title suggests, I can only connect to my managed database if I enable all Outbound TCP Ports in DO Firewall.

I have tried to only allow port 25060 with no success.

Both the droplet and the managed database are in the same region (NYC3).

The error I’m getting if I remove all TCP ports from the firewall: “Unknown MySQL server host”

Any suggestions?

2 answers

Hi there @SmallLapisSquid,

I believe that you need to allow the connections for port 25060 for outbound connections as well as inbound.

Let me know how it goes.

  • Hi @bobbyiliev.

    As stated in my question: “I have tried to only allow port 25060 with no success.”

    Also, I have discovered that my Woo instance won’t connect to my managed database either unless I open all TCP and UDP outbound ports.

    DO support replied to my ticket saying all outbound ports should be open in order for the droplet to be able to connect to the managed database instance.

    I find it interesting that there’s no certain port that should be opened, and instead we’re forced to open all outbound ports.

    Please let me know if you have other information.


Cloud Firewall is a basic, easy-to-configure firewall with a user-friendly interface. However, the information on setting it up that you can find in the control panel might be confusing. So, let me explain how I see Cloud Firewall rules, because it is very likely that they work this way.

Inbound rules

If you had a MySQL server installed on your droplet, you would set up the following inbound rule:

Type     Protocol   Port Range   Sources
Custom   TCP        3306         111.222.333.444

It means that a client from IP 111.222.333.444 can connect to the service (MySQL) that is listening on TCP port 3306. So, we could say the specified source IP is allowed to connect to the specified destination port.

Outbound rules

It is a different situation now. A MySQL server is installed somewhere on the internet, on a VM with IP 111.222.333.444. Its service is listening on TCP port 3306. You want to connect to it from your droplet. You set up the following outbound rule:

Type     Protocol   Port Range   Destinations
Custom   TCP        3306         111.222.333.444

Corresponding to the inbound rule, it means that your droplet is allowed to make a connection from the specified source port to the specified destination IP. Yes, I am pretty sure you specify a source port in an outbound rule, not a destination one. That is why your connection could not be established. I could not find any info on the MySQL client’s source TCP port(s). I believe there are some ephemeral ports assigned to the connection session. They are probably from the range 1024-65535 (you can check it out with tshark or tcpdump). So, your outbound rule should look like this:

Type     Protocol   Port Range   Destinations
Custom   TCP        1024-65535   111.222.333.444

P.S. There is just one proof of my thoughts in DO’s docs, the following note:

“You can only define firewall rules to restrict traffic to and from ports based on connection types, sources, and destinations.”
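A small diagnostic for the symptom in the question, added here and not part of any answer above. The mysql client prints “Unknown MySQL server host” when it cannot resolve the hostname at all, so the script separates name resolution from a TCP connect to port 25060 and also shows the ephemeral source-port range the second answer talks about. The hostname is a placeholder (replace it with your cluster’s hostname from the control panel); it needs `getent` and `nc`, and the range lookup is Linux-only.

```shell
#!/bin/sh
# Added diagnostic for this thread; not code from the thread or from DigitalOcean.
# Placeholder hostname: replace with the connection host shown for your cluster.
DB_HOST="${DB_HOST:-db-mysql-nyc3-PLACEHOLDER.db.ondigitalocean.com}"
DB_PORT="${DB_PORT:-25060}"

# Step 1: name resolution only. A failure here is what the mysql client reports
# as "Unknown MySQL server host", which implicates outbound DNS (port 53).
resolve_host() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Step 2: can a TCP connection be opened to host:port within 5 seconds?
tcp_reachable() {
  nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Ephemeral source-port range the kernel assigns to outgoing connections
# (Linux only); prints "unknown" elsewhere.
ephemeral_range() {
  tr '\t' '-' < /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo unknown
}

# Map the two checks to the outbound rule that is missing.
#   $1: resolved IP (empty if DNS failed)   $2: 0 if TCP connect succeeded, else 1
classify() {
  if [ -z "$1" ]; then
    echo "dns-blocked: allow outbound UDP and TCP 53 (DNS) before anything else"
  elif [ "$2" -ne 0 ]; then
    echo "port-blocked: DNS works; allow outbound TCP $DB_PORT to $1"
  else
    echo "ok: name resolves to $1 and TCP $DB_PORT is reachable"
  fi
}

main() {
  ip="$(resolve_host "$DB_HOST")"
  rc=1
  if [ -n "$ip" ]; then
    if tcp_reachable "$ip" "$DB_PORT"; then rc=0; fi
  fi
  echo "ephemeral source ports: $(ephemeral_range)"
  classify "$ip" "$rc"
}

# Only run the checks when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the droplet as `sh diag.sh --run` with the firewall rule set you are testing; the last line tells you which rule to add next.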