Hi.
As the title suggests, I can only connect to my managed database if I enable all Outbound TCP Ports in DO Firewall.
I have tried to only allow port 25060 with no success.
Both the droplet and the managed database are in the same region (NYC3).
The error I’m getting if I remove all TCP ports from the firewall: Unknown MySQL server host
Any suggestions?
Hi there @SmallLapisSquid,
I believe that you need to allow the connections for port 25060 for outbound connections as well as inbound.
Let me know how it goes. Regards, Bobby
Hi,
Cloud Firewall is a basic, easy to configure firewall with a user-friendly interface. However, the information on setting it up that you can find in control panel might be confusing. So, let me explain how I can see Cloud Firewall rules because it is very likely that they work in this way.
If you had MySQL server installed on your droplet, you would set up the following inbound rule:
| Type | Protocol | Port Range | Sources |
|---|---|---|---|
| Custom | TCP | 3306 | 111.222.333.444 |
It means that client from IP 111.222.333.444 can connect to the service (MySQL) that is listening on port TCP 3306. So, we could say specified source IP is allowed to connect to specified destination port.
It is a different situation now. MySQL server is installed somewhere on the internet, on a VM with IP 111.222.333.444. Its service is listening on port TCP 3306. You want to connect to it from your droplet. You set up the following outbound rule:
| Type | Protocol | Port Range | Destinations |
|---|---|---|---|
| Custom | TCP | 3306 | 111.222.333.444 |
Correspondingly to the Inbound rule, it means that your droplet is allowed to make a connection from the specified source port to the specified destination IP. Yes, I am pretty sure you specify a source port in an outbound rule, not a destination one. That is why your connection could not be established. I could not find any info on the MySQL client’s source TCP port(s). I believe there are some ephemeral ports assigned to the connection session. They are probably from the range 1024-65535 (you can check it out with tshark or tcpdump). So, your outbound rule should look like this:
| Type | Protocol | Port Range | Destinations |
|---|---|---|---|
| Custom | TCP | 1024-65535 | 111.222.333.444 |
P.S. There is just one proof of my thoughts in DO’s doc. The following note:
Note
You can only define firewall rules to restrict traffic to and from ports
based on connection types, sources, and destinations.
(...)
Hi, recently I had a similar problem; to resolve it, I had to add the rule for UDP too.
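The error quoted in the question, "Unknown MySQL server host", is raised by the MySQL client when the database hostname cannot be resolved, which is a different failure from the TCP connection to port 25060 being dropped. The script below is an added triage example, not code from the thread or from DigitalOcean: it tests name resolution and the TCP handshake separately, so you can tell whether the missing outbound rule is the one for DNS (UDP/53, which matches the UDP remark above) or the one for TCP/25060 to the database address. The hostname in `DB_HOST` is a placeholder; replace it with the host shown in your managed database's connection details.

```python
"""Connectivity triage for a managed database behind a restrictive Cloud Firewall.

Two independent checks, run from the droplet:
  1. resolve_host()  - does the database hostname resolve? (needs outbound DNS, normally UDP/53)
  2. tcp_reachable() - does a TCP handshake to the database port complete? (needs outbound TCP/25060)
A firewall that silently drops the SYN shows up as a timeout; a closed port shows up as
"connection refused". Either way tcp_reachable() returns False.
"""
import socket

DB_HOST = "db-mysql-nyc3-PLACEHOLDER.ondigitalocean.com"  # placeholder, not a real host
DB_PORT = 25060       # DigitalOcean managed MySQL port quoted in the question
TIMEOUT = 5.0         # seconds per TCP attempt

# Remediation hints keyed by verdict (assumed rule shapes, matching the Cloud Firewall UI columns).
HINTS = {
    "dns-blocked": "hostname did not resolve: allow outbound UDP/53 (DNS) to your resolvers",
    "tcp-blocked": "hostname resolved but TCP handshake failed: allow outbound TCP/%d to the "
                   "database's resolved address(es)" % DB_PORT,
    "ok": "DNS and TCP both work; look at MySQL authentication / TLS settings instead",
}


def resolve_host(host):
    """Return the sorted list of IP addresses `host` resolves to, or [] on failure.

    Numeric IP literals resolve to themselves without a DNS lookup, which makes this
    function safe to call for direct-IP connections as well.
    """
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port, timeout=TIMEOUT):
    """True if a TCP connection to (ip, port) is established within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:           # ECONNREFUSED, timeout, network unreachable, ...
        return False


def diagnose(dns_ok, tcp_ok):
    """Map the two check results onto a single verdict string."""
    if not dns_ok:
        return "dns-blocked"
    if not tcp_ok:
        return "tcp-blocked"
    return "ok"


def probe(host, port, timeout=TIMEOUT):
    """Run both checks and return a summary dict with the verdict and a remediation hint."""
    ips = resolve_host(host)
    dns_ok = bool(ips)
    # Try every resolved address; one reachable address is enough for the client to connect.
    tcp_ok = dns_ok and any(tcp_reachable(ip, port, timeout) for ip in ips)
    verdict = diagnose(dns_ok, tcp_ok)
    return {"ips": ips, "dns_ok": dns_ok, "tcp_ok": tcp_ok,
            "verdict": verdict, "hint": HINTS[verdict]}


if __name__ == "__main__":
    result = probe(DB_HOST, DB_PORT)
    print("resolved addresses:", result["ips"] or "none")
    print("verdict:", result["verdict"])
    print("hint:", result["hint"])
```

Run it once with the firewall in the failing state and once after adding a rule; if the verdict moves from `dns-blocked` to `tcp-blocked`, the DNS rule was the missing piece and the TCP/25060 rule is next. Restricting the TCP rule to the resolved addresses rather than all destinations keeps the outbound policy as tight as the page's original intent.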