Digital Ocean Firewalls are awesome for MongoDB. Why do I need ufw?

I have my appServers tagged as apps and my database server(s) tagged as db.

Using purely DigitalOcean’s firewalls, create 2 rules:

tag:db rules


  • SSH from anywhere
  • connections only from tag:apps on port 27017.


  • Anything goes

tag:apps rules


  • SSH from anywhere
  • 80/443 from anywhere


  • Anything goes

This seems to make a lot of sense and I feel like I:

  • Don’t need to set up ufw on any servers, because that’s already taken care of
  • Don’t need to restrict incoming connections by IP with MongoDB config. I can just bind to and accept from “anywhere” since DO-firewall already does that filtering.
  • Don’t need to enable auth in MongoDB (would only need to do this if SQL injection was a legitimate fear)

Could anyone help me understand why I should security-wise?



That looks good to me! As long as you have your DO Firewalls configured properly (sounds like you do!), you won’t need to set up UFW or IPTables on your Droplet.

I agree with the first two points but not so much the third. I recommend setting up auth in MongoDB either way. This will keep your data safe in case something goes wrong and your databases become publicly accessible for some reason. Better be safe than sorry!
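
The bind and auth settings discussed in this thread, shown as a mongod.conf fragment. This is an added example, not part of the original question or answers; the address 10.0.0.5 is a constructed placeholder for the database Droplet's private interface.

```yaml
# mongod.conf (YAML). Added example; 10.0.0.5 is a constructed placeholder
# for the database Droplet's private address.

# --- Setup described in the question: relies on the cloud firewall only ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0          # listen on every interface, public one included
# (no security section: access control is off, so any client that reaches
#  port 27017 can read and write every database)

# --- Same deployment with the database's own controls turned on ---
net:
  port: 27017
  # Listen on loopback and the private interface only, so a removed firewall
  # rule or a misapplied tag does not put mongod on the public address.
  bindIp: 127.0.0.1,10.0.0.5

security:
  # Require clients to authenticate; roles then limit what each user can do.
  authorization: enabled
```

Create the first administrative user before restarting with `authorization: enabled`, and give the app servers their own user with only the roles they need.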