Digital Ocean Firewalls are awesome for MongoDB. Why do I need ufw?

I have my appServers tagged as apps and my database server(s) tagged as db.

Using purely DigitalOcean’s firewalls, create 2 rules:

tag:db rules


  • SSH from anywhere
  • connections only from tag:apps on port 27017.


  • Anything goes

tag:apps rules


  • SSH from anywhere
  • 80/443 from anywhere


  • Anything goes

This seems to make a lot of sense and I feel like I:

  • Don’t need to set up ufw on any servers, because that’s already taken care of
  • Don’t need to restrict incoming connections by IP with MongoDB config. I can just bind to and accept from “anywhere” since DO-firewall already does that filtering.
  • Don’t need to enable auth in MongoDB (would only need to do this if SQL injection was a legitimate fear)

Could anyone help me understand why I should security-wise?


That looks good to me! As long as you have your DO Firewalls configured properly (sounds like you do!), you won’t need to set up UFW or IPTables on your Droplet.

I agree with the first two points but not so much the third. I recommend setting up auth in MongoDB either way. This will keep your data safe in case something goes wrong and your databases become publicly accessible for some reason. Better be safe than sorry!
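
The point made in the last answer, as an added example (not part of the original thread and not DigitalOcean or MongoDB tooling): a small Python check that reads a `mongod.conf` and reports when the cloud firewall is the only layer protecting the database. The two sample configs and the address `10.0.0.5` are constructed, and the parser handles only the simple nested `key: value` subset of YAML that `mongod.conf` normally uses.

```python
# Added example: audit mongod.conf for the bind address and auth settings
# discussed in the thread. Sample configs below are constructed.

def parse_conf(text):
    """Flatten simple nested YAML into {'net.bindIp': '0.0.0.0', ...}."""
    flat, stack = {}, []                 # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # leave closed sections
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(text):
    """Return findings; an empty list means both host-level layers are on."""
    conf = parse_conf(text)
    # mongod defaults: bind to localhost only, authorization disabled.
    binds = {ip.strip() for ip in conf.get("net.bindIp", "127.0.0.1").split(",")}
    wide = (conf.get("net.bindIpAll", "false").lower() == "true"
            or bool(binds & {"0.0.0.0", "::"}))
    auth = conf.get("security.authorization", "disabled").lower() == "enabled"
    findings = []
    if wide:
        findings.append("bind-all: mongod listens on every interface")
    if not auth:
        findings.append("no-auth: any client that reaches 27017 has full access")
    if wide and not auth:
        findings.append("single-layer: only the cloud firewall protects the data")
    return findings

# Constructed: the setup proposed in the question (bind anywhere, no auth).
PLANNED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
# Constructed: loopback plus a private address, with auth enabled.
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5  # private IP\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("planned", PLANNED), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```

The `single-layer` finding is the case the answer warns about: if the firewall is ever detached from the Droplet or the tag is misapplied, nothing else stands between the network and the data.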