Question

Digital Ocean Load Balancer Firewall

My question is the same as https://www.digitalocean.com/community/questions/digital-ocean-load-balancer-firewall-how-to-apply.

I have tried adding --allowlist cidr https://www.cloudflare.com/ips/ in the Load Balancer firewall but my app is not running, there should be something that cannot be accessed.

I suspect I haven’t added the internal IP droplet but when I added CIDR 10.xxx.0.0/16’ the error Firewall rule containing CIDR '10.xxx.0.0/16' is invalid"appears. I added --alowlist internal ip DO also doesn’t work. Please help me. thank you


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev
Site Moderator
Site Moderator badge
December 21, 2023

Hey,

Cloud Firewalls in DigitalOcean are designed to manage external access to your droplets and typically don’t support CIDR ranges that are reserved for private networks, like 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. This could explain why you’re encountering the error message “firewall rule containing cidr ‘10.130.0.0/16’ is invalid”.

DigitalOcean’s Cloud Firewalls are stateful and network-based, and they block all traffic not expressly permitted by a rule. Unfortunately, they may not be the right tool for managing internal traffic between droplets or services within a private network. For internal traffic management, you might need to use a different approach, such as configuring iptables or ufw directly on your Droplets.

Regarding the allowlisting of Cloudflare IPs, if your application is not working properly after this configuration, there could be various reasons. It might be due to other firewall rules that are conflicting or due to issues unrelated to the firewall settings, such as application configuration or network issues.

Did you try allowing all of the IPn ranges from that Cloudflare page?

If you need to manage access between your Droplets internally, consider setting up firewall rules directly on the droplets themselves using iptables or ufw. This approach allows for more granular control over internal traffic.

Best,

Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel