Question

Digital Ocean Load Balancer Firewall

My question is the same as https://www.digitalocean.com/community/questions/digital-ocean-load-balancer-firewall-how-to-apply.

I have tried adding --allowlist cidr https://www.cloudflare.com/ips/ in the Load Balancer firewall but my app is not running, there should be something that cannot be accessed.

I suspect I haven’t added the internal IP droplet but when I added CIDR 10.xxx.0.0/16’ the error Firewall rule containing CIDR '10.xxx.0.0/16' is invalid"appears. I added --alowlist internal ip DO also doesn’t work. Please help me. thank you


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev
Site Moderator
Site Moderator badge
December 21, 2023

Hey,

Cloud Firewalls in DigitalOcean are designed to manage external access to your droplets and typically don’t support CIDR ranges that are reserved for private networks, like 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. This could explain why you’re encountering the error message “firewall rule containing cidr ‘10.130.0.0/16’ is invalid”.

DigitalOcean’s Cloud Firewalls are stateful and network-based, and they block all traffic not expressly permitted by a rule. Unfortunately, they may not be the right tool for managing internal traffic between droplets or services within a private network. For internal traffic management, you might need to use a different approach, such as configuring iptables or ufw directly on your Droplets.

Regarding the allowlisting of Cloudflare IPs, if your application is not working properly after this configuration, there could be various reasons. It might be due to other firewall rules that are conflicting or due to issues unrelated to the firewall settings, such as application configuration or network issues.

Did you try allowing all of the IPn ranges from that Cloudflare page?

If you need to manage access between your Droplets internally, consider setting up firewall rules directly on the droplets themselves using iptables or ufw. This approach allows for more granular control over internal traffic.

Best,

Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.