Question

Droplet Firewall

I have set up a Droplet Firewall and all is well (working). In the SSH incoming rule I added my external addresses and the Droplet Console address. I had a look at netstat and figured out what the Droplet console IP address is. But that might not be necessary, or it might not be a single address and the rule could be fragile.

Other clouds hide the fabric firewall rules that allow stuff like the Droplet Console - so what does DigitalOcean do, and do I need that Droplet Console address in my Firewall ssh rule?


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

alexdo
Site Moderator
Site Moderator badge
July 10, 2023

Heya,

The Recovery Console provides out-of-band access and is available regardless of your network settings. It emulates the access you would have if you were sitting down with a keyboard and monitor attached to the actual server. You can use this feature to log in and revert bad settings to regain normal access.

The DigitalOcean Droplet console does not have a specific IP address that you could whitelist in your firewall. It’s not dependent on IP-based rules as it operates at the hypervisor level and bypasses your Droplet’s network stack, including firewall rules. In other words, console access is considered out-of-band access with a separate, dedicated route to your Droplet.

Given this, it’s not necessary to add the Droplet Console address in your Firewall SSH rule. Your firewall should typically be configured to allow SSH (port 22) access from trusted IPs to secure your Droplet further.

Hope that this helps!

Bobby Iliev
Site Moderator
Site Moderator badge
July 4, 2023

Hey @keithmcalister,

Indeed, you are correct, the Console might not have a static IP address. Your cloud firewall and any host firewalls must accept SSH traffic on the port that sshd uses.

Alternatively, you could just use an SSH client instead of the web based console.

If you need to recover network access to your Droplet, use the Recovery Console instead.

If you still would like to see a static IP being associated with the web console, the best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.

https://ideas.digitalocean.com/

Hope that helps!

- Bobby.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel