I have set up a Droplet Firewall and all is well (working). In the SSH incoming rule I added my external addresses and the Droplet Console address. I had a look at netstat and figured out what the Droplet console IP address is. But that might not be necessary, or it might not be a single address and the rule could be fragile.
Other clouds hide the fabric firewall rules that allow stuff like the Droplet Console - so what does DigitalOcean do, and do I need that Droplet Console address in my Firewall ssh rule?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Featured on Community
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Heya,
The Recovery Console provides out-of-band access and is available regardless of your network settings. It emulates the access you would have if you were sitting down with a keyboard and monitor attached to the actual server. You can use this feature to log in and revert bad settings to regain normal access.
The DigitalOcean Droplet console does not have a specific IP address that you could whitelist in your firewall. It’s not dependent on IP-based rules as it operates at the hypervisor level and bypasses your Droplet’s network stack, including firewall rules. In other words, console access is considered out-of-band access with a separate, dedicated route to your Droplet.
Given this, it’s not necessary to add the Droplet Console address in your Firewall SSH rule. Your firewall should typically be configured to allow SSH (port 22) access from trusted IPs to secure your Droplet further.
Hope that this helps!
Hey @keithmcalister,
Indeed, you are correct, the Console might not have a static IP address. Your cloud firewall and any host firewalls must accept SSH traffic on the port that
sshduses.Alternatively, you could just use an SSH client instead of the web based console.
If you need to recover network access to your Droplet, use the Recovery Console instead.
If you still would like to see a static IP being associated with the web console, the best thing to do to get your voice heard regarding this would be to head over to our Product Ideas board and post a new idea, including as much information as possible for what you’d like to see implemented.
Hope that helps!
- Bobby.