Visit site

Create a DigitalOcean Firewall that only accepts inbound connections from Cloudflare

Terraform Module for DigitalOcean Firewall + Cloudflare

This module allows you to create a DigitalOcean Firewall that only accepts inbound connections from Cloudflare’s published list of IP addresses.

Why would I use this?

Cloudflare provides DDOS protection for domains using its DNS. If an attacker knows the IP address of your origin server, this can easily be circumvented. Using the approach in this module prevents incoming connections to the server from all non-Cloudflare IPs.

This could be done at the server level using iptables or other firewall software. Though a missconfigured firewall could prevent you from accessing your server. Using a DigitalOcean Firewall, you can open or close additional ports as needed.

This can also be achieved at the web server level using the DenyAllButCloudFlare rule from Cloudflare’s Mod_Cloudflare Apache extension or similar tools for Nginx. Though this still uses bandwidth and system resources on the origin server. Using a DigitalOcean Firewall means the un-wanted traffic will be blocked before it ever reaches you.

Cloudflare IP addresses may also change. Tracking those changes and applying them by hand in the DigitalOcean control panel can be tedious. Using this module, re-running terraform apply will pick up those changes and reconfigure your Firewall.

Module input variables

  • name - The name of the firewall to be created.
  • droplet_ids - A list of the IDs of the Droplets assigned to the Firewall.
  • tags - A list of tag names assigned to the Firewall.


This example creates a Firewall and a tag named allow_inbound_cloudflare. Any Droplet with this tag applied to it will only allow inbound connections to ports 80 and 443 from Cloudflare IPs.

module "firewall_inbound_cloudflare" {
  source = "andrewsomething/firewall-cloudflare/digitalocean"

  name   = "inbound-cloudflare"
  tags   = ["allow_inbound_cloudflare"]

resource "digitalocean_tag" "allow_inbound_cloudflare" {
  name = "allow_inbound_cloudflare"

Note: DigitalOcean Firewalls are composable. Creating separate Firewalls for separate concerns is considered a best practice. When using the above example, additional Firewalls should be applied to the Droplets in order to allow for things like inbound SSH access and outbound DNS lookups.


MIT licensed. See LICENSE for full details.

Was this helpful?
Leave a comment

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Publish your Tool on Community

Have you created an Integration, API Wrapper, Service, or other Tool that helps developers build on DigitalOcean? Help users find it by listing it in Community Tools.

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel