
How To Create Your First DigitalOcean Cloud Firewall

Posted June 6, 2017. Topics: Firewall, DigitalOcean, Security, Ubuntu, Ubuntu 16.04

Introduction

Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. Firewalls can be host-based, which are configured on a per-server basis using services like IPTables or UFW. Others are network-based, designed to stop traffic before it ever reaches the individual machine. DigitalOcean Cloud Firewalls, available in all regions at no charge, provide a network-based, stateful firewall service for your DigitalOcean Droplets. They block all traffic that isn't expressly permitted by a rule. They're designed to be easy to configure, quick to apply, and automation-friendly.

In this tutorial, we will use the DigitalOcean Control Panel to create a basic Cloud Firewall to block all incoming connections except port 22 for SSH and port 80 for HTTP. Then we'll expand the example infrastructure to include a Load Balancer and demonstrate how to limit incoming traffic by its originating source. For a complete overview of Cloud Firewall features, see the Introduction to DigitalOcean Cloud Firewall guide.

Step 1 — Creating Droplets

To begin, we'll create two Droplets and use a cloud-config script in the "User data" field to install Nginx and give each one a unique home page.

In the DigitalOcean console, click "Create Droplet." We're creating ours with the following attributes:

  • Image: Ubuntu 16.04 (Default)
  • Size: 512 MB
  • Region: San Francisco 1
  • Additional options: [x] User data.
User data
#cloud-config
packages:
 - nginx
runcmd:
 - export HOSTNAME=$(cat /etc/hostname)
 - echo "<h1>$HOSTNAME</h1>" > /var/www/html/index.html
  • Droplets: 2
  • Hostname: web-01 and web-02

Note: You can see an image of the creation form with all the recommended settings selected here. Your Create Droplet screen will look different in the SSH keys area, especially if you've never uploaded keys before. You can learn more about using SSH keys to avoid mailing passwords when you create Droplets in the How To Use SSH Keys with DigitalOcean Droplets guide, and it won't affect the outcome of this tutorial.

Once we complete the form, we'll click "Create." Then, when the Droplets are ready, we'll visit each one in a web browser to verify that Nginx is running. Note that there is a slight delay between the Droplet IP address being listed in the Control Panel and Nginx getting installed and configured.

Each server should display its hostname:

Screenshot of web-01 index page

Screenshot of web-01 index page

Now that we're serving web pages on each of our Droplets, we'll turn our attention to the Firewall.

Step 2 — Creating a Firewall

The Droplets are completely open when they're created, allowing all inbound and outbound connections. The Cloud Firewall reverses this, denying all inbound and outbound connections not explicitly permitted by a rule.

Note: To create a Cloud Firewall, at least one rule must be defined.

In order for the server to be accessible and work as expected, when you create a Cloud Firewall using the Control Panel, it suggests four rules which will:

  • Allow inbound SSH connections on port 22
  • Allow all outbound connections

We'll take a moment to explore these defaults and verify they block Nginx as expected. Then we'll add a rule to allow users to access the servers with a web browser.

Using the Default Rules

From the DigitalOcean control panel, we'll navigate to Networking > Firewalls and click "Create Firewall":

Screenshot of Networking > Firewalls when no firewalls exist

We’ll enter "First-Firewall" in the “Name” field, add web-01 and web-02 in “Apply to Droplets”, and then click "Create Firewall:"
Screenshot of Create Firewalls form

This will take us back to the Firewalls overview page, which provides summary information, including how many Droplets are associated with the firewall, how many rules it has, and when it was created.

Screenshot of Networking > Firewalls with First-Firewall displayed

If we click its name, First-Firewall, and then click "Droplets" we can see which specific Droplets are affected by the Firewall. From here, we can also add and remove them:

Screenshot of First-Firewall Droplets tag

Now that we've configured the Firewall and applied its rules, we'll visit the servers in another browser window. The browser will try to load the page, but this time our Firewall will block access and eventually, instead of a web page displaying the host name, we'll receive a message like the one below. Note that the actual content of the message will vary depending on the browser and operating system:

Screenshot of browser timeout page

This verifies the Firewall blocked incoming HTTP connections.

We’ll also verify that we can connect to the server by opening a terminal and connecting with SSH. Be sure to substitute the username and IP address for your servers.

    ssh root@203.0.113.1

We should connect without a problem because it is explicitly allowed by the default inbound rule.

Allowing Incoming HTTP Connections

To allow incoming HTTP connections, we'll return to the control panel and navigate to the First Firewall's Rules page (Networking > Firewalls > First-Firewall). In the Inbound Rules section, we'll open the "New rule" dropdown, select "HTTP", and click "Save".
Screenshot of Inbound Rules with HTTP added

This automatically configures an HTTP rule that allows incoming TCP connections on port 80, the default HTTP port.

When we visit our server in a web browser, we'll see the default Nginx page again:

Screenshot of web-01 index page

Screenshot of web-01 index page

In this section we've created and applied a Cloud Firewall that allows incoming TCP connections from anywhere to port 22 for SSH and on port 80 for HTTP. We've made no changes to the Outbound Rules which permit all connections initiated from the Droplet on all ports to all destinations.

In the next section, we'll add a DigitalOcean Load Balancer to our two Droplets to illustrate how we can further protect our infrastructure by limiting incoming traffic to a specific source.

Step 3 — Adding a DigitalOcean Load Balancer

Load Balancers help spread traffic across multiple servers, making sure that if one server goes down, others are still available. We're going to create a DigitalOcean Load Balancer and put it in front of our two web servers. Then, we'll lock down access to the web servers by editing our Firewall's HTTP rule so that it will only allow incoming connections from the Load Balancer.

Note: Load Balancers require all Droplets to be located in a single data center, and Droplets are either added individually by name or by the addition of a single tag. Droplets with that tag in other data centers will be ignored by the Load Balancer.

Creating the Load Balancer

To create the Load Balancer, we'll navigate to Networking, then Load Balancers, where we'll click "Create Load Balancer". On that screen, we'll name it "First-Firewall-LB" and add our two Droplets. This will auto-select the data center where the Droplets are located. We'll accept the default Forwarding rule that directs incoming HTTP connections on port 80 to the backend Droplets over port 80 and leave the Advanced settings as-is, then click the button to create it.


Once the Load Balancer has been created, we can visit its IP address in a web browser and see the first server's content.

Screenshot of web-01 with load balancer IP displayed in location bar

When we reload the page, we'll see the second server's content:
Screenshot of web-02 with load balancer IP displayed in location bar

However, visitors could circumvent the load balancing by visiting the servers directly at their address. Not only does that mean that we could lose the advantage of distributing traffic, it also means that port 80 is open to any TCP connections, providing a possible entry point for intruders.

To prevent this, we'll edit our Firewall rule so that only connections from the Load Balancer are permitted, ensuring the Load Balancer is between our servers and the Internet in general.

Note: DigitalOcean Load Balancers are automatically firewalled. Incoming connections are only allowed for the protocols and ports we configure, and outbound connections are only permitted to Droplets we've added on the ports we configure.

Restrict Incoming Connections to the Load Balancer

We'll navigate back to our First-Firewall (Networking > Firewalls > First-Firewall) to restrict the incoming connections to our web servers to the Load Balancer. Under the port 80 rule’s "More" link, we'll select "Edit Rule."

Screenshot of Edit Rule on More dropdown

In the "Sources" field, we'll delete the existing values and add First-Firewall-LB so that the Load Balancer is the only source listed:

Screenshot of Inbound Rule with First-Firewall-LB selected

Then, we'll click Save and test our work. We should still be able to reach both servers by visiting the Load Balancer IP address, then reloading the page:

Screenshot of web-01 with load balancer IP displayed in location bar
Screenshot of web-02 with load balancer IP displayed in location bar

However, now when we visit each web server by its address, the connection should time out:

Screenshot of web-01 with browser time out page

The Load Balancer makes our infrastructure more highly available by distributing the load. It also lets us scale up or scale down resources. In our next and final step, we'll demonstrate how to use a tag to make scaling easier.

Step 4 — Using Tags

So far, we've added individual Droplets to the Firewall and the Load Balancer. In this section, we'll explore how to use a tag to manage the relationships between Droplets, the Load Balancer, and the Firewall. Because we can tag Droplets when they're created, we'll be able to use our Firewall and Load Balancer at the beginning of a Droplet's existence.

Tagging the Droplets

First, we'll add tags to our two web servers. To do so, we'll navigate to the main Droplets page. For web-01 we'll open the "More" menu and select "Add tags."

Screenshot of Droplet More menu with Add tags highlighted

Then, we'll type First-Firewall in the “Edit Tags” field that opens. Since it's a new tag, we'll need to type the whole thing and won't receive any suggestions:

Screenshot of Edit Tags box

When we click "Save Tags", the tag will be created and applied. We'll repeat this step for web-02. Now that the tag exists, when we type the part of its name, it will appear on a menu which also displays the number of Droplets currently tagged:

Screenshot of Add Tags box

We'll select "First-Firewall" from the list, then click "Save Tags".

Screenshot of tagged Droplets

Now that both of our Droplets are tagged, we'll adjust the Load Balancer and Firewall to use the new tag instead of the individual Droplet names.

Editing the Load Balancer

We'll return to Networking > Load Balancers and click "First-Firewall-LB." Load Balancers require that any associated Droplets are removed before switching to tags, so we're going to remove the Droplets now. This will cause a slight interruption of service between the removal of the Droplets and the addition of the tag, so we'd typically want to create the tag, add it to the Load Balancer when we create it, and then add the Droplets.

Screenshot of First-Firewall-LB with Remove highlighted

When both of the Droplets have been removed, we'll click "Add Droplets" and add the First-Firewall tag for Droplet selection:

Screenshot of Add Droplets with First-Firewall tag highlighted

Now, any Droplet tagged with "First-Firewall" will automatically be behind the Load Balancer.

Adding a Tag to the Firewall

While Load Balancers require all Droplets to be located in a single data center and added with a single tag, Firewall rules can apply to Droplets across both data centers and regions. This allows us to add the tag first, then remove the individual Droplets, avoiding any interruption in the Firewall rules.

Note: When you've completed this tutorial, you can learn more about strategically using tags in the guide, How to Organize DigitalOcean Cloud Firewalls.

We'll return to our First-Firewall (Networking > Firewalls > First-Firewall), then select the “Droplets” tab and click "Add Droplets."

Screenshot First-Firewall with Add Droplets highlighted

We'll start typing the tag name, then select it from the list:

Screenshot of First-Firewall-LB with Remove highlighted

When we click "Add Droplets," we'll be returned to the overview screen and can see that the Droplets are present twice: once because we added them by name, and again because they are members of the First-Firewall tag.

Screenshot of First-Firewall Droplets tab with both Droplets and Tagged Droplets displayed

Now that we've added the tag, we'll remove the name-based Droplet entries by clicking each one's "More" link, then "Remove." The final screen should show the Tag we added and the Droplets with that tag:

Screenshot of First-Firewall Droplets tab with only tagged Droplets listed

Now, any Droplet tagged with "First-Firewall" will automatically be inaccessible except for:

  • HTTP requests from the Load Balancer.
  • SSH connections from anywhere.

We'll confirm this in our final step when we tag a Droplet at creation.
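To make the effect of the rule sets concrete, here is an added example (not DigitalOcean's code and not part of the original tutorial) that models the Step 2 rules (SSH and HTTP open to anywhere), derives the Step 3 rules (HTTP only from the Load Balancer), and evaluates a few inbound connections against each with the default-deny semantics described above. The rule dictionaries follow the JSON shape of the public Firewalls API as I understand it, which is an assumption to check against the API reference before sending them; the Load Balancer UID, Droplet address and visitor address are constructed placeholders.

```python
"""Model of the tutorial's Cloud Firewall rule sets and a small evaluator
for inbound connections.  Added example, not DigitalOcean's code.  The rule
dictionaries use the JSON shape of the public Firewalls API as I understand
it (assumption: verify against the API reference); the evaluator reproduces
the default-deny behaviour the tutorial describes."""
import copy
import ipaddress
import json

# Constructed stand-in for the Load Balancer's UUID; the real value comes
# from the Control Panel or the API.
LB_UID = "00000000-0000-0000-0000-000000000000"
ANYWHERE = ["0.0.0.0/0", "::/0"]

# Step 2: SSH and HTTP open to the world, all outbound traffic permitted.
STEP2_FIREWALL = {
    "name": "First-Firewall",
    "inbound_rules": [
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ANYWHERE}},
        {"protocol": "tcp", "ports": "80", "sources": {"addresses": ANYWHERE}},
    ],
    "outbound_rules": [
        {"protocol": "icmp", "destinations": {"addresses": ANYWHERE}},
        {"protocol": "tcp", "ports": "all", "destinations": {"addresses": ANYWHERE}},
        {"protocol": "udp", "ports": "all", "destinations": {"addresses": ANYWHERE}},
    ],
    "tags": ["First-Firewall"],  # Step 4: apply by tag instead of by Droplet
}

def restrict_http_to_lb(firewall, lb_uid):
    """Return a copy whose port-80 rule accepts only the Load Balancer (Step 3)."""
    fw = copy.deepcopy(firewall)
    for rule in fw["inbound_rules"]:
        if rule["protocol"] == "tcp" and rule["ports"] == "80":
            rule["sources"] = {"load_balancer_uids": [lb_uid]}
    return fw

FINAL_FIREWALL = restrict_http_to_lb(STEP2_FIREWALL, LB_UID)

def _port_matches(rule_ports, port):
    """rule_ports is 'all', a single port, a range 'lo-hi' or a comma list."""
    if rule_ports in ("all", "0"):
        return True
    for part in rule_ports.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_matches(sources, origin):
    """origin describes the peer: its address plus, where the platform knows
    it, the Load Balancer UID, Droplet ID or tags it belongs to."""
    ip = ipaddress.ip_address(origin["address"])
    for cidr in sources.get("addresses", []):
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return True
    if origin.get("load_balancer_uid") in sources.get("load_balancer_uids", []):
        return True
    if origin.get("droplet_id") in sources.get("droplet_ids", []):
        return True
    return any(t in sources.get("tags", []) for t in origin.get("tags", []))

def inbound_allowed(firewall, protocol, port, origin):
    """Default deny: a connection passes only if some inbound rule matches."""
    return any(
        rule["protocol"] == protocol
        and _port_matches(rule.get("ports", "all"), port)
        and _source_matches(rule["sources"], origin)
        for rule in firewall["inbound_rules"]
    )

# Constructed origins: a visitor on the Internet and the Load Balancer.
VISITOR = {"address": "198.51.100.7"}
LOAD_BALANCER = {"address": "10.10.0.5", "load_balancer_uid": LB_UID}

def evaluate(firewall):
    """Outcome of the connections the tutorial tests in the browser/terminal."""
    return {
        "ssh_from_visitor": inbound_allowed(firewall, "tcp", 22, VISITOR),
        "http_from_visitor": inbound_allowed(firewall, "tcp", 80, VISITOR),
        "http_from_lb": inbound_allowed(firewall, "tcp", 80, LOAD_BALANCER),
        "https_from_lb": inbound_allowed(firewall, "tcp", 443, LOAD_BALANCER),
    }

if __name__ == "__main__":
    print("Step 2 rules:", evaluate(STEP2_FIREWALL))
    print("Final rules: ", evaluate(FINAL_FIREWALL))
    print(json.dumps(FINAL_FIREWALL, indent=2))  # candidate body for the API
```

Running it shows the change Step 3 makes: under the Step 2 rules a visitor reaches port 80 directly, while under the final rules only the Load Balancer does, SSH stays open from anywhere, and anything not covered by a rule (port 443, even from the Load Balancer) is dropped because nothing matched.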

Step 5 — Adding a New Droplet

Using tags allows us to automatically add new Droplets to the Load Balancer and Firewall when we first create them. We'll demonstrate this by creating a new Droplet in the same data center as the Load Balancer, including the "User data" to install the web server, and adding a tag:

  • Image: Ubuntu 16.04 (Default)
  • Region: San Francisco 1
  • Additional options: [x] User data.
User data
#cloud-config
packages:
 - nginx
runcmd:
 - export HOSTNAME=$(cat /etc/hostname)
 - echo "<h1>$HOSTNAME</h1>" > /var/www/html/index.html
  • Hostname: web-03
  • Tag: First-Firewall

To add the tag, click the link below the hostname:

Screenshot highlighting Add Tags link

This will open a text field where we can select our existing tag and apply it:

Screenshot with First-Firewall tag selected and Create highlighted

Finally, we'll click "Create."

Once the Droplet is created, we'll verify that direct TCP connections on port 80 are already blocked by visiting the server at its IP address.

Note: When the Droplet creation is complete, if the tag doesn't appear in the "Tags" column, reload the page in your browser.

After a while, the page should time out:

Screenshot of web-03 time out

After a couple of minutes, the new Droplet should be available as part of the load-balanced pool. To verify this, we'll visit the Load Balancer IP address and reload the page. After reloading twice, we should see the new Droplet's unique content.
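The browser checks above can be done from a terminal too, and doing so distinguishes two outcomes that look alike in a browser: a connection that times out (what a Cloud Firewall drop produces) and one that is refused (the host is reachable but nothing is listening yet, as in the delay between the IP appearing and cloud-init finishing the Nginx install). The following is an added example, not part of the tutorial; the Droplet and Load Balancer addresses are constructed placeholders to substitute with your own.

```python
"""Terminal check of the tutorial's expectations: once the port-80 rule is
restricted to the Load Balancer, a direct connection to a Droplet's port 80
should time out while port 22 still connects, and the Load Balancer's port 80
should still answer.  Added example, not part of the tutorial."""
import socket

def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'timeout'.
    A firewall that silently drops packets yields 'timeout'; a host with no
    listener on the port yields 'refused'; other failures are reported."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error: %s" % exc

def check_expectations(host, expected, timeout=5.0):
    """expected maps port -> outcome.  Returns (port, wanted, got, ok) rows."""
    rows = []
    for port, wanted in expected.items():
        got = probe(host, port, timeout)
        rows.append((port, wanted, got, got == wanted))
    return rows

def closed_local_port():
    """Allocate and release an ephemeral loopback port, giving a port that is
    reachable but has no listener, for exercising the 'refused' path offline."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]

if __name__ == "__main__":
    # Placeholders (documentation addresses); substitute your own values.
    DROPLET = "203.0.113.1"
    LOAD_BALANCER = "203.0.113.10"
    for row in check_expectations(DROPLET, {22: "open", 80: "timeout"}):
        print(DROPLET, *row)
    for row in check_expectations(LOAD_BALANCER, {80: "open"}):
        print(LOAD_BALANCER, *row)
```

Any row that ends in False is a mismatch worth investigating: a direct port-80 result of "open" means the rule is still accepting traffic from anywhere or the Droplet is not covered by the firewall (for example, the tag was not applied), while "refused" on the Load Balancer means the backend pool is not serving yet.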

Screenshot of web-03 time out

To remove a resource from the Load Balancer and Firewall, we would untag the Droplet itself, rather than going to the Load Balancer and then the Firewall.

Conclusion

In this tutorial, we demonstrated how to use the DigitalOcean Control Panel to add individual Droplets to Firewalls, how to restrict a firewall rule to a Load Balancer, and how to use Tags in order to add Droplets to both the Firewall and the Load Balancer at creation.

To learn more about organizing and managing your infrastructure with Cloud Firewalls, see these additional resources:

