Cloud Firewalls

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.

Plans and Pricing

DigitalOcean Cloud Firewalls are available at no additional cost.

Regional Availability

Cloud firewalls are available in every region. A cloud firewall’s rules can include Droplets from any datacenters.

Features

Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. Firewalls can be host-based, which are configured on a per-server basis using services like IPTables or UFW. Others, like DigitalOcean Cloud Firewalls, are network-based and stop traffic at the network layer before it reaches the server.

You can apply cloud firewall rules to individual Droplets, but a more powerful option is to use tags. Tags are custom labels that you can apply to Droplets and other DigitalOcean resources. When you add a tag to a firewall, any Droplets with that tag are automatically included in the firewall configuration.

Limits

  • You can have a maximum of 10 Droplets per firewall and 5 tags per firewall. If you have more than 10 Droplets that need the same firewall, tag the Droplets, then add that tag to the firewall.

  • Each firewall can have up to 50 total incoming and outgoing rules.

  • Firewalls affect both public and private network traffic. Rules specific to either must specify the public or private IP range.

  • Firewalls support only ICMP, TCP, and UDP.

  • Firewalls block traffic at the network layer before that traffic reaches your resources. Because of this, traffic logs are not available.