How to Add and Remove Droplets from Firewalls

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.


Add or Remove Droplets from a Firewall Using the CLI

The commands to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the doctl compute droplet list command.

How to add a Droplet to a firewall using the DigitalOcean CLI

To add a Droplet to a firewall via the command-line, follow these steps:

  1. Install doctl, the DigitalOcean command-line tool.

  2. Create a personal access token, and save it for use with doctl.

  3. Use the token to grant doctl access to your DigitalOcean account.

                  doctl auth init
                
  4. Finally, add a Droplet to a firewall with doctl compute firewall add-droplets. The basic usage looks like this, but you'll want to read the usage docs for more details:

                  doctl compute firewall add-droplets <id> [flags]
                

    The following example assigns two Droplets to the cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6

                   doctl compute firewall add-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
                
How to remove a Droplet from a firewall using the DigitalOcean CLI

To remove a Droplet from a firewall via the command-line, follow these steps:

  1. Install doctl, the DigitalOcean command-line tool.

  2. Create a personal access token, and save it for use with doctl.

  3. Use the token to grant doctl access to your DigitalOcean account.

                  doctl auth init
                
  4. Finally, remove a Droplet from a firewall with doctl compute firewall remove-droplets. The basic usage looks like this, but you'll want to read the usage docs for more details:

                  doctl compute firewall remove-droplets <id> [flags]
                

    The following example removes two Droplets from a cloud firewall with the ID f81d4fae-7dec-11d0-a765-00a0c91e6bf6

                   doctl compute firewall remove-droplets f81d4fae-7dec-11d0-a765-00a0c91e6bf6 --droplet-ids "386734086,391669331"
                

Add or Remove Droplets from a Firewall Using the API

The API calls to add and remove Droplets from a firewall require the Droplet’s ID. To retrieve a list of Droplets and their IDs, use the /v2/droplets endpoint.

How to add Droplets to a firewall using the DigitalOcean API

To add Droplets to a firewall using the DigitalOcean API, follow these steps:

  1. Create a personal access token, and save it for use with the API.

  2. Send a POST request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets

    cURL

    To add Droplets to a firewall with cURL, call:

    
        curl -X POST \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
          -d '{"droplet_ids":[49696269]}' \
          "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"

    Go

    Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add Droplets to a firewall with Godo, use the following code:

    
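        package main

        import (
            "context"
            "log"
            "os"

            "github.com/digitalocean/godo"
        )

        func main() {
            // Read the API token from the environment rather than hard-coding it.
            token := os.Getenv("DIGITALOCEAN_TOKEN")

            client := godo.NewFromToken(token)
            ctx := context.TODO()

            // AddDroplets takes the firewall ID followed by one or more Droplet IDs.
            _, err := client.Firewalls.AddDroplets(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", 49696269)
            if err != nil {
                log.Fatal(err)
            }
        }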

    Ruby

    Ruby developers can use DropletKit, the official DigitalOcean V2 API client for Ruby. To add Droplets to a firewall with DropletKit, use the following code:

    
        require 'droplet_kit'
        token = ENV['DIGITALOCEAN_TOKEN']
        client = DropletKit::Client.new(access_token: token)

        client.firewalls.add_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')

    Python

    
        import os
        from pydo import Client

        client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

        req = {
          "droplet_ids": [
            49696269
          ]
        }

        resp = client.firewalls.assign_droplets(firewall_id="39fa4gz", body=req)

How to remove Droplets from a firewall using the DigitalOcean API

To remove Droplets from a firewall using the DigitalOcean API, follow these steps:

  1. Create a personal access token, and save it for use with the API.

  2. Send a DELETE request to https://api.digitalocean.com/v2/firewalls/{firewall_id}/droplets

    cURL

    To remove Droplets from a firewall with cURL, call:

    
        curl -X DELETE \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
          -d '{"droplet_ids":[49696269]}' \
          "https://api.digitalocean.com/v2/firewalls/bb4b2611-3d72-467b-8602-280330ecd65c/droplets"

    Go

    Go developers can use Godo, the official DigitalOcean V2 API client for Go. To remove Droplets from a firewall with Godo, use the following code:

    
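        package main

        import (
            "context"
            "log"
            "os"

            "github.com/digitalocean/godo"
        )

        func main() {
            // Read the API token from the environment rather than hard-coding it.
            token := os.Getenv("DIGITALOCEAN_TOKEN")

            client := godo.NewFromToken(token)
            ctx := context.TODO()

            // RemoveDroplets takes the firewall ID followed by one or more Droplet IDs.
            _, err := client.Firewalls.RemoveDroplets(ctx, "bb4b2611-3d72-467b-8602-280330ecd65c", 49696269)
            if err != nil {
                log.Fatal(err)
            }
        }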

    Ruby

    Ruby developers can use DropletKit, the official DigitalOcean V2 API client for Ruby. To remove Droplets from a firewall with DropletKit, use the following code:

    
        require 'droplet_kit'
        token = ENV['DIGITALOCEAN_TOKEN']
        client = DropletKit::Client.new(access_token: token)

        client.firewalls.remove_droplets([49696269], id: 'bb4b2611-3d72-467b-8602-280330ecd65c')

    Python

    
        import os
        from pydo import Client

        client = Client(token=os.environ.get("DIGITALOCEAN_TOKEN"))

        req = {
          "droplet_ids": [
            49696269
          ]
        }

        resp = client.firewalls.delete_droplets(firewall_id="39fa4gz", body=req)

Add or Remove Droplets from a Firewall Using the Control Panel

You can modify the Droplets protected by a firewall in the control panel by choosing Networking from the top navigation, then Firewalls. Select the firewall you want to check or modify, then navigate to its Droplets tab.

A firewall’s Droplets tab lists all of the Droplets protected by the firewall. Droplets added individually are shown on their own line, and Droplets added with a tag are shown below the tag.

To add another Droplet or tag to the firewall, use the Add Droplets button.

To remove a Droplet or tag from a firewall, use its More menu and select Remove.


From the firewall’s Droplets panel, you can see which Droplets are affected by that firewall’s rules. To see all the rules affecting a specific Droplet, you need to view the individual Droplet’s networking page.
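The per-Droplet view described above can also be computed from API data after adding or removing Droplets. The following is an added example, not DigitalOcean's own code: it maps each Droplet to the firewalls that apply to it, whether by ID or by tag, and lists Droplets that no firewall covers. The payloads are constructed samples shaped like /v2/droplets and /v2/firewalls responses, and the Droplet and firewall names and the ID 50000001 are made up.

```python
import json

# Constructed sample payloads shaped like GET /v2/droplets and
# GET /v2/firewalls responses; names and the ID 50000001 are made up.
DROPLETS_JSON = """
{"droplets": [
  {"id": 386734086, "name": "web-1", "tags": ["web"]},
  {"id": 391669331, "name": "web-2", "tags": []},
  {"id": 49696269,  "name": "db-1",  "tags": ["db"]},
  {"id": 50000001,  "name": "scratch", "tags": []}
]}
"""
FIREWALLS_JSON = """
{"firewalls": [
  {"id": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "name": "web-fw",
   "droplet_ids": [386734086, 391669331], "tags": []},
  {"id": "bb4b2611-3d72-467b-8602-280330ecd65c", "name": "db-fw",
   "droplet_ids": [], "tags": ["db", "web"]}
]}
"""


def firewall_coverage(droplets, firewalls):
    """Map each Droplet ID to the names of the firewalls that apply to it,
    whether the Droplet was attached by ID or picked up through a tag."""
    coverage = {d["id"]: [] for d in droplets}
    for fw in firewalls:
        direct = set(fw.get("droplet_ids") or [])
        fw_tags = set(fw.get("tags") or [])
        for d in droplets:
            if d["id"] in direct or fw_tags & set(d.get("tags") or []):
                coverage[d["id"]].append(fw["name"])
    return coverage


def unprotected(droplets, firewalls):
    """Return the names of Droplets that no firewall covers."""
    cov = firewall_coverage(droplets, firewalls)
    return sorted(d["name"] for d in droplets if not cov[d["id"]])


def load_sample():
    """Parse the constructed sample payloads above."""
    droplets = json.loads(DROPLETS_JSON)["droplets"]
    firewalls = json.loads(FIREWALLS_JSON)["firewalls"]
    return droplets, firewalls


if __name__ == "__main__":
    droplets, firewalls = load_sample()
    for droplet_id, names in firewall_coverage(droplets, firewalls).items():
        print(droplet_id, names or "NO FIREWALL")
    print("unprotected:", unprotected(droplets, firewalls))
```

Run against live data, the two JSON inputs would come from the /v2/droplets and /v2/firewalls endpoints; paginated responses need to be merged before the check.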