
How Do I Configure a DigitalOcean Firewall for My Droplet?

Lock down your Droplet with DigitalOcean Cloud Firewalls — allow SSH and web traffic while blocking everything else.


Cloud Firewalls vs UFW

DigitalOcean Cloud Firewalls filter traffic at the network edge, before it reaches your Droplet. Once a firewall is applied, any inbound packet that matches no rule is dropped, and the firewall is stateful, so replies to connections the Droplet initiated are allowed through. This is cheaper than a host firewall like UFW because unwanted packets never touch the Droplet's network interface, so they consume no CPU and never show up in your logs. Use both together for defense in depth: the Cloud Firewall stops noise at the edge, UFW still protects you if a rule is misapplied or another Droplet in the same VPC is compromised.

Step 1 — Create a Firewall

In the control panel, go to Networking → Firewalls and click Create Firewall. Give it a name like web-server-fw.

Step 2 — Define Inbound Rules

Add rules for traffic you want to allow:

  • SSH (22) — Source: your own public IP as a single host (a /32), not "All IPv4"
  • HTTP (80) — Source: All IPv4, All IPv6
  • HTTPS (443) — Source: All IPv4, All IPv6

Restricting SSH to your home or office IP means the rest of the internet cannot even open a connection to port 22, which removes the constant brute-force login traffic every public server receives. The trade-off is that a changed IP (new ISP lease, working from elsewhere) locks you out of SSH; when that happens, edit the rule in the control panel to add the new address. If you administer from changing locations, allow SSH from a bastion Droplet instead of a home address.

Step 3 — Define Outbound Rules

By default, all outbound traffic is allowed. For most web servers this is fine: the Droplet needs to reach package repositories, third-party APIs, and DNS resolvers. Lock outbound rules down only if you have strict compliance requirements or want to limit what a compromised Droplet can talk to, and be aware that you then have to allow each destination explicitly (TCP, UDP and ICMP are separate rules, and DNS over UDP 53 is the one people forget).

Step 4 — Apply to Droplets

Under Apply to Droplets, select the Droplet(s) this firewall protects. You can tag Droplets (e.g. production) and apply the firewall to the entire tag, so new Droplets with that tag inherit the rules automatically. If a Droplet has more than one firewall applied, the rules from all of them are combined, so a second, more permissive firewall on the same tag will widen what is allowed.
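The same firewall from Steps 1 to 4 can be created from the command line with DigitalOcean's doctl CLI instead of clicking through the control panel. This is an added example, not code from the tutorial: it assumes doctl is installed and authenticated (doctl auth init), uses 203.0.113.10 as a placeholder admin IP (a TEST-NET address, replace it with your own), reuses the firewall name and tag from the steps above, and adds two checks the control panel does not enforce for you: the admin IP must be a single IPv4 host, and the SSH rule must never have 0.0.0.0/0 or ::/0 as a source. If doctl is not installed it prints the command it would have run.

```shell
#!/bin/sh
# Added example (not from the tutorial): build and apply the web-server firewall with doctl.
# Assumptions: ADMIN_IP defaults to 203.0.113.10 (TEST-NET placeholder); firewall name and
# tag are the ones used in the tutorial; doctl is installed and authenticated for the final step.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # the public IP you administer from
FW_NAME="web-server-fw"
TAG_NAME="production"

# Accept only a plain dotted-quad IPv4 host (no CIDR suffix, no stray characters), so a pasted
# "0.0.0.0/0" or an empty variable cannot silently become an SSH-from-anywhere rule.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# doctl rule syntax: rules are space-separated, fields within a rule are comma-separated,
# "address" may repeat, and "droplet_id:<id>" or "tag:<name>" can be used instead of an
# address to allow traffic from other Droplets (e.g. app servers reaching a database).
inbound_rules() {
  printf '%s' \
    "protocol:tcp,ports:22,address:$1/32 " \
    "protocol:tcp,ports:80,address:0.0.0.0/0,address:::/0 " \
    "protocol:tcp,ports:443,address:0.0.0.0/0,address:::/0"
}

# Step 3's "allow all outbound" default, written out explicitly: tcp, udp and icmp are separate rules.
outbound_rules() {
  printf '%s' \
    "protocol:tcp,ports:all,address:0.0.0.0/0,address:::/0 " \
    "protocol:udp,ports:all,address:0.0.0.0/0,address:::/0 " \
    "protocol:icmp,address:0.0.0.0/0,address:::/0"
}

# Guard against the mistake Step 2 warns about: a port-22 rule whose source is the whole internet.
# Returns 1 if any rule for port 22 lists 0.0.0.0/0 or ::/0 as a source.
ssh_is_restricted() {
  for _rule in $1; do
    case "$_rule" in
      *ports:22,*|*ports:22)
        case "$_rule" in
          *address:0.0.0.0/0*|*address:::/0*) return 1 ;;
        esac ;;
    esac
  done
  return 0
}

valid_ipv4 "$ADMIN_IP" || { echo "ADMIN_IP must be a single IPv4 address, got '$ADMIN_IP'" >&2; exit 1; }
INBOUND=$(inbound_rules "$ADMIN_IP")
ssh_is_restricted "$INBOUND" || { echo "refusing to create a firewall with SSH open to everyone" >&2; exit 1; }

if command -v doctl >/dev/null 2>&1; then
  doctl compute firewall create \
    --name "$FW_NAME" \
    --inbound-rules "$INBOUND" \
    --outbound-rules "$(outbound_rules)" \
    --tag-names "$TAG_NAME"
else
  echo "doctl not found; the command that would run is:"
  echo "doctl compute firewall create --name '$FW_NAME' --inbound-rules '$INBOUND' --outbound-rules '$(outbound_rules)' --tag-names '$TAG_NAME'"
fi
```

Keeping the rule set in a script like this (or in Terraform) rather than in the control panel gives you a reviewable record of what is open and lets the SSH-source check run before anything is applied. For the database-server case, replace the address in the port-5432 rule with the app Droplet's id (droplet_id:...) or its tag (tag:...) so no public address is ever allowed.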

Step 5 — Test Connectivity

After applying the firewall, verify from your local machine:

ssh root@YOUR_DROPLET_IP          # should work (only from the IP you allowed)
curl -I http://YOUR_DROPLET_IP    # should return your site's HTTP headers
curl -kI https://YOUR_DROPLET_IP  # -k skips certificate checks: the cert is for your domain, not the IP

Once DNS points at the Droplet, repeat the HTTPS check against your domain without -k; if it fails then, the problem is the certificate, not the firewall. Then try SSH from a different network (a phone hotspot works well): the connection should time out rather than be refused, because the firewall drops the packets before the Droplet sees them. If it connects, the SSH rule source is wider than you intended.

Combine with UFW on the Droplet

For an extra layer, enable UFW inside the Droplet too. Add the SSH rule before enabling, or the enable step will cut off the session you are typing in:

sudo ufw default deny incoming     # drop anything not explicitly allowed
sudo ufw default allow outgoing    # mirror the Cloud Firewall's outbound default
sudo ufw allow OpenSSH             # application profile for port 22; add it first
sudo ufw allow 'Nginx Full'        # ports 80 and 443; use 'Apache Full' for Apache
sudo ufw enable
sudo ufw status verbose            # confirm the rules before you log out

The 'Nginx Full' and 'OpenSSH' names are application profiles shipped with those packages (sudo ufw app list shows what is available); if the web server is not installed yet, allow 80/tcp and 443/tcp by number instead.

Common Rules by Use Case

  • Web server: 22 (restricted to your IP), 80 and 443 from anywhere
  • Database server: 22 (restricted), 5432 with the app Droplet or its tag as the source, never a public address; keep the database bound to the VPC interface as well
  • Bastion: 22 from anywhere (ideally key-only, with other Droplets allowing 22 only from the bastion); VPN server: its own listening port from anywhere and nothing else

Cloud Firewalls are free and take effect within seconds of saving; there is no reason to run a public Droplet without one.