How to Utilize DigitalOcean Firewalls for your Droplets


Firewalls are essential to the security of any server. Allowing only the right traffic to reach the right resource keeps malicious traffic and potential attacks from taking advantage of an unprotected server. DigitalOcean offers virtual machines, called Droplets, whose firewall system has advantages in configuration, monitoring and maintenance over a traditional firewall at the operating-system level.

The firewall system is called Cloud Firewalls. It is a network-level firewall that drops traffic you don’t want to reach your Droplet, so potentially malicious traffic never touches your server. Some of the features of Cloud Firewalls are:

  • Stateful inbound and outbound rules
  • Named services, such as SSH, HTTP(S), MySQL, etc.
  • Custom ports
  • Port ranges
  • Limiting by source, such as Droplets, load balancers, VPCs, tags, or specific IPv4 or IPv6 CIDR ranges

Recently, DigitalOcean released Virtual Private Cloud (VPC) networks. By placing a set of resources in a VPC, all traffic between them is kept internal to that network, isolated even from other VPC networks. Cloud Firewalls work in conjunction with VPCs to further segment and protect traffic. For this article, we will be using two virtual machines configured as follows:

  • OS: Ubuntu 18.04.3 LTS x64
  • Pricing: Basic VM at $5/month
  • Region: SFO2
  • Authentication: SSH keys
  • Tags: test, ubuntu

Create a Cloud Firewall

One of the first tasks after creating a Linux virtual machine is to protect the SSH service, as it is a prime target for malicious actors. Let’s create a simple firewall that limits SSH access to our newly created VM to a single IP address that we designate.

In this example, that will be the IP address 192.168.100.5. After clicking “Create Firewall”, we are presented with a form asking for the name, the inbound rules, the outbound rules, and the resources to apply the firewall to.

  • Name: ssh-limit
  • Inbound rules: SSH, allowed only from 192.168.100.5

Create a firewall.

Next, let’s look at the outbound rules. What you see below are the defaults: all outgoing TCP/UDP traffic is allowed to all destinations, as is ICMP traffic. In general this is fine, depending on your needs. Most server administrators have a higher level of control over outgoing traffic than over incoming traffic. That said, you can definitely restrict that traffic too.

Outbound rules

Finally, let’s apply this new firewall to the newly created VM, which we tagged test. Why apply the firewall to a tag rather than to the Droplet itself? By applying it to a tag, the firewall is automatically attached to every new resource carrying that tag. This automates setup and means important firewall configuration won’t be missed.

Apply a new firewall to the newly created VM

After creation, you can see that the firewall is correctly applied to the Droplet and will now drop all traffic that does not match these rules before it reaches the Droplet.

The firewall is applied to the Droplet and drops all non-matching traffic before it reaches the Droplet

Provision a new Droplet

What happens when we provision another Droplet and give it the test tag? After provisioning the new VM and navigating to its Networking section, you can see that the ssh-limit firewall we created earlier has been applied automatically.

The ssh-limit firewall is automatically applied

Limit internal VPC traffic

What if we run MySQL databases on both of the Droplets we have provisioned and want to make sure that database traffic doesn’t leak beyond those resources? To ensure that port 3306 (MySQL) traffic is only accepted from other resources within the VPC, a Cloud Firewall rule can be applied to the VPC’s address range.

Cloud firewall rule applied to VPC traffic range

If you are using DigitalOcean’s Managed Databases product, such as a MySQL, PostgreSQL or Redis database, this capability also makes it easier to protect those resources. The ideal configuration is to place all the related resources in a VPC and then use Cloud Firewalls to properly restrict the traffic between them.

Cloud Firewall caveats

There are a few things you should be aware of when using Cloud Firewalls. Some are quantity limits on Cloud Firewalls, and some are product limitations that can affect how you use them.

  • A maximum of 10 Droplets can be added individually to a given firewall.
  • A maximum of 5 tags can be added to a given firewall, but by using tags you can get around the 10-individual-Droplet limit (i.e. a tag with 50 Droplets will still work with the firewall).
  • A firewall can have a total of 50 inbound and outbound rules combined.
  • Firewalls only support ICMP, TCP and UDP traffic at this time.
  • Traffic logs are not available for dropped traffic, because the drop happens at the network level before the packet reaches the Droplet.
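To tie the ssh-limit rule, the VPC-only MySQL rule and the caveats above together, here is an added example (not DigitalOcean’s own code or CLI) that builds the firewall as a request body in the shape of the public /v2/firewalls API object, checks it against the limits quoted above, and evaluates inbound packets the way a default-deny network firewall does. The VPC range 10.124.0.0/20 and the test addresses are constructed for the example; the field names are assumed to match the API.

```python
# Constructed example: firewall spec builder, limit checker and default-deny evaluator.
import ipaddress

MAX_RULES, MAX_DROPLETS, MAX_TAGS = 50, 10, 5      # limits listed under "caveats"
PROTOCOLS = {"tcp", "udp", "icmp"}                 # the only protocols supported

def inbound(protocol, ports, *cidrs):
    """Inbound rule; ports is "22", a "lo-hi" range or "all"."""
    return {"protocol": protocol, "ports": ports, "sources": {"addresses": list(cidrs)}}

def outbound(protocol, ports=None):
    """Default outbound rule: everything to everywhere (ICMP carries no ports)."""
    r = {"protocol": protocol, "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}}
    if ports:
        r["ports"] = ports
    return r

def build_firewall(admin_ip, vpc_cidr):
    """ssh-limit from the article plus the VPC-only MySQL rule, applied via tag."""
    return {"name": "ssh-limit",
            "inbound_rules": [inbound("tcp", "22", f"{admin_ip}/32"),   # SSH: one host
                              inbound("tcp", "3306", vpc_cidr)],        # MySQL: VPC only
            "outbound_rules": [outbound("tcp", "all"), outbound("udp", "all"),
                               outbound("icmp")],
            "tags": ["test"]}                       # attach to every Droplet tagged "test"

def validate(fw):
    """Return the product limits a spec would violate; an empty list means OK."""
    rules = fw["inbound_rules"] + fw["outbound_rules"]
    problems = [f"unsupported protocol {r['protocol']}"
                for r in rules if r["protocol"] not in PROTOCOLS]
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    if len(fw.get("droplet_ids", [])) > MAX_DROPLETS:
        problems.append(f"more than {MAX_DROPLETS} individual Droplets; use a tag")
    if len(fw.get("tags", [])) > MAX_TAGS:
        problems.append(f"more than {MAX_TAGS} tags")
    return problems

def port_matches(spec, port):
    """True if port falls inside a rule's port spec ("22", "8000-9000", "all")."""
    lo, _, hi = spec.partition("-")
    return spec == "all" or int(lo) <= port <= int(hi or lo)

def inbound_allowed(fw, src_ip, port, protocol="tcp"):
    """Default deny: deliver only if an inbound rule matches protocol, port and source."""
    src = ipaddress.ip_address(src_ip)
    return any(r["protocol"] == protocol and port_matches(r["ports"], port)
               and any(src in ipaddress.ip_network(c) for c in r["sources"]["addresses"])
               for r in fw["inbound_rules"])
```

Because dropped packets produce no logs, evaluating candidate rules offline like this is the only way to confirm, before deployment, which sources will reach a Droplet.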

Conclusion

While this is only an overview of the features and rules that can be set for DigitalOcean Droplets, the combination of a network-level firewall and VPC networks can easily protect your Droplets from malicious traffic. With the low cost of small Droplets and the ease of configuration, one can quickly see how to use Cloud Firewalls to protect server resources.
