Firewalls are essential for the security of any server. Allowing only the right traffic to reach the right resource stops malicious traffic and potential attacks from taking advantage of an unprotected server. DigitalOcean's virtual machines, called Droplets, come with a firewall system that has its own advantages in configuration, monitoring and maintenance over a traditional firewall running at the operating system level.
That firewall system is called Cloud Firewalls. It is a network-level firewall that drops traffic you do not want reaching your Droplet, so potentially malicious traffic never arrives at your server at all. Some of the features of Cloud Firewalls are:
- Stateful inbound and outbound rules
- Named services, such as SSH, HTTP(S), MySQL, etc.
- Custom ports
- Port ranges
- Restriction by source, such as Droplets, load balancers, VPCs, tags, or specific IPv4 or IPv6 addresses and CIDR ranges
Recently, DigitalOcean released Virtual Private Cloud (VPC) networks. By placing a set of resources in a VPC, all traffic between them is kept internal to that network, isolated even from other VPC networks. Cloud Firewalls work in conjunction with VPCs to further segment and protect traffic. For this article, we will be using two virtual machines configured in the following manner:
- OS: Ubuntu 18.04.3 LTS x64
- Pricing: Basic VM at $5/month
- Region: SFO2
- Authentication: SSH keys
Create a cloud firewall
One of the first tasks after creating a Linux virtual machine is to protect the SSH service, as it is often a prime target for malicious actors. Let's create a simple, easy-to-use firewall that limits SSH access to our newly created VM to a single IP address that we designate.
In this example, that will be the IP address 192.168.100.5. After clicking "Create Firewall", we are presented with a form asking for the name, the inbound rules, the outbound rules, and the resources to apply the firewall to.
- Name: ssh-limit
- Inbound rules: SSH (TCP port 22), allowed only from 192.168.100.5
Next, let's look at the outbound rules. What you see below are the defaults: all outgoing TCP and UDP traffic is allowed to all destinations, as is ICMP traffic. In general this is fine, depending on your needs. Most server administrators have a higher level of control over outgoing traffic than over incoming traffic. That said, you can certainly restrict that traffic as well.
Finally, let's apply this new firewall to a newly created VM that we have tagged test. Why apply the firewall to a tag rather than to the Droplet itself? By applying it to a tag, the firewall will automatically apply to every new resource carrying that tag. This automates the setup and means an important firewall is not missed when new resources are created.
After creation, you can see that the firewall is correctly applied to the Droplet, and it will now drop all traffic that does not match these rules before the traffic ever reaches the Droplet.
Provision a new droplet
What happens when we provision a new Droplet and give this VM the test tag? After you provision the new VM and navigate to the Networking section of the Droplet, you can see that the ssh-limit firewall we created earlier has been applied automatically.
Limit internal VPC traffic
What if we have MySQL databases on both of the Droplets we have provisioned and we want to make sure that database traffic does not leak beyond those resources? To ensure that port 3306 (MySQL) traffic is only accepted from other resources within the VPC, a Cloud Firewall rule can be applied with the VPC's address range as its source.
If you are using the DigitalOcean Managed Databases product, such as a MySQL, PostgreSQL or Redis database, this capability also makes it easier to protect those resources. The ideal configuration is to keep all the relevant resources in a VPC and then use Cloud Firewalls to properly control the traffic between the different resources.
Cloud firewall caveats
There are a few things you should be aware of when using Cloud Firewalls. Some of these are quantity limits on Cloud Firewalls, and some are product limitations that can affect the way you use them.
- A maximum of 10 Droplets can be added individually to a given firewall.
- A maximum of 5 tags can be added to a given firewall, but by using tags you can work around the 10-individual-Droplet limit (i.e. a tag carrying 50 Droplets will still work with the firewall).
- A firewall can have a total of 50 inbound and outbound rules combined.
- Firewalls only support ICMP, TCP, and UDP traffic at this time.
- Traffic logs will not be available for dropped traffic, as this occurs at the network level.
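As an added example (not code from this article or from DigitalOcean), here is the ssh-limit firewall described above, extended with the VPC-only MySQL rule, expressed as the JSON body that the DigitalOcean Firewalls API accepts, together with a pre-submission check against the limits listed above. The body shape follows my reading of the API, and the VPC address range is a placeholder.

```python
# Product limits quoted in the caveats above.
MAX_RULES = 50        # inbound + outbound combined
MAX_DROPLET_IDS = 10  # droplets added individually (tags bypass this)
MAX_TAGS = 5
PROTOCOLS = {"icmp", "tcp", "udp"}
VPC_CIDR = "10.124.0.0/20"  # placeholder; use the range shown on your VPC's page

def rule(protocol, ports, addresses, key="sources"):
    """One rule object. Inbound rules use 'sources', outbound use 'destinations'."""
    body = {"protocol": protocol}
    if protocol != "icmp":  # ICMP rules carry no port field
        body["ports"] = ports
    body[key] = {"addresses": list(addresses)}
    return body

def build_firewall(name, admin_ip, tag):
    """SSH from one admin IP, MySQL only from inside the VPC, the default
    allow-all outbound rules, attached to a tag so future Droplets inherit it."""
    anywhere = ["0.0.0.0/0", "::/0"]
    return {
        "name": name,
        "inbound_rules": [
            rule("tcp", "22", [admin_ip]),
            rule("tcp", "3306", [VPC_CIDR]),
        ],
        "outbound_rules": [
            rule("tcp", "all", anywhere, key="destinations"),
            rule("udp", "all", anywhere, key="destinations"),
            rule("icmp", None, anywhere, key="destinations"),
        ],
        "droplet_ids": [],
        "tags": [tag],
    }

def check_limits(fw):
    """Return the limit violations found; an empty list means it can be submitted."""
    problems = []
    rules = fw["inbound_rules"] + fw["outbound_rules"]
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the {MAX_RULES}-rule total")
    if len(fw.get("droplet_ids", [])) > MAX_DROPLET_IDS:
        problems.append("more than 10 individual droplets; attach a tag instead")
    if len(fw.get("tags", [])) > MAX_TAGS:
        problems.append("more than 5 tags")
    unsupported = {r["protocol"] for r in rules} - PROTOCOLS
    if unsupported:
        problems.append(f"unsupported protocol(s): {sorted(unsupported)}")
    return problems
```

Run `check_limits` on the definition before sending it; because dropped traffic is not logged, a firewall that silently fails to attach is easier to catch here than in production.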
While this is only an overview of the features and rules that can be set for DigitalOcean Droplets, the combination of a network-level firewall and VPC networks can easily protect your Droplets from malicious traffic. With the low cost of entry-level Droplets and the ease of configuration, one can quickly see how to use Cloud Firewalls to protect server resources.