Build DigitalOcean Cloud Firewall inbound and outbound rule configurations.
Last verified: May 2026
Build DigitalOcean Cloud Firewall inbound and outbound rule configurations with protocol, port, and source/destination settings.
Required Fields: `name`, `inbound_rules`, `outbound_rules`

DigitalOcean Cloud Firewalls protect Droplets at the infrastructure level — outside the Droplet's own iptables — so a misconfigured rule can lock you out instantly or quietly leave an open port. The DO Cloud Firewall Rule Builder produces validated inbound and outbound rule sets with CIDR sources, protocol selection, port ranges, and tag-based targeting. The output is ready to drop into a Terraform `digitalocean_firewall` resource or the doctl CLI without retyping.
When a Cloud Firewall is attached to a Droplet, all inbound traffic is denied by default and all outbound traffic is allowed by default. You add explicit allow rules for the ports and sources you want to permit; you do not add deny rules. To restrict egress you must add explicit outbound allow rules, after which everything not allowed is denied.
Cloud Firewalls live at the network boundary, so packets that a rule denies never reach the Droplet at all: the Droplet spends no CPU on them, and the filtering does not depend on the host's own iptables being configured correctly. Per-Droplet firewalls still have a role for fine-grained per-process rules, but the perimeter belongs in the Cloud Firewall.
A new junior engineer accidentally opens port 6379 (Redis) to 0.0.0.0/0 on a Droplet that was supposed to be private. By the next morning the Redis instance is mining cryptocurrency. You audit every Droplet, find three more with similar exposure, and use the builder to generate a tag-based firewall that allows Redis only from the `app` tag — never from the public internet. Within an hour the entire fleet is protected by a single firewall policy and a tagging convention.
The builder maintains a schema of valid protocol and port combinations (TCP/UDP/ICMP) for DigitalOcean Cloud Firewalls and validates each rule as you add it. CIDR sources are normalized; tag references are checked against the DO tag naming rules. The output is generated either as a Terraform `digitalocean_firewall` resource block or as a series of `doctl compute firewall add-rules` commands.
Use tags, not Droplet IDs, in firewall rules. Droplet IDs change every time you rebuild; tags stay stable. A firewall rule that targets `tag: web` applies automatically to a replacement Droplet.
Always pair a permissive inbound rule (allow port 80 from 0.0.0.0/0) with a restrictive management rule (allow port 22 from your office CIDR only). The most common breach pattern on DO is SSH exposed to the world on a public-facing Droplet.
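As an added example (not the builder's own code), the checks described above written out in Python: protocols limited to TCP/UDP/ICMP, ICMP rules without a port range, CIDR normalization, DO tag-name validation, and rendering to a Terraform `digitalocean_firewall` resource. The firewall name, the `redis` and `app` tags, and the office CIDR 203.0.113.0/24 are constructed values; the tag-name pattern follows DO's documented rule of letters, digits, colons, dashes and underscores up to 255 characters.

```python
"""Validate DigitalOcean Cloud Firewall rules and render a Terraform resource."""
import ipaddress
import re
from collections import namedtuple

# ports is "22" or "8000-9000" (empty for icmp); cidrs/tags are sources for inbound rules, destinations for outbound
Rule = namedtuple("Rule", "protocol ports cidrs tags", defaults=("", (), ()))
PROTOCOLS = {"tcp", "udp", "icmp"}
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
# DO tag naming rule: letters, digits, colons, dashes and underscores, up to 255 chars.
TAG_RE = re.compile(r"^[A-Za-z0-9:_-]{1,255}$")
def normalize_cidr(cidr: str) -> str:
    # strict=False clears host bits, so "10.0.0.5/24" becomes "10.0.0.0/24"
    return str(ipaddress.ip_network(cidr.strip(), strict=False))
def validate(rule: Rule) -> Rule:
    """Return a normalized copy of the rule, or raise ValueError naming the defect."""
    proto = rule.protocol.lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {rule.protocol!r}")
    if proto == "icmp" and rule.ports:
        raise ValueError("icmp rules carry no port range")
    if proto != "icmp":
        m = PORT_RE.match(rule.ports)
        lo, hi = (int(m[1]), int(m[2] or m[1])) if m else (0, 0)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {rule.ports!r}")
    if not rule.cidrs and not rule.tags:
        raise ValueError("rule needs at least one CIDR or tag")
    if bad := [t for t in rule.tags if not TAG_RE.match(t)]:
        raise ValueError(f"invalid tag names {bad}")
    return Rule(proto, rule.ports, [normalize_cidr(c) for c in rule.cidrs], list(rule.tags))
def _hcl(items):
    return "[" + ", ".join(f'"{i}"' for i in items) + "]"
def _block(kind, r, side):
    attrs = {"protocol": f'"{r.protocol}"', "port_range": f'"{r.ports}"' if r.ports else None,
             f"{side}_addresses": _hcl(r.cidrs) if r.cidrs else None,
             f"{side}_tags": _hcl(r.tags) if r.tags else None}
    return [f"  {kind}_rule {{"] + [f"    {k} = {v}" for k, v in attrs.items() if v] + ["  }"]
def to_terraform(name, droplet_tags, inbound, outbound):
    out = [f'resource "digitalocean_firewall" "{name}" {{',
           f'  name = "{name}"', f"  tags = {_hcl(droplet_tags)}"]
    for kind, side, rules in (("inbound", "source", inbound), ("outbound", "destination", outbound)):
        out += [line for r in rules for line in _block(kind, validate(r), side)]
    return "\n".join(out + ["}"])

# Constructed example for the Redis scenario: 6379 only from the `app` tag, SSH only from an assumed office CIDR
EXAMPLE = to_terraform("private-redis", ["redis"],
    inbound=[Rule("tcp", "6379", tags=["app"]), Rule("TCP", "22", cidrs=["203.0.113.10/24"])],
    outbound=[Rule("tcp", "1-65535", cidrs=["0.0.0.0/0", "::/0"]), Rule("icmp", cidrs=["0.0.0.0/0"])])
```

`print(EXAMPLE)` emits the resource block; a rule that fails validation raises before anything is rendered, which is the point of validating each rule as it is added.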