Firewalls are critical to the security of a server. Allowing only the right traffic to reach each resource keeps malicious traffic and potential attacks away from an otherwise unprotected server. DigitalOcean offers virtual machines, so-called Droplets, with their own firewall system that has configuration, monitoring and maintenance advantages over conventional host-level (operating system) firewalls.
The firewall system is called Cloud Firewalls. It supports:
- Stateful inbound and outbound rules
- Named services such as SSH, HTTP(S), MySQL, etc.
- Custom ports
- Port ranges
- Restriction by source, such as Droplets, load balancers, VPCs, tags, or specific IPv4/IPv6 addresses and CIDR ranges
Recently, DigitalOcean released VPC (Virtual Private Cloud) networks. By placing a collection of resources in a VPC, all traffic within that network is isolated, including from other VPC networks. Cloud Firewalls work with VPCs to further segment and protect traffic. This article uses two virtual machines configured as follows:
- OS: Ubuntu 18.04.3 LTS x64
- Pricing: basic VM at $5/month
- Region: SFO2
- Authentication: SSH key
Creating a cloud firewall
After creating a Linux VM, one of the first things to do is protect the SSH service, as it is often a primary target for malicious actors. Let's create a simple, easy-to-use firewall that restricts SSH access to our newly created VM to a single IP address that we specify.
In this example that is the IP address 192.168.100.5. After clicking Create Firewall, a form appears asking for the name, inbound rules, outbound rules, and the resources the firewall should be applied to.
- Inbound rules: SSH, limited to the source IP above
Next, let's look at the outbound rules. What you see below are the default rules: all outbound TCP and UDP traffic is allowed to all destinations, as is ICMP traffic. In general this is fine, depending on your needs. Most server administrators are less restrictive with outbound traffic than with inbound. That said, you can certainly restrict this traffic as well.
Finally, let's apply this new firewall to a newly created VM that we've tagged test. Why apply the firewall to a tag rather than to the Droplet itself? When it is applied to a tag, the firewall is automatically applied to any new resource that carries that tag. This automates the configuration and means that important firewall settings are not overlooked.
Once created, you can verify that the firewall has been applied to the Droplet and is now dropping all traffic that does not match these rules before it ever reaches the Droplet.
Provisioning a new Droplet
What happens when we deploy a new Droplet and give this VM the test tag? After provisioning the new VM and navigating to the Droplet's Networking section, you can see that the previously created ssh-limit firewall has been applied automatically.
Restricting internal VPC traffic
What if we run MySQL databases on our two deployed Droplets and want to make sure that this traffic never leaves those resources? To ensure that port 3306 (MySQL) traffic is only allowed from other resources within the VPC, a cloud firewall rule can be scoped to the VPC's traffic.
If you use DigitalOcean's Managed Databases product, for example a MySQL, Postgres or Redis database, you can use this feature to protect those resources as well. The ideal setup is to keep all related resources in one VPC and then use cloud firewalls to properly protect the traffic between them.
Cloud firewall caveats
There are a few things to keep in mind when using cloud firewalls. Some are quantity limits on cloud firewalls themselves; others are product limitations that can affect how cloud firewalls are used.
- A given firewall can have at most 10 individually added Droplets.
- A given firewall can have at most 5 tags. Using tags, however, lets you get around the 10-Droplet limit (a tag covering 50 Droplets still works with the firewall).
- A firewall can contain a total of 50 combined inbound and outbound rules.
- Firewalls currently support only ICMP, TCP and UDP traffic.
- Traffic logs are not available for dropped traffic, because filtering happens at the network level.
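The ssh-limit firewall from earlier, the MySQL-in-the-VPC rule, and the limits just listed can all be expressed as a single API request. The following script is an added example, not code from the article or from DigitalOcean: it assembles the JSON body that the DigitalOcean API's POST /v2/firewalls endpoint accepts (sources for inbound rules, destinations for outbound ones) and checks it against the per-firewall limits quoted above before anything is sent. It never contacts the API; the VPC range 10.10.0.0/20 used for the MySQL rule is an assumed value to be replaced with your own VPC's CIDR.

```python
"""Build and sanity-check a DigitalOcean Cloud Firewall request body.

Added example, not part of the article: it assembles the JSON body that
the DigitalOcean API's POST /v2/firewalls endpoint accepts and checks it
against the per-firewall limits quoted in the article. It never contacts
the API. The VPC CIDR 10.10.0.0/20 used for the MySQL rule is an assumed
value; substitute your VPC's range.
"""
import ipaddress
import json

# Per-firewall limits as quoted in the article.
MAX_DROPLET_IDS = 10
MAX_TAGS = 5
MAX_RULES = 50
SUPPORTED_PROTOCOLS = {"icmp", "tcp", "udp"}


def rule(protocol, ports=None, addresses=(), tags=(), droplet_ids=(),
         direction="inbound"):
    """Return one rule in the API's shape.

    Inbound rules list their peers under 'sources', outbound rules under
    'destinations'. ICMP rules carry no 'ports' key; TCP/UDP rules need one
    ('22', '8000-9000' or 'all').
    """
    if protocol not in SUPPORTED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}; only ICMP, TCP, UDP")
    if protocol == "icmp" and ports is not None:
        raise ValueError("icmp rules do not take ports")
    if protocol != "icmp" and ports is None:
        raise ValueError(f"{protocol} rule needs ports ('22', '8000-9000' or 'all')")
    for addr in addresses:
        # Accepts a bare IP or a CIDR, IPv4 or IPv6; raises on malformed input.
        ipaddress.ip_network(addr, strict=False)
    peers = {}
    if addresses:
        peers["addresses"] = list(addresses)
    if tags:
        peers["tags"] = list(tags)
    if droplet_ids:
        peers["droplet_ids"] = list(droplet_ids)
    if not peers:
        raise ValueError("a rule must name at least one source or destination")
    body = {"protocol": protocol}
    if ports is not None:
        body["ports"] = str(ports)
    body["sources" if direction == "inbound" else "destinations"] = peers
    return body


def limit_violations(firewall):
    """List every article-quoted limit that the request body exceeds."""
    problems = []
    if len(firewall.get("droplet_ids", [])) > MAX_DROPLET_IDS:
        problems.append(f"more than {MAX_DROPLET_IDS} individual droplets (use a tag)")
    if len(firewall.get("tags", [])) > MAX_TAGS:
        problems.append(f"more than {MAX_TAGS} tags")
    n_rules = len(firewall.get("inbound_rules", [])) + len(firewall.get("outbound_rules", []))
    if n_rules > MAX_RULES:
        problems.append(f"{n_rules} rules exceeds the combined limit of {MAX_RULES}")
    return problems


def build_firewall(name, inbound, outbound, tags=(), droplet_ids=()):
    """Assemble the request body and refuse to return one that breaks a limit."""
    firewall = {
        "name": name,
        "inbound_rules": list(inbound),
        "outbound_rules": list(outbound),
        "tags": list(tags),
        "droplet_ids": list(droplet_ids),
    }
    problems = limit_violations(firewall)
    if problems:
        raise ValueError("; ".join(problems))
    return firewall


def ssh_limit_firewall(admin_ip="192.168.100.5", tag="test"):
    """The article's ssh-limit firewall: SSH from one address, default outbound."""
    anywhere = ("0.0.0.0/0", "::/0")
    inbound = [rule("tcp", "22", addresses=[admin_ip])]
    outbound = [
        rule("tcp", "all", addresses=anywhere, direction="outbound"),
        rule("udp", "all", addresses=anywhere, direction="outbound"),
        rule("icmp", addresses=anywhere, direction="outbound"),
    ]
    return build_firewall("ssh-limit", inbound, outbound, tags=[tag])


def mysql_vpc_rule(vpc_cidr="10.10.0.0/20"):
    """Inbound MySQL (3306) only from the VPC's private range (assumed CIDR)."""
    return rule("tcp", "3306", addresses=[vpc_cidr])


if __name__ == "__main__":
    fw = ssh_limit_firewall()
    fw["inbound_rules"].append(mysql_vpc_rule())
    print(json.dumps(fw, indent=2))
```

Running the script prints the combined body; the printed JSON is what you would post to the API (or compare against the rules shown in the control panel). Because the limits are checked before the request is built, a firewall that quietly exceeds the 50-rule or 10-Droplet ceiling is rejected locally rather than failing at the API, and the tag-based attachment mirrors the article's advice to attach the firewall to a tag rather than to individual Droplets.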
Although this is only an overview of the features and rules that can be defined for DigitalOcean Droplets, the combination of a network-level firewall and VPC networks can easily protect your Droplets from malicious traffic. Given the low cost of small Droplets and the ease of configuration, it is easy to see why cloud firewalls are used to protect server resources.