Firewalls are critical to the security of every server. Allowing only the right traffic to the right resource keeps malicious traffic and potential attacks from taking advantage of an unprotected server. DigitalOcean offers virtual machines, called Droplets, which have their own firewall system with configuration, monitoring and maintenance advantages over traditional OS-level firewalls.
The firewall system is called Cloud Firewalls. It is a network-level firewall that drops traffic you do not want reaching your Droplet, so potentially harmful traffic never reaches your server. Some of the features of Cloud Firewalls are:
- Stateful inbound and outbound firewalls
- Named services, such as SSH, HTTP(S), MySQL, etc.
- Custom ports
- Port ranges
- Restriction by source, such as Droplets, Load Balancers, VPCs, tags, or specific IPv4 or IPv6 CIDR addresses
DigitalOcean recently released Virtual Private Cloud (VPC) networking. By placing a collection of resources in a VPC, all traffic between them is kept inside that network, isolated from other VPC networks. Cloud Firewalls work with VPC to further segment and protect traffic. For this article, we will use two virtual machines configured in the following manner:
- OS: Ubuntu 18.04.3 LTS x64
- Pricing: Basic Droplet at $5/month
- Region: SFO2
- Authentication: SSH keys
Create a Cloud Firewall
After creating a Linux virtual machine, one of the first tasks is to protect the SSH service, as it is often a primary target for malicious actors. Let’s create a simple, easy to use firewall that limits SSH access to our newly created virtual machine to only the IP we designate.
In this example, it will be the IP address 192.168.100.5. After clicking on “Create Firewall” we get a form that asks for the name, inbound rules, outbound rules and the resources to which the firewall is to be applied.
Inbound rules: the rule we add allows SSH (TCP port 22) only from 192.168.100.5.
Let’s then look at the outbound rules. What you see below are the default rules. They say that all outbound TCP and UDP traffic is allowed to all destinations, as is ICMP traffic. In general that is fine, depending on your needs. Most server administrators exercise less control over outbound traffic than inbound. With that said, you can certainly limit this traffic too.
Finally, let’s apply this new firewall to a newly created virtual machine that we have tagged test. Why apply the firewall to a tag rather than to the Droplet itself? By targeting a tag, this firewall is automatically applied to every new resource that carries that tag. It automates the configuration and means that important firewall settings will not be missed.
After creation, you can see that the firewall is correctly applied to the Droplet and will now drop all traffic that does not match those rules before it ever reaches the Droplet.
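The same ssh-limit firewall can be created without the console. The following Python is an added example, not DigitalOcean’s own code: it builds the request body the Cloud Firewalls API (POST /v2/firewalls) expects for the firewall described above, with the inbound rule limited to 192.168.100.5, the default outbound rules, and the tag test as the target. The DIGITALOCEAN_TOKEN environment variable name is an assumption; without it the script only prints the payload.

```python
# Added example (not DigitalOcean's code): request body for the "ssh-limit"
# Cloud Firewall. ADMIN_IP and the "test" tag come from the article; the
# token environment variable name is assumed.
import json
import os
import urllib.request

ADMIN_IP = "192.168.100.5"          # the only source allowed to reach SSH
ANYWHERE = ["0.0.0.0/0", "::/0"]    # all IPv4 and IPv6 destinations


def rule(protocol, ports=None, sources=None, destinations=None):
    """One Cloud Firewall rule in API form. ICMP rules carry no ports field."""
    r = {"protocol": protocol}
    if protocol != "icmp":
        r["ports"] = ports or "all"
    if sources is not None:
        r["sources"] = sources
    if destinations is not None:
        r["destinations"] = destinations
    return r


def ssh_limit_firewall(admin_ip=ADMIN_IP, tag="test"):
    """Inbound: only TCP/22 from the admin IP. Outbound: the console defaults
    (all TCP, all UDP and ICMP to anywhere). Applied by tag, not Droplet id,
    so every Droplet tagged later inherits the firewall."""
    return {
        "name": "ssh-limit",
        "inbound_rules": [
            rule("tcp", "22", sources={"addresses": [admin_ip]}),
        ],
        "outbound_rules": [
            rule("tcp", "all", destinations={"addresses": ANYWHERE}),
            rule("udp", "all", destinations={"addresses": ANYWHERE}),
            rule("icmp", destinations={"addresses": ANYWHERE}),
        ],
        "droplet_ids": [],
        "tags": [tag],
    }


def create_firewall(spec, token):
    """POST the spec to the API and return the parsed JSON response."""
    req = urllib.request.Request(
        "https://api.digitalocean.com/v2/firewalls",
        data=json.dumps(spec).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    spec = ssh_limit_firewall()
    print(json.dumps(spec, indent=2))
    token = os.environ.get("DIGITALOCEAN_TOKEN")   # assumed variable name
    if token:
        print(create_firewall(spec, token))
```

Note that inbound rules list sources and outbound rules list destinations; a single address without a prefix length is accepted, but writing it as 192.168.100.5/32 makes the intent explicit when reviewing the rule later.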
Provisioning a new Droplet
What happens when we provision a new Droplet and give the virtual machine the test tag? After creating the new virtual machine and navigating to the Networking section of the Droplet, you can see that the ssh-limit firewall we previously created has been applied automatically.
Limiting internal VPC traffic
What if we have MySQL databases installed on our two Droplets and want to ensure that traffic does not leak beyond these resources? To ensure that port 3306 (MySQL) traffic is only allowed from other resources within the VPC, a Cloud Firewall rule can be applied to the VPC’s traffic range.
If you use DigitalOcean’s Managed Databases product, such as a MySQL, PostgreSQL or Redis database, this capability also makes it easy to protect those resources. The ideal setup is to place all the relevant resources in a VPC and then use Cloud Firewalls to protect the traffic between them.
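To check that a rule set really keeps MySQL inside the VPC before relying on it, it helps to model how the inbound side of a Cloud Firewall decides what reaches a Droplet. The Python below is an added example, not DigitalOcean’s code: it evaluates constructed connection attempts against the two rules discussed above (SSH from 192.168.100.5, MySQL from the VPC). The VPC is represented by its address range 10.10.0.0/16 and the sample source addresses are constructed for the example; the firewall’s default-deny behaviour is the point being shown.

```python
# Added example (not DigitalOcean's code): a model of inbound rule evaluation
# for a Cloud Firewall. VPC_CIDR and the sample sources are constructed;
# ADMIN_IP is the admin address from the article.
import ipaddress

VPC_CIDR = "10.10.0.0/16"   # constructed VPC address range
ADMIN_IP = "192.168.100.5"

# Same shape as the API's inbound_rules; only "addresses" sources are modelled.
INBOUND_RULES = [
    {"protocol": "tcp", "ports": "22",   "sources": {"addresses": [ADMIN_IP]}},
    {"protocol": "tcp", "ports": "3306", "sources": {"addresses": [VPC_CIDR]}},
]


def port_matches(spec, port):
    """Port specs are 'all', a single port, or an inclusive 'lo-hi' range."""
    if spec == "all":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(addresses, src_ip):
    """True if src_ip falls inside any listed address or CIDR block."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in addresses)


def inbound_allowed(rules, protocol, dst_port, src_ip):
    """Cloud Firewalls deny by default: a packet reaches the Droplet only if
    some inbound rule matches its protocol, destination port and source."""
    for r in rules:
        if r["protocol"] != protocol:
            continue
        if protocol != "icmp" and not port_matches(r["ports"], dst_port):
            continue
        if source_matches(r["sources"]["addresses"], src_ip):
            return True
    return False


if __name__ == "__main__":
    # constructed connection attempts: (protocol, destination port, source)
    attempts = [
        ("tcp", 3306, "10.10.0.7"),     # another Droplet inside the VPC
        ("tcp", 3306, "203.0.113.9"),   # the public internet
        ("tcp", 22, ADMIN_IP),          # the designated admin address
        ("tcp", 22, "10.10.0.7"),       # a VPC peer may not reach SSH
        ("udp", 3306, "10.10.0.7"),     # right port, wrong protocol
    ]
    for proto, port, src in attempts:
        verdict = "allowed" if inbound_allowed(INBOUND_RULES, proto, port, src) else "dropped"
        print(f"{proto}/{port} from {src}: {verdict}")
```

Because the firewall only sees source addresses, this check is only as strong as the VPC boundary itself: a Droplet inside the VPC range can still reach 3306, which is exactly the intended scope, so anything that should not talk to the database should not be placed in that VPC.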
Cloud Firewall caveats
You need to be aware of a few things when using Cloud Firewalls. Some are quantity limits on Cloud Firewalls, and others are product limitations that may affect how you use them.
- A maximum of ten individually added Droplets per firewall.
- A maximum of 5 tags per firewall, but by using tags you can get around the ten-Droplet limit (i.e. a tag with 50 Droplets still works with the firewall).
- A firewall can have a total of 50 combined inbound and outbound rules.
- Firewalls currently support only ICMP, TCP, and UDP traffic.
- Traffic logs are not available for dropped traffic, since dropping happens at the network level.
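Because the API simply rejects a firewall that breaks these limits, a deployment script benefits from checking a spec before sending it. The Python below is an added example, not DigitalOcean’s code: it checks a firewall spec (in the API’s shape) against the limits listed above and returns the violations found. The two sample specs, including the unsupported protocol value "gre", are constructed for the example.

```python
# Added example (not DigitalOcean's code): pre-flight check of a firewall spec
# against the Cloud Firewall limits listed in the article. Sample specs are
# constructed; "gre" is used only as an example of an unsupported protocol.
LIMITS = {"droplet_ids": 10, "tags": 5, "rules": 50}
PROTOCOLS = {"tcp", "udp", "icmp"}


def check_firewall_spec(spec):
    """Return a list of limit violations; an empty list means the spec is acceptable."""
    problems = []
    rules = spec.get("inbound_rules", []) + spec.get("outbound_rules", [])
    if len(rules) > LIMITS["rules"]:
        problems.append(
            f"{len(rules)} rules exceeds the combined limit of {LIMITS['rules']}")
    if len(spec.get("droplet_ids", [])) > LIMITS["droplet_ids"]:
        problems.append(
            f"more than {LIMITS['droplet_ids']} individually added Droplets; use a tag instead")
    if len(spec.get("tags", [])) > LIMITS["tags"]:
        problems.append(f"more than {LIMITS['tags']} tags")
    for i, r in enumerate(rules):
        if r.get("protocol") not in PROTOCOLS:
            problems.append(
                f"rule {i}: protocol {r.get('protocol')!r} is not supported (tcp, udp, icmp only)")
    return problems


def sample_specs():
    """Two constructed specs: one within limits, one breaking three of them."""
    ok = {
        "name": "ssh-limit",
        "inbound_rules": [
            {"protocol": "tcp", "ports": "22",
             "sources": {"addresses": ["192.168.100.5"]}},
        ],
        "outbound_rules": [],
        "droplet_ids": [],
        "tags": ["test"],
    }
    bad = {
        "name": "too-big",
        # 51 inbound rules plus one outbound rule: over the combined limit
        "inbound_rules": [
            {"protocol": "tcp", "ports": str(p),
             "sources": {"addresses": ["0.0.0.0/0"]}}
            for p in range(8000, 8051)
        ],
        "outbound_rules": [
            {"protocol": "gre", "destinations": {"addresses": ["0.0.0.0/0"]}},
        ],
        "droplet_ids": list(range(11)),   # eleven ids: over the per-firewall limit
        "tags": [],
    }
    return ok, bad


if __name__ == "__main__":
    for spec in sample_specs():
        print(spec["name"], "->", check_firewall_spec(spec) or ["ok"])
```

The Droplet-count check reports the workaround the article gives (use a tag), since that is the fix an operator will actually apply rather than splitting one firewall into several.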
Although this is just an overview of the functionality and rules that can be defined for DigitalOcean Droplets, the combination of a network-level firewall and VPC networking can easily protect your Droplets from malicious traffic. With the low cost of small Droplets and the simple configuration, you can quickly see how to use Cloud Firewalls to protect your server resources.