Question

I want to make droplet can only be accessed by Managed Loadbalancer + ssh (anywhere) and by using ufw rules.

I want to make droplet can only be accessed by managed Loadbalancer internal IP + and ssh (anywhere) and by using ufw rules, how can I achieved that? Nginx should be not harmed by that action.

Purpose to stop DDOS targeting directly to my droplet. I have used cloudflare to managed DDOS from Loadbalancer IP but I need to protect my individual droplet.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev

Site Moderator

• October 23, 2023

Accepted Answer

Hi there,

What you could do is to use a managed Cloud firewall and lock down all of the public access to your Droplets and only allow traffic within the VPC, that way your Droplets will not be accessible directly from the outside world:

https://docs.digitalocean.com/products/networking/firewalls/

Also speaking of DDoS protection, DigitalOcean just anounced their new DDoS protection which you could also use:

https://www.digitalocean.com/products/ddos-protection

If you still want to use ufw instead of a cloud firewall, what you could do is:

Allow SSH traffic and disable all other incoming traffic:

sudo ufw allow ssh
sudo ufw default deny incoming
sudo ufw default allow outgoing

Then allow the Load Balancer IPs for port 80 and 443 if needed:

ufw allow from loadbalancer.private.ip to any port 80
ufw allow from loadbalancer.public.ip to any port 80
ufw allow from loadbalancer.private.ip to any port 443
ufw allow from loadbalancer.public.ip to any port 443

Let me know if you have any questions!

Best,

Bobby