
If you use Terraform, I highly recommend this module, which simplifies the firewall deployment process.

For DigitalOcean, follow these steps for firewalling Cloudflare:

Via Web interface:

  1. Go to Networking -> Firewalls -> new (or click this link).
  2. For the name, enter something like "Cloudflare".
  3. Remove all of the default inbound and outbound rules.
  4. Create a new inbound rule for HTTPS.
  5. In the "sources" box, delete the existing entries.
  6. Go to and copy-and-paste every single IP range (v4 and v6) into the sources box individually. Do this for any other ports you may want to use with Cloudflare.

I understand adding all of the Cloudflare IPs manually may be tedious, but this is a limitation of DigitalOcean.

After that, feel free to apply it to droplets and create the firewall.

Via command line:

doctl compute firewall create --name cloudflare --inbound-rules protocol:tcp,ports:443,address:,address:,address:,address:,address:,address:,address:,address:,address:,address:,address:,address:,address:,address:,address:2400:cb00::/32,address:2606:4700::/32,address:2803:f800::/32,address:2405:b500::/32,address:2405:8100::/32,address:2a06:98c0::/29,address:2c0f:f248::/32
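
To avoid typing every range by hand, the rule string for the command above can be generated from a list of ranges, one per line. The script below is an added example, not part of the original article: the function names and `SAMPLE_RANGES` are hypothetical, the IPv4 lines are documentation placeholders to be replaced with Cloudflare's published ranges, and it goes slightly beyond the single-port command by also producing rules for several ports.

```sh
# Constructed sample input. The IPv4 lines are documentation ranges used as
# placeholders; the IPv6 lines are taken from the command on this page.
SAMPLE_RANGES='
# IPv4 (placeholders)
192.0.2.0/24
198.51.100.0/24
# IPv6
2400:cb00::/32
2606:4700::/32
'

# is_cidr RANGE: syntax check for an IPv4 or IPv6 range with a valid prefix.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))$'
}

# build_rule PORT: read ranges on stdin, print one inbound TCP rule for PORT.
# Blank lines and # comments are skipped. A malformed range or an empty list
# returns 1, so a typo cannot yield a rule with a wrong or missing source.
build_rule() {
    rule="protocol:tcp,ports:$1"
    count=0
    while IFS= read -r line; do
        line=$(printf '%s\n' "$line" | sed 's/#.*//' | tr -d ' \t\r')
        if [ -z "$line" ]; then continue; fi
        if ! is_cidr "$line"; then echo "invalid range: $line" >&2; return 1; fi
        rule="$rule,address:$line"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then echo "no ranges supplied" >&2; return 1; fi
    printf '%s\n' "$rule"
}

# build_rules "PORTS": the same ranges for several ports, as space-separated
# rules inside one quoted --inbound-rules value.
build_rules() {
    ranges=$(cat)
    out=""
    for p in $1; do
        r=$(printf '%s\n' "$ranges" | build_rule "$p") || return 1
        out="${out:+$out }$r"
    done
    printf '%s\n' "$out"
}

# Dry run: print the command for review rather than executing it.
rules=$(printf '%s\n' "$SAMPLE_RANGES" | build_rules "443")
echo "doctl compute firewall create --name cloudflare --inbound-rules \"$rules\""
```

Because the script only prints the command, the generated source list can be compared against the published ranges before anything is created.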