
DigitalOcean Firewalls

Knocknoc can orchestrate DigitalOcean Cloud Firewalls to provide dynamic IP network allowlisting for your Droplets, Load Balancers, and Kubernetes Clusters. Knocknoc manages individual firewall rules, adding and removing source (or destination) IP addresses as users authenticate, providing just-in-time network access.

Agent version 26.01+ is required for this functionality.

DigitalOcean configuration

Create or identify a Firewall

  1. Log in to DigitalOcean
  2. Navigate to "Networking" -> "Firewalls"
  3. Either identify an existing Firewall you would like Knocknoc to manage, or click "Create Firewall"
  4. If creating a new Firewall, provide a meaningful name (e.g. "knocknoc-managed") and assign it to your target resources (Droplets, Load Balancers, or Kubernetes Clusters)
  5. You do not need to manually add rules for the services Knocknoc will manage. Knocknoc creates and removes those rules dynamically.
  6. Existing static rules are not affected. Knocknoc only manages rules that carry its own identifying tag (see "How Knocknoc identifies its rules" below).

Firewall ID

  1. Navigate to "Networking" -> "Firewalls" and click on your target Firewall
  2. The Firewall ID is the UUID shown in the browser URL bar (e.g. https://cloud.digitalocean.com/networking/firewalls/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
  3. Copy this ID for your Knocknoc configuration

Personal Access Token

You need to create a Personal Access Token with permissions to manage Firewalls and Tags.

  1. Click on "API" in the left-hand navigation (or navigate to "Settings" -> "API")
  2. Under "Personal access tokens", click "Generate New Token"
  3. Provide a meaningful name (e.g. "Knocknoc Firewall Management")
  4. Select "Custom Scopes" and ensure the following permissions are granted:
    • Firewall: Read and Update
    • Tag: Create and Read
    • Droplet: Read
  5. Click "Generate Token"
  6. Copy the token immediately for your Knocknoc configuration. It is only shown once. Treat it as a secret: it can rewrite the rules of any Firewall in the account, so store it only in the Knoc configuration, and if you set an expiration on it, rotate it in Knocknoc before it lapses.

Knoc configuration

DigitalOcean "Active" orchestration

  1. Log in to Knocknoc as an Admin (/admin)
  2. Select Knoc, Create new
  3. Select Firewalls/Appliances
  4. Select "Active", then "DigitalOcean"
  5. Provide the Personal Access Token (created in DigitalOcean, as above)
  6. Provide the Firewall ID (copied from the DigitalOcean dashboard, as above)
  7. Select the Direction — "Inbound" to allowlist source IPs, or "Outbound" to allowlist destination IPs. In most cases, you will want Inbound.
  8. Select the Protocol — TCP, UDP, or ICMP
  9. Provide the Port Range — a single port (e.g. 443), a range (e.g. 8000-9000), or all
  10. You're now ready to test end to end!

Validating

  1. Log in to DigitalOcean and view the target Firewall's rules.
  2. Log in to Knocknoc as a user linked to this Knoc and confirm that the status shows as Granted.
  3. Refresh the DigitalOcean Firewall rules. A new rule matching your configured protocol and port range will appear, with the user's IP address as an allowed source (or destination).
  4. If additional users authenticate, their IP addresses will be added to the same rule.
  5. Logging out will remove the user's IP address from the rule. When the last IP address is removed, the rule itself is cleaned up automatically.

Limits and considerations

Firewall rule limits

DigitalOcean enforces the following limits on Cloud Firewalls:

  • 50 rules maximum per Firewall (inbound + outbound combined). If the Firewall is full, Knocknoc will return an error and will not be able to add new rules.
  • 1,000 addresses maximum per rule source or destination. If a single rule reaches this limit, additional IP addresses cannot be added.

Plan your Firewall usage accordingly — if you have many static rules, consider using a dedicated Firewall for Knocknoc-managed access.

How Knocknoc identifies its rules

Knocknoc identifies the rules it manages by a "knocknoc" tag in the rule's sources (for inbound) or destinations (for outbound). Rules without this tag are left untouched, so your existing manually-created rules are not modified by Knocknoc. Note that DigitalOcean treats a tag in a rule's sources or destinations as matching every Droplet that carries that tag, so a Droplet tagged "knocknoc" would also match these rules; restrict who can apply that tag in your account.
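
The following script, added here as an example and not part of Knocknoc or DigitalOcean, shows how to check a Firewall against the conventions described above: it parses the JSON object returned by the DigitalOcean API (GET https://api.digitalocean.com/v2/firewalls/<firewall-id>), picks out rules tagged "knocknoc", confirms whether a given user IP is currently granted on a Knoc's protocol and port range (the Validating steps), and reports how much headroom remains under the 50-rule and 1,000-address limits. The sample response embedded in the script is constructed for illustration; function names and the constant values are this example's own.

```python
"""Inspect a DigitalOcean Cloud Firewall for Knocknoc-managed rules.

Added example, not Knocknoc's own code. Works on the JSON object that
GET https://api.digitalocean.com/v2/firewalls/<firewall-id> returns, and
applies the page's convention that a managed rule carries the "knocknoc"
tag in its sources (inbound) or destinations (outbound).
"""
import ipaddress
import json

MAX_RULES_PER_FIREWALL = 50     # DO limit: inbound + outbound combined
MAX_ADDRESSES_PER_RULE = 1000   # DO limit: per rule source/destination set
MANAGED_TAG = "knocknoc"        # tag Knocknoc places on rules it manages

# Constructed sample response (not real data): one Knocknoc-managed TCP/443
# rule with two granted users, one static SSH rule, and an outbound allow-all.
SAMPLE_RESPONSE = json.dumps({
    "firewall": {
        "id": "00000000-0000-0000-0000-000000000000",
        "name": "knocknoc-managed",
        "inbound_rules": [
            {"protocol": "tcp", "ports": "443",
             "sources": {"addresses": ["203.0.113.10", "198.51.100.7"],
                         "tags": ["knocknoc"]}},
            {"protocol": "tcp", "ports": "22",
             "sources": {"addresses": ["192.0.2.0/24"]}},
        ],
        "outbound_rules": [
            {"protocol": "tcp", "ports": "all",
             "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
        ],
    }
})


def load_firewall(raw_json):
    """Unwrap the {"firewall": {...}} envelope the API returns."""
    return json.loads(raw_json)["firewall"]


def _endpoints(rule, direction):
    # Inbound rules list "sources"; outbound rules list "destinations".
    key = "sources" if direction == "inbound" else "destinations"
    return rule.get(key, {})


def managed_rules(firewall, direction):
    """Rules whose source/destination set carries the knocknoc tag."""
    rules = firewall.get(f"{direction}_rules", [])
    return [r for r in rules
            if MANAGED_TAG in _endpoints(r, direction).get("tags", [])]


def find_managed_rule(firewall, direction, protocol, ports):
    """The single managed rule for one Knoc (protocol + port range), or None."""
    for r in managed_rules(firewall, direction):
        if r.get("protocol") == protocol and r.get("ports") == ports:
            return r
    return None


def ip_is_granted(firewall, ip, direction="inbound", protocol="tcp", ports="443"):
    """True if `ip` is covered by an address entry of the Knoc's managed rule."""
    rule = find_managed_rule(firewall, direction, protocol, ports)
    if rule is None:
        return False
    addr = ipaddress.ip_address(ip)
    for entry in _endpoints(rule, direction).get("addresses", []):
        # The API accepts bare addresses and CIDRs in the same list;
        # a v4 address never matches a v6 network and vice versa.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def limit_headroom(firewall):
    """Remaining capacity before the per-Firewall and per-rule limits bite."""
    inbound = firewall.get("inbound_rules", [])
    outbound = firewall.get("outbound_rules", [])
    rules_used = len(inbound) + len(outbound)
    largest = 0
    for direction, rules in (("inbound", inbound), ("outbound", outbound)):
        for r in rules:
            largest = max(largest, len(_endpoints(r, direction).get("addresses", [])))
    return {
        "rules_used": rules_used,
        "rules_free": MAX_RULES_PER_FIREWALL - rules_used,
        "largest_rule_addresses": largest,
        "addresses_free_in_largest_rule": MAX_ADDRESSES_PER_RULE - largest,
    }


if __name__ == "__main__":
    fw = load_firewall(SAMPLE_RESPONSE)
    print("managed inbound rules:", len(managed_rules(fw, "inbound")))
    print("203.0.113.10 granted on tcp/443:", ip_is_granted(fw, "203.0.113.10"))
    print("192.0.2.5 granted on tcp/443:", ip_is_granted(fw, "192.0.2.5"))
    print("headroom:", limit_headroom(fw))
```

To run it against a real Firewall, replace SAMPLE_RESPONSE with the body of the API call above (for example via curl with an Authorization: Bearer header carrying a read-only token; the Personal Access Token created for Knocknoc itself should not be reused for ad-hoc checks). Watching rules_free approach zero is the practical early warning for the "Firewall is full" error described under Limits.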

Protocol and port per Knoc

Each Knoc (ACL configuration) maps to a single protocol and port-range combination. If you need to manage access for multiple services (e.g. TCP/443 and TCP/22), create a separate Knoc for each; each Knoc produces its own managed rule, which counts toward the 50-rule limit.