doctl-databases-firewalls
Manage DigitalOcean database cluster firewalls
TLDR
Run a doctl databases firewalls command with an access token
Retrieve a list of firewall rules for a given database
Add a database firewall rule to a given database
Remove a firewall rule for a given database
SYNOPSIS
doctl databases firewalls <subcommand> <cluster-id> [flags]
Subcommands: create, delete, get, list, update
PARAMETERS
--async
Return immediately without waiting for completion
--format string
Columns for output (comma-separated); default: "ID,ClusterID,Status,InboundRulesCount,OutboundRulesCount"
--help, -h
Help for firewalls
--inbound-rules-file file
Path to JSON file with inbound rules array (required for create/update)
--no-header
Hide headers in output tables
--outbound-rules-file file
Path to JSON file with outbound rules array
--verbose [level]
Enable verbose logging (0-3)
DESCRIPTION
The doctl databases firewalls command is a subcommand of the DigitalOcean CLI tool doctl, used to manage firewall configurations for Managed Databases. Managed Databases are cloud-hosted PostgreSQL, MySQL, or Redis clusters that require firewall rules to control inbound and outbound network traffic.
Firewall rules define allowed sources such as Droplets (by ID), Kubernetes clusters, tags, VPC networks, or other Cloud Firewalls. Each database cluster has a single firewall resource, which can be created, retrieved, listed, updated, or deleted via this command's subcommands.
This enables secure access control without manual server configuration. Rules are specified in JSON files detailing protocol (TCP/UDP/ICMP), ports, and sources. For example, allow TCP port 5432 from a specific Droplet ID.
Authentication requires a DigitalOcean API token configured with doctl auth init. The create and update subcommands wait for the change to complete by default; pass --async to return immediately. The list subcommand shows firewalls across all clusters the token can access.
Ideal for IaC workflows with Terraform or Ansible, ensuring databases are isolated from unauthorized access. Supports verbose logging for troubleshooting.
CAVEATS
Requires a DigitalOcean API token.
JSON rules must match the schema (type: droplet|k8s-cluster|tag|cloud-firewall-id|vpc).
One firewall per cluster.
Changes propagate in ~1-2 minutes.
INBOUND RULES JSON EXAMPLE
[{"type":"droplet","droplet_ids":[123456],"ports":"5432"}]
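As an added example (not doctl's own code and not part of this page), a small Python pre-flight check for a rules file before it is passed with --inbound-rules-file or --outbound-rules-file. It validates the rule types listed under CAVEATS and the droplet_ids/ports shape from the example above; field names for the other rule types are not given on this page, so they are not checked, and the all-ports warning is this example's own least-privilege policy, not a doctl rule.

```python
import json
import re

# Rule types enumerated in the CAVEATS section of this page.
ALLOWED_TYPES = {"droplet", "k8s-cluster", "tag", "cloud-firewall-id", "vpc"}
# A single port or a "low-high" range, following the page's "ports":"5432" example.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
# Constructed sample: the inbound rule shown on this page.
SAMPLE_RULES = '[{"type":"droplet","droplet_ids":[123456],"ports":"5432"}]'


def port_errors(ports):
    """Return problems with a ports value; an empty list means it is acceptable."""
    m = PORT_RE.match(ports) if isinstance(ports, str) else None
    if not m:
        return [f"ports {ports!r} is not a port number or low-high range string"]
    low = int(m.group(1))
    high = int(m.group(2) or low)
    if not 1 <= low <= high <= 65535:
        return [f"ports {ports!r} is outside 1-65535 or reversed"]
    if (low, high) == (1, 65535):  # example's own policy: flag "allow every port"
        return ["ports 1-65535 allows every port; narrow it to the database port"]
    return []


def validate_rules(text):
    """Validate a rules JSON document and return a list of findings (empty = clean)."""
    findings = []
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(rules, list) or not rules:
        return ["top level must be a non-empty array of rule objects"]
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            findings.append(f"rule {i}: not an object")
            continue
        rtype = rule.get("type")
        if rtype not in ALLOWED_TYPES:
            findings.append(f"rule {i}: unknown type {rtype!r}")
        if rtype == "droplet":  # only source field documented on this page
            ids = rule.get("droplet_ids")
            if not (isinstance(ids, list) and ids and all(isinstance(x, int) for x in ids)):
                findings.append(f"rule {i}: droplet rules need a non-empty droplet_ids list of ints")
        if "ports" not in rule:
            findings.append(f"rule {i}: ports field is required")
        else:
            findings.extend(f"rule {i}: {e}" for e in port_errors(rule["ports"]))
    return findings


if __name__ == "__main__":
    print(validate_rules(SAMPLE_RULES) or "rules file OK")
```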
SUBCOMMANDS DETAILS
create/list/get: Manage cluster firewalls by cluster ID.
delete: Removes the firewall and all of its rules, leaving the cluster exposed; confirm the cluster ID before running it.
HISTORY
Introduced in doctl v1.40.0 (2020) with Managed Databases launch; enhanced in v1.80+ for VPC/Cloud Firewall support; aligns with DigitalOcean API v2.