DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud firewalls block all traffic that isn’t expressly permitted by a rule.
Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. Some firewalls are host-based and are configured on a per-server basis using services like iptables or UFW. Others, like DigitalOcean Cloud Firewalls, are network-based and stop traffic at the network layer before it reaches the server.
You can apply cloud firewall rules to individual Droplets, but a more powerful option is to use tags. Tags are custom labels that you can apply to Droplets and other DigitalOcean resources. When you add a tag to a firewall, any Droplets with that tag are automatically included in the firewall configuration.
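The tag matching and default-deny behaviour described above, as an added Python example (not DigitalOcean's code): a simplified offline model that works out which Droplets a firewall covers and whether an inbound TCP/UDP connection would be permitted. The records are constructed samples shaped like DigitalOcean API objects, and the function names are hypothetical. The model assumes that a rule in any covering firewall is enough to allow traffic, and it reports a Droplet that no firewall covers as "unprotected".

```python
import ipaddress

# Constructed sample data, shaped like firewall and Droplet objects in the
# DigitalOcean API (tags, droplet_ids, inbound_rules with sources.addresses).
FIREWALLS = [{
    "name": "web-fw",
    "tags": ["web"],
    "droplet_ids": [],
    "inbound_rules": [
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["203.0.113.0/24"]}},
    ],
}]
DROPLETS = [
    {"id": 101, "name": "web-1", "tags": ["web"]},
    {"id": 102, "name": "web-2", "tags": ["web", "staging"]},
    {"id": 103, "name": "db-1", "tags": ["db"]},  # no firewall carries this tag
]

def covering_firewalls(droplet, firewalls):
    """Firewalls that apply to a Droplet, by explicit ID or by a shared tag."""
    return [fw for fw in firewalls
            if droplet["id"] in fw["droplet_ids"] or set(droplet["tags"]) & set(fw["tags"])]

def port_matches(spec, port):
    """Match a port against a rule's ports string: a single port or "low-high"."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def inbound_decision(droplet, firewalls, protocol, port, source_ip):
    """Return 'allow', 'deny', or 'unprotected' (no firewall covers the Droplet)."""
    covering = covering_firewalls(droplet, firewalls)
    if not covering:
        return "unprotected"
    src = ipaddress.ip_address(source_ip)
    for fw in covering:
        for rule in fw["inbound_rules"]:
            if rule["protocol"] != protocol or not port_matches(rule["ports"], port):
                continue
            nets = [ipaddress.ip_network(a, strict=False)
                    for a in rule["sources"].get("addresses", [])]
            if any(src.version == n.version and src in n for n in nets):
                return "allow"
    return "deny"  # default: traffic that no rule permits is blocked

def unprotected_droplets(droplets, firewalls):
    """Names of Droplets no firewall covers, for example because a tag is missing."""
    return [d["name"] for d in droplets if not covering_firewalls(d, firewalls)]
```

Running `unprotected_droplets` over an inventory export is a quick way to spot Droplets that were created without the tag a firewall expects.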