List of Digital Ocean IPs CIDRs
complete
Dan Brian
Hi David H, we publish our IP ranges as a CSV file here: https://digitalocean.com/geo/google.csv
Hope this helps. Thanks!
David H
Dan Brian: Thank you!
Brandon B
Dan Brian: Wouldn't this open this up for ANY DO droplet, including other customers using those regions? Or are these ranges Droplet Console specific? If this is an official list that is narrowly scoped, please include a link over in the documentation. Otherwise I think a security warning should come with this list.
Petr Novak
Dan, I'm not sure what I'm doing wrong, but I just can't find the IP addresses (3 IPs) on that list used by Droplet Console to ssh to my droplet. But at the same time I can find all my droplet addresses there.
Could you tell me in which range can I find 198.211.111.194/32? Because I don't think it's in 198.211.110.0/24 nor in 198.211.112.0/22. But from what I could find on the Internets 198.211.111.194/32 has been in use for ssh by DO for quite some time (several years).
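The range check described in the post above, as an added example that is not part of the original thread: it parses a prefix list and reports which published prefixes, if any, contain a given address, plus how many IPv4 addresses an allowlist built from the list would admit. It assumes the published file is a CSV with the CIDR prefix in the first column; the sample data is constructed, and only the two IPv4 prefixes and the queried address come from the thread.

```python
import csv
import io
import ipaddress

# Constructed sample; assumed layout is prefix,country,region,city,postal.
# Only the two IPv4 prefixes appear in the thread, everything else is made up.
SAMPLE_CSV = """\
# constructed sample, not the real file
198.211.110.0/24,ZZ,,,
198.211.112.0/22,ZZ,,,
2001:db8:100::/48,ZZ,,,
not-a-prefix,ZZ,,,
"""

def load_prefixes(text):
    """Return (networks, rejected_first_columns) parsed from the CSV text."""
    networks, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue  # skip blank lines and comments
        try:
            networks.append(ipaddress.ip_network(row[0].strip(), strict=True))
        except ValueError:
            rejected.append(row[0])  # keep bad rows visible instead of dropping them
    return networks, rejected

def covering_prefixes(address, networks):
    """Return every listed prefix containing the address ('a.b.c.d' or 'a.b.c.d/32')."""
    ip = ipaddress.ip_interface(address).ip
    return [n for n in networks if n.version == ip.version and ip in n]

def ipv4_addresses_covered(networks):
    """Count distinct IPv4 addresses that allowlisting the whole list would admit."""
    v4 = [n for n in networks if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))

if __name__ == "__main__":
    nets, bad = load_prefixes(SAMPLE_CSV)
    print("rejected rows:", bad)
    for addr in ("198.211.111.194/32", "198.211.113.7", "2001:db8:100::1"):
        hits = [str(n) for n in covering_prefixes(addr, nets)]
        print(addr, "->", hits or "not listed")
    print("IPv4 addresses admitted:", ipv4_addresses_covered(nets))
```
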
Dan Brian
Petr Novak Hi Petr, what exactly are you trying to accomplish? Create firewall rules?
Petr Novak
Hi Dan, yes. I want to have my droplet's ssh port closed for all but certain IP addresses. But I can't find an authoritative source of DO's IP addresses used for Droplet Console.
This idea mentions 3 IP addresses used by Droplet Console, from my testing it seems these 3 addresses are still being used.
But none of those 3 addresses is on the shared list, so I assume those addresses on that list are IPs reserved for "customers", not for DO "services".
Dan Brian
Petr Novak I just spoke to our Support team about this to get a better answer. There are two consoles: the Recovery Console, and the Droplet Console.
* The Recovery Console should work regardless of any firewall rule you put in place.
* Unfortunately, in order for the Droplet Console to be able to connect to the Droplet, you must leave port 22 open in your firewall, and in the case of using a Cloud Firewall, you should allow all IPv4 and IPv6 in the inbound rule for port 22. We do not have a defined CIDR from which the Droplet Console connects.
My apologies for the incorrect information above. I was under the assumption that those IP addresses were used by DO services to connect to Droplets and that is not the case it sounds like. I'll have to dig into this and get it better documented.
Thanks for reaching out. We'll get this stuff updated.