Create groups where I can add droplets, for example Galera droplets to one group, front-end droplets to another group, and for each group there will be a setting for which port can be accessed from which IP, as Amazon offers.
I thought that it will be better as a firewall setting before the VPS, not in the VPS. I would go for it even if it was for extra money.
I've been faced with the same problem and I'm building something to help with not just the firewalls/security groups but making securing droplets much easier for devs. Check out lockdown.io.