Creating Bi-Directional Firewall Policies

Updated by Richard Seroter on Oct 26, 2021
Article Code: kb/1021

Description:

Lumen Cloud Platform firewall policies make it simple to connect networks within a given account or across accounts. Firewall policies are inherently one-way, but it is very straightforward to craft a pair of policies that enable bi-directional communication. This walkthrough builds upon the servers, networks and policies built in the KB article entitled Connecting Data Center Networks Through Firewall Policies.

Steps:

1. Confirm that you have two servers in two different networks.

  • In the KB article referenced above, there was a parent account and a sub-account, each with its own network and server. The two servers therefore sit on different networks.

2. Build a pair of policies that enable network communication in both directions.

  • Check the existing firewall policies by navigating to the Firewall menu item under the Network menu. From the previous KB article walkthrough, there should be a single firewall policy that makes it possible for the server in the parent account's network to ping a server in the sub-account's network.
  • This traffic is one-way only. To confirm this, attempt to ping the server in the parent account from the server in the sub-account. Notice that the request times out because network traffic is not allowed from the child network to the parent.
  • In order to allow servers in the sub-account's network to communicate with servers in the parent account's network, another firewall policy must be created.
  • Switch the Source Account and Destination Account values at the top of the page to reflect the sub-account as the source and parent account as the destination.
  • Click the add policy button and add a firewall policy that allows traffic from (restricted) IP addresses in the sub-account network to (restricted) IP addresses in the parent account network.
  • Save the firewall policy.

3. Confirm that the policies are working.

  • From the server in the sub-account's network, once again attempt to ping the server in the parent account's network.
  • As expected, the ping now succeeds: traffic can travel in both directions between the networks. Because each firewall policy only permits traffic in one direction, bi-directional network communication always requires two firewall policies, one per direction.
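The following is an added, stand-alone model of the behaviour described in these steps; it is not code from the Lumen Cloud Platform or the KB article. It treats each firewall policy as a one-way rule matched on source account, destination account, restricted CIDR ranges and port, and shows that a single policy only allows the parent-to-child direction while the pair allows both; the account aliases, networks and host addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class FirewallPolicy:
    """One-way policy: permits traffic initiated from source_cidrs (owned by
    source_account) to destination_cidrs (owned by destination_account)."""
    source_account: str
    destination_account: str
    source_cidrs: Tuple[str, ...]
    destination_cidrs: Tuple[str, ...]
    ports: Tuple[str, ...]  # e.g. ("icmp", "tcp/22")

    def allows(self, src_account: str, src_ip: str,
               dst_account: str, dst_ip: str, port: str) -> bool:
        def in_any(ip: str, cidrs: Iterable[str]) -> bool:
            addr = ipaddress.ip_address(ip)
            return any(addr in ipaddress.ip_network(c) for c in cidrs)
        return (self.source_account == src_account
                and self.destination_account == dst_account
                and port in self.ports
                and in_any(src_ip, self.source_cidrs)
                and in_any(dst_ip, self.destination_cidrs))


def is_allowed(policies, src_account, src_ip, dst_account, dst_ip, port="icmp"):
    """A flow is permitted only if some policy matches its initiating
    direction; no policy implies a reverse rule."""
    return any(p.allows(src_account, src_ip, dst_account, dst_ip, port) for p in policies)


# Constructed sample data (hypothetical account aliases, networks and hosts).
PARENT, CHILD = "PRNT", "SUB1"
PARENT_NET, CHILD_NET = "10.10.0.0/24", "10.20.0.0/24"
PARENT_SRV, CHILD_SRV = "10.10.0.15", "10.20.0.22"

# Policy from the earlier KB article: parent network may ping the child network.
PARENT_TO_CHILD = FirewallPolicy(PARENT, CHILD, (PARENT_NET,), (CHILD_NET,), ("icmp",))
# Return policy from step 2, restricted to the two hosts that actually need it.
CHILD_TO_PARENT = FirewallPolicy(CHILD, PARENT, (CHILD_SRV + "/32",), (PARENT_SRV + "/32",), ("icmp",))


def ping_matrix(policies) -> Tuple[bool, bool]:
    """Return (parent->child allowed, child->parent allowed) for the sample hosts."""
    return (is_allowed(policies, PARENT, PARENT_SRV, CHILD, CHILD_SRV),
            is_allowed(policies, CHILD, CHILD_SRV, PARENT, PARENT_SRV))


if __name__ == "__main__":
    print("one policy  :", ping_matrix([PARENT_TO_CHILD]))                   # (True, False)
    print("two policies:", ping_matrix([PARENT_TO_CHILD, CHILD_TO_PARENT]))  # (True, True)
```

Narrowing the return policy to /32 addresses, as done for CHILD_TO_PARENT, keeps the second direction from opening the entire parent network to the whole sub-account network.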