Creating Bi-Directional Firewall Policies

Updated by Richard Seroter on Dec 12, 2012

Description:

CenturyLink Cloud Platform firewall policies make it simple to connect networks within a given account or across accounts. Firewall policies are inherently one-way, but it is very straightforward to craft a pair of policies that enable bi-directional communication. This walkthrough builds upon the servers, networks and policies built in the KB article entitled Connecting Data Center Networks Through Firewall Policies.

Steps:

1. Confirm that you have two servers in two different networks.

  • In the KB article referenced above, there was a parent account and a sub-account, with a network and a server in each. Below, see that two distinct networks exist in this demonstration.
    firewalloverview01.png
    firewalloverview02.png
  • There are also two servers in this demonstration, each on a different network.
    firewalloverview05.png

2. Build a pair of policies that enable network communication in both directions.

  • Check the existing firewall policies by navigating to the Firewall menu item under the Network menu. From the previous KB article walkthrough, there should be a single firewall policy that makes it possible for the server in the parent account's network to ping a server in the sub-account's network.
    firewalloverview16.png
  • This traffic is one-way only. To confirm this, attempt to ping the server in the parent account from the server in the sub-account. Notice that the request times out because network traffic is not allowed from the child network to the parent.
    firewalloverview19.png
  • In order to allow servers in the sub-account's network to communicate with servers in the parent account's network, another firewall policy must be created.
  • Switch the Source Account and Destination Account values at the top of the page to reflect the sub-account as the source and parent account as the destination.
    firewalloverview18.png
  • Click the add policy button and add a firewall policy that allows traffic from (restricted) IP addresses in the sub-account network to (restricted) IP addresses in the parent account network.
    firewalloverview20.png
  • Save the firewall policy.

3. Confirm that the policies are working.

  • From the server in the sub-account's network, once again attempt to ping the server in the parent account's network.
    firewalloverview21.png
  • As expected, traffic can now travel in both directions between the networks. In short, bi-directional network communication requires two firewall policies overall, one for each direction.
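
When reviewing a larger rule set, the same check can be done mechanically: for each one-way policy, look for a policy in the opposite direction that covers the same addresses. The Python below is an added example, not CenturyLink Cloud code or an export format; the Policy record, the account aliases and the IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


# Hypothetical record for one firewall policy (not a platform data format).
@dataclass(frozen=True)
class Policy:
    src_account: str
    dst_account: str
    sources: tuple       # CIDR strings allowed to send
    destinations: tuple  # CIDR strings allowed to receive
    ports: frozenset     # e.g. {"icmp"} or {"tcp/443"}


def covers(allowed, wanted):
    """True if every CIDR in `wanted` lies inside some CIDR in `allowed`."""
    nets = [ip_network(a) for a in allowed]
    return all(any(ip_network(w).subnet_of(n) for n in nets) for w in wanted)


def has_reverse(policy, policies):
    """True if some policy lets this policy's destinations reach its sources."""
    return any(
        p.src_account == policy.dst_account
        and p.dst_account == policy.src_account
        and covers(p.sources, policy.destinations)
        and covers(p.destinations, policy.sources)
        and policy.ports <= p.ports
        for p in policies
    )


def one_way_only(policies):
    """Return the policies that have no matching policy in the other direction."""
    return [p for p in policies if not has_reverse(p, policies)]


# Constructed sample: the parent -> sub policy from the earlier walkthrough.
PARENT_TO_SUB = Policy("PARENT", "SUB", ("10.10.10.12/32",),
                       ("10.20.20.12/32",), frozenset({"icmp"}))
# The policy added in step 2: sub -> parent, same restricted addresses.
SUB_TO_PARENT = Policy("SUB", "PARENT", ("10.20.20.12/32",),
                       ("10.10.10.12/32",), frozenset({"icmp"}))

if __name__ == "__main__":
    print(one_way_only([PARENT_TO_SUB]))                 # reverse is missing
    print(one_way_only([PARENT_TO_SUB, SUB_TO_PARENT]))  # both directions covered
```

A policy reported by `one_way_only` is not necessarily a mistake; one-way access is often intended, and the list simply shows where the return direction has not been opened.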
