Creating Bi-Directional Firewall Policies

Updated by Richard Seroter on Dec 12, 2012


CenturyLink Cloud Platform firewall policies make it simple to connect networks within a given account or across accounts. Firewall policies are inherently one-way, but it is very straightforward to craft a pair of policies that enable bi-directional communication. This walkthrough builds upon the servers, networks and policies built in the KB article entitled Connecting Data Center Networks Through Firewall Policies.


1. Confirm that you have two servers in two different networks.

  • In the KB article reference above, there was a parent account and a sub-account, and a network and server in each. Below, see that two distinct networks exist in this demonstration.
  • There are also two servers in this demonstration, each on a different network.

2. Build a pair of policies that enable network communication in both directions.

  • Check the existing firewall policies by navigating to the Firewall menu item under the Network menu. From the previous KB article walkthrough, there should be a single firewall policy that makes it possible for the server in the parent account's network to ping a server in the sub-account's network.
  • This traffic is one-way only. To confirm this, attempt to ping the server in the parent account from the server in the sub-account. Notice that the request times out because network traffic is not allowed from the child network to the parent.
  • In order to allow servers in the sub-account's network to communicate with servers in the parent account's network, another firewall policy must be created.
  • Switch the Source Account and Destination Account values at the top of the page to reflect the sub-account as the source and parent account as the destination.
  • Click the add policy button and add a firewall policy that allows traffic from (restricted) IP addresses in the sub-account network to (restricted) IP addresses in the parent account network.
  • Save the firewall policy.

3. Confirm that the policies are working.

  • From the server in the sub-account's network, once again attempt to ping the server in the parent account's network.
  • As expected, the traffic is now configured to travel in both directions between the networks. So in order to create bi-directional network communication, create two firewall policies overall.

Customer Support

Can’t find what you need?
Give us a call.


M – F, 8am to 6pm