Creating Bi-Directional Firewall Policies

Updated by Richard Seroter on Oct 26, 2021
Article Code: kb/1021


Lumen Cloud Platform firewall policies make it simple to connect networks within a given account or across accounts. Firewall policies are inherently one-way, but it is very straightforward to craft a pair of policies that enable bi-directional communication. This walkthrough builds upon the servers, networks and policies built in the KB article entitled Connecting Data Center Networks Through Firewall Policies.


1. Confirm that you have two servers in two different networks.

  • In the KB article reference above, there was a parent account and a sub-account, and a network and server in each. The two servers operate on different networks.

2. Build a pair of policies that enable network communication in both directions.

  • Check the existing firewall policies by navigating to the Firewall menu item under the Network menu. From the previous KB article walkthrough, there should be a single firewall policy that makes it possible for the server in the parent account's network to ping a server in the sub-account's network.
  • This traffic is one-way only. To confirm this, attempt to ping the server in the parent account from the server in the sub-account. Notice that the request times out because network traffic is not allowed from the child network to the parent.
  • In order to allow servers in the sub-account's network to communicate with servers in the parent account's network, another firewall policy must be created.
  • Switch the Source Account and Destination Account values at the top of the page to reflect the sub-account as the source and parent account as the destination.
  • Click the add policy button and add a firewall policy that allows traffic from (restricted) IP addresses in the sub-account network to (restricted) IP addresses in the parent account network.
  • Save the firewall policy.

3. Confirm that the policies are working.

  • From the server in the sub-account's network, once again attempt to ping the server in the parent account's network.
  • As expected, the traffic is now configured to travel in both directions between the networks. So in order to create bi-directional network communication, create two firewall policies overall.