Cloud networking

Traffic Flows in the Cloud

The four traffic flows that matter in cloud networks — east-west, ingress, egress, and traffic to service endpoints — and how to control each one.

Securing a cloud network starts with knowing how traffic moves through it. Most flows fall into four categories: east-west (lateral) traffic between workloads, ingress from outside, egress to the internet and SaaS, and traffic to cloud service endpoints. Each has a different risk profile and a different set of controls.

East-west (lateral) flows

East-west traffic is communication between resources inside the same network or subnet — virtual machines, containers, and microservices talking to each other. It never crosses the perimeter, which is exactly why traditional perimeter security misses it.

Why east-west control matters

Lateral movement is how a single compromised workload becomes a breach. Once an attacker is on one host, they pivot toward the valuable targets — databases, secret stores, identity services. Controlling east-west traffic isolates the initial foothold and contains the blast radius before it spreads.

How to control it

Network virtual appliances from vendors like Fortinet and Palo Alto can inspect lateral traffic, at the cost of complexity and licensing. Enforza offers a lighter path: centralised policy and identity-aware filtering that segments workloads from each other without the overhead of a full enterprise platform.

Ingress flows

Ingress is traffic entering the cloud from outside — through firewalls, load balancers, or public IPs. This north-south traffic needs protection against denial-of-service, malware, and unauthorised access.

How to control it

  • Network Security Groups (NSGs): granular allow/deny at the subnet or VM level, filtering on source, protocol, and port.
  • Web Application Firewalls (WAFs): defence against web attacks such as SQL injection and cross-site scripting.
  • A network firewall: stateful inspection and threat hardening on the traffic entering your networks.

Egress flows

Egress is outbound traffic to the internet, SaaS, and external services. Monitoring it matters because egress is the path data exfiltration takes — controlling it both prevents unauthorised transfers and trims bandwidth cost.

How to control it

  • Firewall rules: restrict outbound connections by destination IP, domain, or protocol.
  • Network ACLs: stateless subnet-level filters for coarse control.
  • Egress FQDN filtering: restrict outbound traffic to known, trusted hostnames — the most precise option for cloud workloads with predictable destinations. See Egress FQDN Filtering in the Cloud.

Traffic to service endpoints and SaaS

These flows connect your infrastructure to cloud provider services and third-party SaaS. Providers offer private paths — AWS PrivateLink, Azure Private Link / service endpoints — that keep this traffic off the public internet.

How to manage it

  • Route tables: direct traffic to the right endpoints.
  • Private link services: secure connectivity without public exposure.
  • NSGs: ensure only authorised traffic reaches the endpoint.

For provider services, filtering on the provider’s own published IP ranges is often cleaner than hostname rules — see Azure Service Tags vs AWS IP Ranges.
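The four categories above, and the per-flow controls described for each (subnet-pair rules for east-west, port allow-lists for ingress, FQDN allow-lists for egress, provider IP ranges for service endpoints), as a single added policy-evaluation example. This is illustrative code written for this article, not Enforza's or any cloud provider's implementation; the address ranges, hostnames and flow records are constructed, and the "service range" is a placeholder for a provider's published list.

```python
import ipaddress

# Constructed sample environment (not from the article): one VNet/VPC range,
# a placeholder provider service range, and an egress FQDN allow-list.
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
SERVICE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder, not a real range
EGRESS_ALLOWED_FQDNS = {"api.example-saas.com", "packages.example.org"}
# East-west: which internal subnets may talk to which, and on which ports.
EASTWEST_ALLOWED = {
    (ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")): {5432},
}
INGRESS_ALLOWED_PORTS = {443}


def classify(src: str, dst: str) -> str:
    """Map a connection to one of the four flow categories from the article."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INTERNAL and d in INTERNAL:
        return "east-west"
    if d in INTERNAL:
        return "ingress"
    if any(d in net for net in SERVICE_RANGES):
        return "service-endpoint"
    return "egress"


def evaluate(rec: dict) -> tuple[str, str]:
    """Return (flow category, decision) for one flow record; default is deny."""
    flow = classify(rec["src"], rec["dst"])
    if flow == "east-west":
        s, d = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        ok = any(s in a and d in b and rec["dport"] in ports
                 for (a, b), ports in EASTWEST_ALLOWED.items())
    elif flow == "ingress":
        ok = rec["dport"] in INGRESS_ALLOWED_PORTS
    elif flow == "egress":
        # Hostname comes from TLS SNI (or DNS); egress to a bare IP is denied.
        ok = rec.get("sni") in EGRESS_ALLOWED_FQDNS
    else:  # service-endpoint: destination already matched a provider range
        ok = True
    return flow, "allow" if ok else "deny"


# Constructed flow records; "sni" is present only when a hostname was observed.
SAMPLE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 5432},
    {"src": "10.0.1.10", "dst": "10.0.3.30", "dport": 22},
    {"src": "203.0.113.5", "dst": "10.0.1.10", "dport": 443},
    {"src": "10.0.1.10", "dst": "198.51.100.7", "dport": 443, "sni": "api.example-saas.com"},
    {"src": "10.0.1.10", "dst": "198.51.100.8", "dport": 443},
    {"src": "10.0.1.10", "dst": "192.0.2.9", "dport": 443},
]
```

Running `evaluate` over `SAMPLE_FLOWS` shows the second east-west record (SSH to a subnet with no rule) and the egress record without a hostname both denied, while the remaining four are allowed.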

Getting the balance right

Traffic controls prevent unauthorised access and data loss and keep performance predictable — but overly tight rules break legitimate traffic, and loose ones leave gaps. The goal is precise, identity-aware policy that you can manage in one place rather than a patchwork of per-flow tools.

One place for every flow

Enforza handles all four flows — east-west, ingress, egress, and service-endpoint traffic — from a single console, across AWS, Azure and GCP, with identity-aware hostname (SNI/FQDN) rules and secure NAT, on flat per-firewall pricing with no per-GB data-processing fee. It is the control you actually need for cloud traffic without the cloud-native firewall’s metered bill or a mega-NGFW’s bloat. See the features page for the full capability set.
