Ingress vs. Egress in the cloud

The definitions of Egress and Ingress for the cloud


What is egress?

Egress in the world of networking implies traffic that exits an entity or a network boundary. While in service provider types of networks this is pretty clear, in the case of a datacenter or cloud it is slightly different.

In the cloud, Egress still means traffic that’s leaving from inside the private network out to the public internet, but Ingress means something slightly different. To be clear private networks here refers to resources inside the network boundary of a data center or cloud environment and its IP space is completely under the control of an entity who operates it.

Since traffic often is translated using NAT in and out of a private network like the cloud, a response back from a public endpoint to a request that was initiated inside the private network is not considered Ingress. If a request is made from the private network out to a public IP, the public server/endpoint responds back to that request using a port number that was defined in the request, and firewall allows that connection since its aware of an initiated session based on that port number. See picture below for reference.



What is ingress?

With Egress out of the way, let’s define Ingress. Ingress is traffic that enters the boundary of a network. As you might be guessing by now, Ingress more specifically refers to unsolicited traffic sent from an address in public internet to the private network – it is not a response to a request initiated by an inside system. In this case, firewalls are designed to decline this request unless there are specific policy and configuration that allows ingress connections. See picture below for reference.

learn more