What do Egress and Ingress Mean in the Cloud?


What do Egress and Ingress mean in the cloud?

Egress in the world of networking implies traffic that exits an entity or a network boundary, while Ingress is traffic that enters the boundary of a network. While in service provider types of the network this is pretty clear, in the case of datacenter or cloud it is slightly different. In the cloud, Egress still means traffic that’s leaving from inside the private network out to the public internet, but Ingress means something slightly different. To be clear private networks here refers to resources inside the network boundary of a data center or cloud environment and its IP space is completely under the control of an entity who operates it.

Since traffic often is translated using NAT in and out of a private network like the cloud, a response back from a public endpoint to a request that was initiated inside the private network is not considered Ingress. If a request is made from the private network out to a public IP, the public server/endpoint responds back to that request using a port number that was defined in the request, and firewall allows that connection since its aware of an initiated session based on that port number. See picture below for reference.


With Egress out of the way, let’s define Ingress. As you might be guessing by now, Ingress refers to unsolicited traffic sent from an address in public internet to the private network – it is not a response to a request initiated by an inside system. In this case, firewalls are designed to decline this request unless there are specific policy and configuration that allows ingress connections. See picture below for reference.