Ingress vs Egress Trafficby Iwan Price-Evans on Networking • July 11, 2022
Ingress and egress refer to them as entries and exits. They are opposites. Ingress is the act of entering and egress is the act of exiting. These terms are also used to describe network traffic flow.
What is data Egress?
So what does egress mean when talking about cloud technology? In simple terms, egress refers to data leaving one network and transferring to an external network location. Egress traffic is outbound traffic being shared externally.
It's important to note that egress also refers to data shared to an external network via physical devices such as USB drives or external hard drives. Egress is any situation where data exits an entity or network boundary.
In the cloud, egress refers to traffic that leaves a private network and transfers to the public internet. This occurs all the time in organizations via email, file uploads, or HTTP and FTP transfers. The term egress is often used to describe the volume of traffic leaving a network to external networks. It's commonly used by cloud service providers as a measurement of traffic volume.
Examples of egress scenarios within a cloud service environment:
- An API client within a service perimeter calls an operation where the resource is outside the network perimeter.
- A data storage client that copies data from one data store (bucket) which is inside the network to another data store (bucket) that is outside the perimeter.
Data Egress Threats
The process of data egress has intrinsic threats. Data transferring outside of a private network to the public internet is susceptible to attack. Malicious actors are constantly on the lookout for unprotected data, snooping on data in transit, intercepting, and stealing data.
Criminals will use any number of techniques to achieve this such as spreading malware or disguising network traffic. This interception or theft is often referred to as data exfiltration.
Therefore, with the increased use of microservice architecture, it's becoming more important for organizations to have advanced traffic management and security tools. Intelligent traffic management systems are becoming a necessary solution to managing complex container and cluster environments.
What is Egress Filtering?
Organizations can perform monitoring to mitigate potential threats from egress traffic and identify anomalies and malicious activity. Egress filtering can be used to identify these threats.
Egress filtering allows the organization to create rules for egress traffic management. It enables them to block the transfer of sensitive data outside the internal network and verify or block high-volume data transfers if necessary.
What is Data Ingress?
As you might expect, ingress refers to data traffic that enters a private network from the public internet or another external location.
In the cloud, ingress is unfiltered traffic sent from the public internet. Note that this is traffic transferred to the private network, not response data from requests originating from the private network - ingress is not response traffic.
Examples of ingress scenarios within a cloud service environment:
- An API client located outside the private network that accesses resources within the private network perimeter.
- A data storage client that's outside the private network reading data from a cloud storage bucket within the private network perimeter.
What are Ingress Controllers?
While egress filtering is needed to ensure security, it's important to manage ingress traffic too.
Ingress traffic controllers are a solution to managing incoming data traffic. Traffic control, also called traffic routing or traffic shaping refers to the control of where traffic goes and how it gets there.
Ingress controllers can:
- Accept traffic from services outside the private network such as clusters.
- Filter and format the data and distribute it within the internal network.
- Perform intelligent routing, particularly important when using load balancing.
- Perform traffic splitting for scenarios such as A/B testing or canary deployments.
- Be used as a circuit-breaker avoiding cascading failures where one service takes out another.
- Protect services from request overload.
Examples of Ingress Controllers
Examples of ingress controllers are load balancers and Kubernetes ingress controllers.
A load balancer sits between the ingress and the backend servers and functions as a reverse proxy, distributing ingress traffic between two or more backend resources.
Kubernetes Ingress Controllers
A Kubernetes ingress controller is a Kubernetes component defined by the CNCF, and specifically manages ingress traffic to Kubernetes clusters and containers. Examples of Kubernetes Ingress Controllers include: