CoursesAdvanced cloud securityNetwork & data-plane security

Egress control, DNS & firewalls

NAT, egress proxies, DNS filtering, and exfiltration defense.

Advanced35 min · lesson 5 of 15

Almost everyone filters inbound traffic and leaves outbound wide open. But exfiltration and command-and-control both leave through egress: a compromised workload with unrestricted outbound can stream your data anywhere and pull down the next stage of an attack. Controlling what can leave, and logging the rest, turns a silent breach into a blocked, alerting event.

Why egress is the neglected half

A default-open outbound policy assumes everything inside the perimeter is trustworthy — the exact assumption modern attacks break. Constrain egress to the specific destinations a workload legitimately needs (a package mirror, an internal API, a payment provider) and deny the rest. For most workloads the legitimate egress list is short and stable, which makes an allowlist practical rather than painful, and makes any attempt to reach an unlisted host an immediate red flag.

egress allowlist through a proxy
# Squid egress proxy: allow only approved destinations, deny + log the rest.
acl approved dstdomain .github.com .amazonaws.com registry.internal
http_access allow approved
http_access deny all # everything else is refused and logged
# Workloads have NO direct route out; the only path is the proxy:
# HTTPS_PROXY=http://egress-proxy.internal:3128
# A compromised container trying to reach evil.example is blocked at the proxy
# and the attempt appears in the proxy log as a denied request.

DNS filtering and exfil defense

DNS is both an egress control point and an exfiltration channel. Filtering resolution against threat intelligence blocks known C2 and phishing domains before a connection is even attempted, and logging every lookup gives you a high-value record for hunting. Watch for the telltale signs of DNS tunnelling — long, high-entropy subdomains and abnormal query volume to one domain — which is how data leaves networks that block ordinary egress.

Layered egress controls
restrict the path
no default route out
private subnets, no IGW
egress proxy allowlist
only approved destinations
inspect names
DNS firewall
block known-bad, log every lookup
tunnel detection
entropy + volume anomalies
record everything
flow logs
who talked to what, after the fact
Each layer is cheap alone and compounding together: the proxy blocks, DNS filtering catches names, flow logs and query logs let you reconstruct intent.
Unrestricted egress is free C2
If a compromised pod can open an arbitrary outbound connection, the attacker already has their exfiltration and command channel — no further privilege needed. Default-deny egress is one of the highest-leverage controls you can add, and one of the most commonly missing.