What Is East-West Traffic in Cloud Security?
TL;DR
East-West traffic is network communication between workloads inside a cloud environment: microservice to microservice, container to container.
By commonly cited estimates it accounts for 70–80% of all cloud network traffic, yet most cloud security investment goes to north-south (perimeter) traffic.
East-West traffic is the primary channel for lateral movement: open east-west paths let an attacker who has compromised one workload move to the next without ever crossing the perimeter.
Communication Governance secures the east-west layer by defining and enforcing which workloads can communicate with which others.
Most cloud environments have no meaningful east-west policy enforcement, so the blast radius of a single compromised workload is bounded only by what that workload can reach.
Definition
Ask your security team what percentage of your cloud network traffic your current controls can actually see and enforce policy on. For most organizations, the honest answer is somewhere around 20–30%: the north-south traffic that crosses the perimeter. The remaining 70–80% is east-west traffic, workload-to-workload communication inside the cloud environment, and it is the traffic that lateral movement exploits.
East-West traffic is network communication that flows between workloads inside a cloud environment (microservice to microservice, container to container, VM to VM), as opposed to North-South traffic, which flows between external users and internal services across the network boundary. East-West traffic is also the primary channel for lateral movement: once an attacker has compromised one workload, open east-west paths let them reach adjacent workloads without ever touching the perimeter controls where most security investment sits.
East-West vs. North-South Traffic
North-South traffic flows across the network boundary: inbound requests from external users to internal services, and outbound responses back. This is the traffic that perimeter firewalls, WAFs, and VPNs are designed to control. Most cloud security investment has historically focused here.
East-West traffic flows within the network boundary between internal workloads, microservices, databases, and APIs. Because it never crosses the perimeter, none of the perimeter controls see it. In most cloud environments it is governed only by broad security group or VPC firewall rules that permit most workload-to-workload communication within the same VPC or environment (a self-referencing security group rule that allows all traffic between members is the typical default).
The security implication: an attacker who compromises one workload, bypassing perimeter controls through a supply chain attack, stolen credentials, or a vulnerable dependency, can then move laterally through open east-west paths without encountering any further security control.
Why East-West Traffic Is Your Biggest Security Risk
The asymmetry between where security investment goes and where traffic actually flows creates a critical gap. 70–80% of cloud traffic moves east-west, while most security controls only see north-south traffic, so the majority of cloud traffic is effectively ungoverned.
In the Detection Era, this gap was addressed with detection tooling: SIEM and XDR products that monitor east-west traffic for anomalous patterns. But The Cascade demonstrated the structural limitation: east-west lateral movement can complete faster than a detect-and-respond cycle can run.
The Containment Era's answer is Communication Governance: govern the east-west majority with explicit policy rather than trying to detect anomalies in ungoverned traffic.
How to Secure East-West Traffic: Communication Governance
Define east-west policies by workload identity (tags, labels, service accounts), not by IP addresses, which change whenever workloads scale, restart, or are rescheduled
Default-deny all east-west communication that is not explicitly permitted
Enforce policies at the workload level through a distributed cloud firewall, not at centralized chokepoints that east-west traffic never passes through
Apply default-deny egress as well, so a compromised workload cannot open outbound connections that policy does not permit
Run a Workload Attack Path Assessment (WAPA) to map all existing east-west paths and prioritize which to close first
Review and update east-west policies continuously as workloads change; identity-based rules survive IP churn, but new services still need explicit rules
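The six steps above carried through end to end, as an added example that is not Aviatrix code and not part of the original page: a small Python policy engine that keys rules on workload identity (role and env tags), default-denies everything else in both directions, compiles the identity rules into the concrete tuples one workload would enforce locally, and runs a WAPA-style pass over flow records to rank the currently open paths the policy would close. Every role, tag, IP, port and log line is constructed for illustration, and the flow-record layout is a simplified version of a VPC flow log, not the real format.

```python
"""Identity-based east-west policy with default-deny, evaluated against
constructed flow records. Added example; all data below is made up."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicit allow: workloads with src_role may reach dst_role on port/proto."""
    src_role: str
    dst_role: str
    port: int
    proto: str = "tcp"


# The allowlist is written in terms of identity, never IPs. Anything not
# listed is denied, in both directions (default-deny ingress and egress).
POLICY = [
    Rule("web", "api", 8443),
    Rule("api", "db", 5432),
    Rule("api", "cache", 6379),
]

# Inventory: which IP currently carries which identity. In a real deployment
# this comes from cloud tags or labels and changes constantly; the policy
# above does not have to change with it. Constructed values.
INVENTORY = {
    "10.0.1.10": {"role": "web", "env": "prod"},
    "10.0.1.11": {"role": "web", "env": "prod"},
    "10.0.2.20": {"role": "api", "env": "prod"},
    "10.0.3.30": {"role": "db", "env": "prod"},
    "10.0.3.31": {"role": "cache", "env": "prod"},
    "10.0.4.40": {"role": "batch", "env": "prod"},
    "10.0.9.90": {"role": "web", "env": "dev"},
}

# Constructed flow records, simplified layout:
# "srcaddr dstaddr dstport protocol packets action"
FLOW_LOG = """\
10.0.1.10 10.0.2.20 8443 tcp 120 ACCEPT
10.0.1.11 10.0.2.20 8443 tcp 98 ACCEPT
10.0.2.20 10.0.3.30 5432 tcp 44 ACCEPT
10.0.2.20 10.0.3.31 6379 tcp 31 ACCEPT
10.0.1.10 10.0.3.30 5432 tcp 3 ACCEPT
10.0.4.40 10.0.3.30 5432 tcp 7 ACCEPT
10.0.4.40 10.0.2.20 22 tcp 2 ACCEPT
10.0.1.11 10.0.3.30 5432 tcp 1 ACCEPT
10.0.4.40 203.0.113.5 443 tcp 15 ACCEPT
10.0.9.90 10.0.2.20 8443 tcp 6 ACCEPT
10.0.4.40 10.0.3.31 6379 tcp 5 REJECT
"""


def identity(ip, inventory=INVENTORY):
    """Workload identity for an IP, or None if it is not a known workload."""
    return inventory.get(ip)


def label(ident, ip):
    """Human-readable identity, falling back to the raw IP for unknown peers."""
    return f"{ident['env']}/{ident['role']}" if ident else ip


def is_allowed(src_ip, dst_ip, port, proto, policy=POLICY, inventory=INVENTORY):
    """Default-deny: pass only if both ends resolve to a known identity in the
    same env and an explicit rule matches. Unknown peers (e.g. the internet)
    are denied, which is what default-deny egress means here."""
    src, dst = identity(src_ip, inventory), identity(dst_ip, inventory)
    if src is None or dst is None or src["env"] != dst["env"]:
        return False
    return any(r.src_role == src["role"] and r.dst_role == dst["role"]
               and r.port == port and r.proto == proto for r in policy)


def parse_flows(text):
    """Parse the simplified flow records into tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, proto, packets, action = line.split()
            flows.append((src, dst, int(port), proto, int(packets), action))
    return flows


def assess(flow_text, policy=POLICY, inventory=INVENTORY):
    """WAPA-style pass: every path that is open today (ACCEPTed) but that the
    identity policy would deny, keyed by identity and ranked by packet volume.
    These are the paths to close first."""
    open_paths = Counter()
    for src, dst, port, proto, packets, action in parse_flows(flow_text):
        if action == "ACCEPT" and not is_allowed(src, dst, port, proto, policy, inventory):
            key = (label(identity(src, inventory), src),
                   label(identity(dst, inventory), dst), port, proto)
            open_paths[key] += packets
    return open_paths.most_common()


def compile_for_workload(ip, policy=POLICY, inventory=INVENTORY):
    """Expand identity rules into the concrete (peer_ip, port, proto) tuples
    this one workload's local enforcement point needs right now. Re-run
    whenever inventory changes; the policy itself stays the same."""
    me = identity(ip, inventory)
    ingress, egress = set(), set()
    if me is None:
        return ingress, egress
    for peer_ip, peer in inventory.items():
        if peer_ip == ip or peer["env"] != me["env"]:
            continue
        for r in policy:
            if r.src_role == peer["role"] and r.dst_role == me["role"]:
                ingress.add((peer_ip, r.port, r.proto))
            if r.src_role == me["role"] and r.dst_role == peer["role"]:
                egress.add((peer_ip, r.port, r.proto))
    return ingress, egress


if __name__ == "__main__":
    for (src, dst, port, proto), packets in assess(FLOW_LOG):
        print(f"open path to close: {src} -> {dst}:{port}/{proto} ({packets} packets)")
    print("api workload enforces:", compile_for_workload("10.0.2.20"))
```

Two things the run shows that the list alone does not: the dev web server reaching the prod API is denied even though web-to-api on 8443 is an allowed pair, because identity includes the env tag, not just the role; and the batch host's connection to 203.0.113.5 ranks first, because an unknown destination is simply not in the allowlist, so default-deny egress needs no separate blocklist. Swapping a web server's IP in the inventory changes only what compile_for_workload emits, never POLICY.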
Frequently Asked Questions
Q: What is East-West traffic?
East-West traffic is network communication between workloads inside a cloud environment: microservice to microservice, container to container, VM to VM. It flows laterally within the network boundary, unlike North-South traffic which flows between external users and internal services across the perimeter.
Q: Why is East-West traffic a security risk?
70–80% of cloud traffic is East-West, and most of it flows without meaningful policy enforcement. Perimeter security controls do not see or govern it. An attacker who compromises one workload can move laterally through open East-West paths to any other workload the compromised one can reach. This unbounded blast radius is the central vulnerability of the Detection Era.
Q: What is the difference between East-West and North-South traffic?
North-South traffic flows between external users and internal services across the network boundary. East-West traffic flows within the network boundary between internal workloads. Perimeter security governs North-South; Communication Governance governs East-West.
Q: How do you enforce security policy on East-West traffic?
East-West policy requires workload-level enforcement, not centralized gateway inspection. Aviatrix SmartGroups define identity-based policies determining exactly which workloads can communicate with which others. Only explicitly permitted East-West paths are allowed; all others are blocked by default-deny.
Q: How does East-West traffic relate to lateral movement?
Open East-West paths are the mechanism of lateral movement. When an attacker compromises a workload, they use its existing East-West connections to move to adjacent workloads. The more open East-West paths exist, the larger the blast radius of any breach. Communication Governance removes every East-West path that is not explicitly authorized, and with the path gone the lateral movement it enabled goes with it.