North-South vs East-West Traffic: Why the Dangerous Traffic Is the One You're Not Watching
⚡ TL;DR
North-south traffic crosses the perimeter: external users reaching internal services, or workloads reaching external APIs. East-west traffic stays inside: workload to workload, service to service. Traditional security focuses almost entirely on north-south traffic. Modern attackers operate almost entirely in east-west traffic. Lateral movement, blast radius, and The Cascade all live in the east-west plane.
What is North-South vs East-West Traffic?
The terms “north-south” and “east-west” come from how network diagrams are traditionally drawn: north-south is traffic flowing up and down (in and out of the network), east-west is traffic flowing side to side (between services inside it). That visual turns out to be a useful shorthand for understanding where your security investment is going and where it isn't. Most organizations have significant north-south controls: perimeter firewalls, DDoS protection, web application firewalls, ingress filtering. Most have much weaker east-west controls. Yet east-west is where most cloud traffic actually flows (commonly estimated at 70–80% of the total) and where lateral movement lives.
What is North-South Traffic?
North-south traffic describes any flow that crosses the perimeter boundary of your environment. This includes inbound traffic from external users reaching internal applications, outbound traffic from internal workloads reaching external APIs or the internet, and traffic crossing cloud region or account boundaries.
North-south traffic has always been the primary focus of network security controls: firewalls at the perimeter inspect and filter inbound connections; egress controls limit what internal workloads can reach externally; web application firewalls protect public-facing services. These controls are mature, well-understood, and often highly effective at what they do.
The limitation of north-south security is that it assumes the threat originates outside the environment and that the perimeter is the decisive control point, so its responsibility effectively ends once the perimeter is crossed. The Cascade attack of March 2026 demonstrated that the most destructive phase of a modern attack begins after perimeter crossing: in the east-west plane.
What is East-West Traffic?
East-west traffic describes any flow between workloads inside the environment: service-to-service, microservice-to-microservice, database replication, API calls between internal services, container-to-container communication in the same cluster.
In modern cloud native environments, east-west traffic vastly exceeds north-south traffic in volume. A single user request to a web application may trigger dozens of internal service-to-service calls before a response is generated. Microservice architectures are fundamentally east-west communication systems that happen to have a north-south entry and exit point.
East-west traffic is also where attackers operate after initial access. Lateral movement, the process of moving from an initially compromised workload to higher-value targets, is entirely an east-west phenomenon. The Cascade attack's extraordinary impact came from attackers' ability to traverse east-west traffic freely once inside.
Why East-West Security Is the Defining Challenge of the Containment Era
Detection-based security architectures (2010–2026) were optimised for north-south threats. Their east-west controls were often an afterthought: implicit trust within the network perimeter, with detection-based tools attempting to identify anomalous lateral movement after the fact.
The Containment Era begins from the premise that east-west traffic must be explicitly governed, not implicitly trusted. Communication Governance, defining what each workload is permitted to communicate with, is an east-west control. Default-deny between workloads is an east-west policy. SmartGroups define east-west permission boundaries.
Chokepoint Security, routing all traffic through centralized inspection gateways, fails for east-west traffic at cloud scale because the traffic volume and connection frequency are orders of magnitude higher than north-south traffic. You cannot route all microservice communication through a central appliance without creating the performance bottleneck that defeats adoption.
Measuring East-West Exposure With WAPA
The Aviatrix Workload Attack Path Assessment is specifically designed to map east-west exposure. It identifies every workload-to-workload communication path in your environment, maps them against the intended permission set, and identifies the paths that should not exist, either because they represent unnecessary permissions or because they create lateral movement vectors to critical systems.
The Workload Attack Path Assessment produces a blast radius map: for each workload in your environment, it shows how many other workloads could be reached, directly or transitively, if that workload were compromised. Environments with unrestricted east-west communication typically show blast radii that span entire cloud accounts. Environments with Communication Governance enforced show blast radii that collapse towards one: the compromised workload itself, plus only the peers its policy explicitly allows it to reach.
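The three ideas in this section (an explicit allow-list as the east-west policy, a diff of observed paths against that allow-list, and a per-workload blast radius) can be shown end to end on a small graph. The block below is an added example written for this page; it is not Aviatrix code and does not represent how the Workload Attack Path Assessment is implemented. The flow-log lines, IP addresses, workload names and the `INTENDED_ALLOWS` policy are all constructed for illustration.

```python
"""
Added example (not Aviatrix code and not the Workload Attack Path Assessment):
turn constructed east-west flow records into a reachability graph, diff it
against an intended allow-list, and compute each workload's blast radius under
implicit trust, under what is actually observed, and under default-deny with
explicit allows.
"""
from collections import deque

# Constructed sample flow-log lines: "srcaddr dstaddr dstport action", loosely
# modelled on cloud VPC flow logs. Addresses and workload names are hypothetical.
FLOW_LOG = """\
10.0.1.10 10.0.2.20 8443 ACCEPT
10.0.2.20 10.0.3.30 5432 ACCEPT
10.0.2.20 10.0.3.31 6379 ACCEPT
10.0.1.10 10.0.3.30 5432 ACCEPT
10.0.4.40 10.0.2.20 8443 ACCEPT
10.0.4.40 10.0.5.50 8200 ACCEPT
10.0.3.31 10.0.2.20 8443 REJECT
"""

# Flow logs only carry addresses; mapping them back to workloads is the fragile
# step that a workload-identity system makes unnecessary. Hypothetical mapping.
IP_TO_WORKLOAD = {
    "10.0.1.10": "web",
    "10.0.2.20": "api",
    "10.0.3.30": "orders-db",
    "10.0.3.31": "cache",
    "10.0.4.40": "batch",
    "10.0.5.50": "secrets-svc",
}
WORKLOADS = sorted(set(IP_TO_WORKLOAD.values()))

# Intended permission set (the allow-list that Communication Governance would
# enforce): every (src, dst) pair not listed here is denied.
INTENDED_ALLOWS = {
    ("web", "api"),
    ("api", "orders-db"),
    ("api", "cache"),
    ("batch", "api"),
}


def parse_flows(log_text, ip_map):
    """Return the set of (src_workload, dst_workload) pairs that were ACCEPTed."""
    flows = set()
    for line in log_text.splitlines():
        src, dst, _port, action = line.split()
        if action == "ACCEPT":
            flows.add((ip_map[src], ip_map[dst]))
    return flows


def unexpected_paths(observed, intended):
    """Observed east-west paths that the intended policy does not allow, sorted."""
    return sorted(set(observed) - set(intended))


def full_mesh(workloads):
    """Implicit-trust model: every workload may reach every other workload."""
    return {(s, d) for s in workloads for d in workloads if s != d}


def reachable_from(start, edges):
    """BFS over directed allowed edges; workloads reachable from start (start excluded)."""
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(workloads, edges):
    """Blast radius per workload: itself plus everything it can reach transitively."""
    return {w: 1 + len(reachable_from(w, edges)) for w in workloads}


if __name__ == "__main__":
    observed = parse_flows(FLOW_LOG, IP_TO_WORKLOAD)
    print("paths that should not exist:", unexpected_paths(observed, INTENDED_ALLOWS))
    for label, edges in (
        ("implicit trust", full_mesh(WORKLOADS)),
        ("observed", observed),
        ("default-deny + allows", INTENDED_ALLOWS),
    ):
        print(f"{label:>22}: {blast_radius(WORKLOADS, edges)}")
```

Two things worth noticing in the output. First, the unexpected paths (`web` talking straight to `orders-db`, `batch` reaching `secrets-svc`) are exactly the lateral-movement vectors that a diff against the allow-list surfaces and that default-deny would have prevented. Second, even under the governed policy the blast radius of `web` is not one but four (`web`, `api`, `orders-db`, `cache`), because an allowed hop is still a hop: the radius is bounded by the allow-list, which is why the allow-list itself has to be kept minimal.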
Run your free Workload Attack Path Assessment to see your actual east-west exposure.
Frequently Asked Questions
Q: What is the difference between north-south and east-west traffic?
North-south traffic crosses the environment's perimeter boundary: external users reaching internal services, or workloads reaching external destinations. East-west traffic flows between workloads inside the environment without crossing the perimeter. In cloud native architectures, east-west traffic typically accounts for the majority of total network traffic.
Q: Why do attackers focus on east-west traffic?
After initial access, attackers need to reach higher-value targets (databases, credential stores, management planes) that are rarely the first workload compromised. Lateral movement to reach those targets is accomplished through east-west traffic. Environments with unrestricted east-west communication allow attackers to traverse from any compromised workload to virtually any other.
Q: What controls can secure east-west traffic?
The Containment Era model uses three primary controls: Communication Governance (defining what each workload is permitted to communicate with), distributed cloud firewall enforcement (enforcing those permissions at every workload boundary), and workload identity (ensuring that permissions are tied to verified workload identity rather than IP address). All three work together through the Aviatrix Containment Platform.
Q: Is east-west traffic visible to traditional security tools?
Partially. Traditional network monitoring tools can capture east-west traffic flows, but they typically cannot enforce policy at the workload level. They observe east-west traffic after the fact, detecting anomalous patterns rather than preventing unauthorised connections before they form. The Containment Era model requires prevention, not just detection.
Q: How does a Zero Trust architecture treat east-west traffic?
Zero Trust architecture applies the same verification principles to east-west traffic as to north-south: every connection is verified against policy, regardless of whether both endpoints are inside the network. Zero Trust explicitly rejects the concept of an “internal trusted network”; the east-west plane is subject to the same controls as the north-south perimeter.