# Zero-Trust Egress and Private Connectivity Patterns > **Intro:** Many product incidents become severe because workloads can talk to too many destinations. Egress and private connectivity decisions shape how easily an attacker can exfiltrate data, reach metadata services, or pivot into control planes. > > **What this page includes** > > * practical egress-control patterns > * how to think about private connectivity and service endpoints > * trade-offs for proxies, service meshes, and policy engines > * how to scope exceptions without hollowing out the design ## Egress-control patterns ### Pattern 1: explicit egress allow-lists Good for regulated or high-sensitivity workloads. Requires operational maturity because service dependencies change. ### Pattern 2: egress proxy plus policy Useful when teams need central visibility and domain-level control. Works well when paired with workload identity and request metadata. ### Pattern 3: segmented environments with private service endpoints Useful for reducing public-internet exposure to data stores, registries, and control APIs. ## Design rules * block direct metadata access where the platform allows it; * separate package download paths from ordinary app traffic; * treat registry, secret manager, and control-plane endpoints as privileged destinations; * make exceptions time-bound and reviewable. ## Private connectivity ideas * use private endpoints or service networking for data stores and secret systems; * keep admin planes reachable only from stronger identity contexts or dedicated networks; * prefer short-lived, identity-aware access over broad network trust. ## Anti-patterns * broad “allow all egress” because the service might need it later; * the same subnet or security group for app traffic and operator access; * temporary egress exceptions that never expire; * assuming TLS alone solves where workloads are allowed to connect. ## Related pages * [AWS Networking and Policy Baseline](https://github.com/D3One/Product-Security-Gitbook/blob/main/08-infrastructure-and-cloud-security/aws-networking-and-policy-baseline.md) * [Network Policy Patterns](/cloud-kubernetes-and-infrastructure-security/index-1/network-policy-patterns.md) *** *Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/architecture-api-crypto-and-identity/index-1/zero-trust-egress-and-private-connectivity-patterns.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.