An egress gateway is a cloud-native architectural pattern that provides an exit point for traffic leaving a cluster or service mesh. Egress gateways are common within Kubernetes environments — making it easier to enforce security, routing, and IP address handling for ephemeral services that are always changing. 

Egress gateways also offer easier integration with network firewalls and other security layers to help organizations meet regulatory compliance requirements. Many regulations require sensitive egress traffic to travel through collections of dedicated nodes which live separately from your primary service nodes. 

Overall, egress gateways help provide for secure, logical traffic flows externally from your environment while enabling distributed services to communicate and exchange data. This helps power popular solutions such as multi-cloud service meshes while offering controlled access to the internet. 

It's worth noting that egress and ingress traffic differs fundamentally from inbound and outbound traffic. While inbound/outbound refers more closely to destination servers and hosts for network traffic, egress/ingress instead signify pathways along which packets can travel while approaching their ultimate destination. A given host and server might be Points A and B on a journey, respectively, whereas egress might represent a road passing through an international border crossing.

How do egress gateways work?

Egress gateways typically function by reserving a small block of static and public IP addresses, then configuring external services (sometimes called endpoints) to only accept traffic from those allowlisted source IPs. This ensures that only trusted traffic safely leaves your internal cluster without exhausting too many IPv4 addresses — which are all currently spoken for globally. These types of addresses aren't readily available and thus expensive.

While some teams may earmark their existing private IPv4 addresses for egress, other teams (and products) have since favored IPv6 addresses based on availability. In any case, these static IPs bring predictability and simplicity to egress routing. Keeping track of dynamic IP addresses would be quite challenging. 

Egress gives you granular control over how traffic originating from each K8s pod flows through your gateway. It supports network isolation, workload routing rules, namespaces, and labels to help make external routing much easier. These traffic flows are viewable within a centralized monitoring and management platform (if applicable), plus activity logs, to give teams visibility over everything. 

Egress gateways support a number of use cases, including the following: 

  • Applying access control policies for all egress traffic

  • Unlocking egress for secure SSL/TLS traffic

  • Applying Kubernetes network policies

  • Integrating K8s with external firewalls

  • End-to-end egress traffic tracing

  • Shared and per-namespace egress routing

  • Per-deployment egress routing

  • Health checking and network failover 

Egress gateways can facilitate many networking functions across availability zones. They're also pretty flexible. You don't need an existing service mesh to operate an egress gateway, and you can also route traffic using a number of internet protocols. Egress isn't reserved solely for HTTP/S traffic, but also for SSH and other custom internet protocols. 

Explore further: What is the Kubernetes Gateway API?

What are the benefits of egress gateways?

Well-integrated egress gateways can offer app teams plenty of advantages over complex routing implementations: 

  • They enable consolidated routing, which cuts complexity and cost.

  • They're available in both paid and open-source flavors, catering to individual app developers, smaller teams, and large enterprises alike.

  • They give organizations a clear way to separate and tightly control outbound egress traffic. 

  • They work natively with Kubernetes. 

  • They may offer centralized monitoring and management over some of your most critical service traffic. 

  • They're generally easier to secure and enforce security policies through, and therefore boost compliance. 

  • They support deeper network visibility in real-time while paving the way for easier auditing later on.

You’ve mastered one topic, but why stop there?

Our blog delivers the expert insights, industry analysis, and helpful tips you need to build resilient, high-performance services.

By clicking "Get new posts first" above, you confirm your agreement for HAProxy to store and processes your personal data in accordance with its updated Privacy Policy, which we encourage you to review.

Thank you! Your submission was successful.

Does HAProxy offer an egress gateway?

Yes! HAProxy One — the world's fastest application delivery and security platform — delivers built-in egress gateway functionality via our Universal Mesh solution. Universal Mesh unifies your multi-cloud, on-prem, and legacy applications with a single architectural pattern that converges ingress, egress, and service mesh into one. Deploy strategic gateways at the boundaries of your K8s clusters, VPCs, and on-prem datacenters to form a powerful, performant edge. Users get the same HAProxy One features both at the inner and outer edge.

Want to see how HAProxy handles egress across complex environments? Request a demo of HAProxy One to test egress gateway routing in your own environment.