Interview Question
How do you design outbound (egress) controls for workloads in private subnets without public IPs while maintaining least privilege?
Key Points to Cover
- Use NAT gateways or egress proxies with allowlists
- Restrict destinations by FQDN/IP and ports; enforce TLS inspection if required
- Centralize egress through firewall appliances or service endpoints
- Audit with flow logs; detect anomalies and shadow IT
Evaluation Rubric
- Chooses appropriate egress patterns (35% weight)
- Imposes least-privilege outbound access (25% weight)
- Adds logging/alerting for egress (20% weight)
- Avoids single points of failure and scales throughput (20% weight)
Hints
- 💡Prefer private service endpoints for cloud APIs.
Common Pitfalls to Avoid
- ⚠️Overly permissive NAT Gateway configurations, allowing all outbound traffic.
- ⚠️Using default proxy settings without explicit allowlisting.
- ⚠️Failing to restrict by FQDN and relying solely on IP addresses, which can be dynamic.
- ⚠️Not enforcing port restrictions, allowing unnecessary ports to be open.
- ⚠️Neglecting to monitor egress logs, missing potential security incidents.
Potential Follow-up Questions
- ❓How to rotate proxy certificates?
- ❓How do you handle package mirrors securely?