Get fresh insights, pro tips, and thought starters–only the best of posts for you.
North-south traffic is network communication that moves between an internal network and external systems such as the internet, cloud services, remote users, or third-party networks. For teams asking what is North-south traffic, the term helps distinguish external-facing communication from east-west traffic, which stays inside the network. Security teams monitor north-south traffic to inspect inbound access, outbound connections, data movement, and potential threat activity crossing the network boundary.
It often passes through internet gateways, firewalls, proxies, VPNs, cloud access points, and edge security tools. This makes it a major focus for perimeter security and external threat monitoring.
Organizations monitor this traffic to:
These checks help teams understand how internal systems interact with external networks.
It flows across the boundary between trusted internal environments and external destinations. It can include users accessing cloud apps, servers receiving internet requests, or endpoints connecting to third-party services.
A typical flow includes:
This helps organizations control traffic that enters or leaves the enterprise environment.
North-south and east-west traffic describe different communication directions. Security teams use this distinction to understand where visibility and controls are needed.
| Traffic type | What it represents |
|---|---|
| North-south traffic | Communication between internal systems and external networks |
| East-west traffic | Communication between systems inside the same environment |
| Inbound traffic | External users or systems accessing internal resources |
| Outbound traffic | Internal users or systems connecting to external destinations |
| Lateral traffic | Internal movement between workloads, endpoints, or servers |
This distinction helps teams separate perimeter-focused monitoring from internal movement analysis.
External-facing communication can expose organizations to attacks, misconfigurations, and data leakage. Attackers may use these paths for initial access, command-and-control communication, or outbound data transfer.
Common risks include:
Security teams often combine firewall logs, proxy data, DNS records, endpoint context, and threat intelligence to investigate these risks.
North-south traffic analysis can show that a device contacted an external destination, but endpoint context helps explain what happened on the device itself. Hexnode can support this investigation layer through managed device visibility, compliance status checks, security policy enforcement, endpoint activity context, and Hexnode XDR workflows when teams need device-level evidence during security investigations.
No. It usually includes internet traffic, but it can also include communication with cloud services, remote users, partner networks, and external data centers.
Attackers may use it to reach exposed services, communicate with command-and-control infrastructure, download tools, or move stolen data out of the environment.
Yes. It usually relies on perimeter controls such as firewalls, proxies, gateways, and secure access tools, while east-west traffic requires internal segmentation and lateral movement monitoring.