East-West Traffic Flows

East-west traffic is network communication between internal systems, services, or workloads rather than traffic crossing into or out of the environment.

In plain language, east-west traffic is server-to-server or workload-to-workload traffic inside an environment rather than traffic entering from or leaving to the outside world.

Why It Matters

East-west traffic matters because attackers often move laterally after their first foothold. If internal traffic is wide open and poorly monitored, a compromise can spread more easily across workloads, segments, services, or accounts.

It also matters because many modern cloud and container environments have far more internal service-to-service communication than older perimeter-focused models expected. Internal traffic is now often the dominant traffic pattern in distributed systems.

Where It Appears in Real Systems or Security Workflow

East-west traffic appears in data centers, Virtual Private Cloud networks, container clusters, microservices environments, and Microsegmentation programs. Security teams examine it when they are trying to reduce broad internal trust, detect lateral movement, or understand which systems really need to communicate.

It connects directly to Network Segmentation, Microsegmentation, Lateral Movement, Intrusion Detection System, Network Telemetry, and Zero Trust Network Access.

It is a key concept whenever defenders need visibility into internal trust boundaries rather than only internet-facing traffic.

Practical Example

A compromised application server begins making unexpected connections to neighboring database and file servers inside the same environment. That abnormal east-west traffic becomes a signal that lateral movement may be underway even though no suspicious inbound internet connection is visible at that moment.
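The detection idea in this example, written out as an added sketch (not code from the original page): classify flow records as east-west or north-south, build a baseline of which internal peers each source normally reaches, and flag internal connections outside that baseline. The flow record format, the RFC 1918 ranges used to mean "internal", and all addresses and timestamps are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges stand in for "inside the environment".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src, dst):
    """East-west when both endpoints are internal, otherwise north-south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport proto' flow record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def build_baseline(lines):
    """Map each internal source to the set of (dst, dport) it normally reaches."""
    baseline = defaultdict(set)
    for f in map(parse_flow, lines):
        if direction(f["src"], f["dst"]) == "east-west":
            baseline[f["src"]].add((f["dst"], f["dport"]))
    return baseline

def new_internal_peers(baseline, lines):
    """Return east-west flows whose (dst, dport) was never seen for that source."""
    flows = map(parse_flow, lines)
    return [f for f in flows if direction(f["src"], f["dst"]) == "east-west"
            and (f["dst"], f["dport"]) not in baseline.get(f["src"], set())]

# Constructed sample data: 10.0.1.10 plays the application server.
BASELINE_FLOWS = [
    "2026-04-01T10:00:00Z 10.0.1.10 10.0.2.20 5432 tcp",
    "2026-04-01T10:00:05Z 203.0.113.7 10.0.1.10 443 tcp",
]
OBSERVED_FLOWS = [
    "2026-04-02T03:12:00Z 10.0.1.10 10.0.2.20 5432 tcp",    # known app -> database
    "2026-04-02T03:12:09Z 10.0.1.10 10.0.2.21 5432 tcp",    # new database peer
    "2026-04-02T03:12:11Z 10.0.1.10 10.0.3.30 445 tcp",     # new file server peer
    "2026-04-02T03:12:15Z 198.51.100.4 10.0.1.10 443 tcp",  # north-south, not evaluated here
]

if __name__ == "__main__":
    for f in new_internal_peers(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"new east-west peer: {f['src']} -> {f['dst']}:{f['dport']} at {f['ts']}")
```

The inbound flow from 198.51.100.4 is skipped because it crosses the boundary, which mirrors the point above: the signal comes from internal traffic, not from the internet-facing side.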

Common Misunderstandings and Close Contrasts

East-west traffic is not the same as north-south traffic. North-south traffic refers to communication that crosses the environment boundary, such as internet-to-app or app-to-internet connections.

It is also not automatically suspicious. Internal traffic is normal in many architectures, but it becomes risky when it is broader than necessary, weakly monitored, or poorly segmented.

It is also a mistake to think “internal” means “trusted.” In many environments the most important defensive work happens after an attacker or malicious process is already inside.

Knowledge Check

  1. What kind of communication does east-west traffic describe? It describes internal system-to-system or workload-to-workload traffic inside an environment.
  2. Why do defenders care about east-west traffic so much? Because lateral movement often happens through internal communication after an initial foothold.
  3. Is east-west traffic always suspicious? No. It is normal in many environments, but it needs control and visibility so misuse stands out.

Revised on Friday, April 24, 2026