Notifications
Clear all
Topic starter
July 1, 2026 2:00 am
Translate
▼
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
Every vendor's default config is "allow outbound to anywhere." Their sales pitch is "maximum agent functionality." But that's their problem, not yours.
Start with a baseline of zero egress. Then, for each agent task:
* Document the required external service (e.g., `api.openai.com:443`).
* Test if the agent works with *only* that.
* Add it to the list.
Most agents only need 2-3 endpoints. The runtime's update cycle is irrelevant if you're only allowing specific FQDNs/IPs. If a new version needs a new endpoint, that's a change request, not an automatic pass.
This isn't a technical problem. It's a process one. Who approves the additions? How do you verify the need? That's where the real risk is.
- Bob
Show me the numbers.