Still amazes me how oblivious/stupid some companies are
They believe NAT provides security and allow unfettered outbound routing. It's a standard practice in a lot of "Tech" companies that should know better! A lot of breaches occur because an intruder manages to open a reverse shell, rummage around, then exfiltrate the juicy data.
Security Recipe 101 - Don't route 0.0.0.0/0, mix in some whitelists for IP and Ports, apply a dash of whitelisting to both inbound and outbound traffic; it makes that breach/exfiltration 100x more difficult. Slap in a pinch of IPS and a drop of Deep Packet Inspection, then it gets 1000x more potent!
It's not rocket science... but it gets ignored, especially by companies that promote "Cloud" first - I can name at least 2 FTSE 100 companies that do this!
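
Added example, not part of the original comment: a small Python audit that flags egress rules which amount to "route 0.0.0.0/0" and evaluates outbound connections under default-deny. The rule format, the sample rule sets (documentation address ranges) and the /24 and 1024-port thresholds are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rule sets in a hypothetical format: cidr, proto, (low, high) ports.
NAT_ONLY = [
    {"cidr": "0.0.0.0/0", "proto": "any", "ports": (0, 65535)},
]
ALLOWLISTED = [
    {"cidr": "203.0.113.10/32", "proto": "tcp", "ports": (443, 443)},  # update mirror
    {"cidr": "198.51.100.0/28", "proto": "tcp", "ports": (443, 443)},  # partner API
    {"cidr": "192.0.2.53/32", "proto": "udp", "ports": (53, 53)},      # DNS resolver
]

MIN_PREFIX = 24    # assumption: IPv4 destinations broader than /24 need review
MAX_PORTS = 1024   # assumption: port ranges wider than this need review


def audit_egress(rules):
    """Return (rule_index, finding) pairs for rules that defeat egress filtering."""
    findings = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        low, high = rule["ports"]
        if net.prefixlen == 0:
            findings.append((i, "default route: any destination allowed"))
        elif net.version == 4 and net.prefixlen < MIN_PREFIX:
            findings.append((i, f"broad destination /{net.prefixlen}"))
        if rule["proto"] == "any":
            findings.append((i, "any protocol"))
        if high - low + 1 > MAX_PORTS:
            findings.append((i, f"wide port range {low}-{high}"))
    return findings


def egress_allowed(rules, dst_ip, proto, port):
    """Default-deny: an outbound flow passes only if a rule matches it."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        low, high = rule["ports"]
        if addr in net and rule["proto"] in ("any", proto) and low <= port <= high:
            return True
    return False


if __name__ == "__main__":
    for name, rules in (("NAT_ONLY", NAT_ONLY), ("ALLOWLISTED", ALLOWLISTED)):
        print(name, audit_egress(rules))
        # Constructed flow to an unlisted host and port.
        print(" unlisted flow allowed:", egress_allowed(rules, "198.51.100.200", "tcp", 8443))
```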