
Egress & ingress proxies

robert-bryson edited this page May 11, 2022 · 4 revisions

Data.gov uses ingress and egress proxies for a variety of reasons: traffic control, security compliance, and so on.

Ingress

TBD

Egress

Egress proxying is achieved by Caddy servers running in each Cloud Foundry egress space (e.g., development-egress) named egress-proxy-gsa-datagov-<SPACE>. See GSA/cg-egress-proxy for implementation details.

In short: application egress is routed by a Cloud Foundry network policy to the egress proxy app. The proxy then allows or denies each outbound connection by destination domain according to its ACL files; any domain not listed is denied (DENY ALL). Public egress is restricted by a security group (though, at the time of writing, this is not enabled).
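To make the allow/deny-by-domain rule concrete, here is an added illustration of a default-deny egress ACL check. It is not code from GSA/cg-egress-proxy or from the proxy itself; the ACL file format (one hostname pattern per line, `#` comments, `*.example.com` matching subdomains but not the apex), the rule that a deny entry wins over an allow entry, and the sample hostnames are all assumptions constructed for the example.

```python
"""Default-deny egress ACL check (added illustration, not cg-egress-proxy code).

Assumed ACL format: one hostname pattern per line, '#' starts a comment,
'*.example.com' matches any subdomain of example.com (but not the apex).
A host is allowed only if it matches an allow entry and no deny entry;
anything else falls through to DENY ALL.
"""
from typing import Dict, Iterable, List

# Constructed sample allow list (stands in for an allow.acl file).
ALLOW_ACL = """\
# constructed sample allow list
api.data.gov
catalog.data.gov
*.amazonaws.com
"""

# Constructed sample deny list: one bucket host is blocked even though
# the broader *.amazonaws.com wildcard is allowed.
DENY_ACL = """\
# constructed sample deny list
private-bucket.s3.amazonaws.com
"""


def parse_acl(text: str) -> List[str]:
    """Return the non-comment, non-empty patterns, lowercased, no trailing dot."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.append(line)
    return entries


def normalize_host(host: str) -> str:
    """Lowercase, drop an optional :port and a trailing dot, handle [ipv6]."""
    host = host.strip().lower()
    if host.startswith("["):
        host = host[1:host.find("]")]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def pattern_matches(pattern: str, host: str) -> bool:
    """'*.x.y' matches any subdomain of x.y (not x.y itself); else exact match."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".x.y" keeps the dot, so "notx.y" cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def decide(host: str, allow: List[str], deny: List[str]) -> str:
    """Deny entries win, then allow entries, then the DENY ALL default."""
    h = normalize_host(host)
    if not h:
        return "DENY"
    if any(pattern_matches(p, h) for p in deny):
        return "DENY"
    if any(pattern_matches(p, h) for p in allow):
        return "ALLOW"
    return "DENY"  # default: DENY ALL


def evaluate_requests(hosts: Iterable[str],
                      allow_text: str = ALLOW_ACL,
                      deny_text: str = DENY_ACL) -> Dict[str, str]:
    """Map each requested host to its ALLOW/DENY verdict."""
    allow, deny = parse_acl(allow_text), parse_acl(deny_text)
    return {h: decide(h, allow, deny) for h in hosts}


if __name__ == "__main__":
    sample = [  # constructed requests as an app might issue them
        "api.data.gov",
        "API.DATA.GOV:443",
        "s3.amazonaws.com",
        "private-bucket.s3.amazonaws.com",
        "amazonaws.com",
        "evil.example.org",
        "data.gov",
    ]
    for host, verdict in evaluate_requests(sample).items():
        print(f"{verdict:5} {host}")
```

The ordering (deny, then allow, then default deny) is what keeps the proxy fail-closed: a typo in the allow list or an unlisted domain produces a DENY rather than an accidental open egress path, and a wildcard can still be narrowed by a single deny entry.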

Issues

S3 Buckets

TBD

Restarts

There is an as-yet-unidentified issue in the generation of new certs that causes the certs to expire. The certs are valid on a fresh egress restart, so to work around this there is a restart GitHub Action (code) that should run every night to restart the egress proxy apps. Note also that workflow_dispatch is set on the action, which allows the restart to be run manually using the Run workflow button.
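For reference, this is the shape such a nightly restart workflow takes. It is an added illustration, not the repository's own workflow file: the cron time, the org name, the space list, the Cloud Foundry API endpoint placeholder and the secret names are assumptions, and the `egress-proxy-gsa-datagov-<SPACE>` app name follows the naming given above.

```yaml
# Added illustration of a nightly egress-proxy restart workflow; not the
# project's own file. Assumed: the secrets CF_USERNAME / CF_PASSWORD, the
# org name, the space prefixes, the cron time and the API endpoint placeholder.
name: Restart egress proxies

on:
  schedule:
    - cron: "0 6 * * *"   # nightly at 06:00 UTC (assumed time)
  workflow_dispatch:      # enables the "Run workflow" button for manual runs

jobs:
  restart:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # one space failing should not skip the others
      matrix:
        space: [development, staging, production]   # assumed space prefixes
    steps:
      - name: Install cf CLI v8
        run: |
          curl -sL "https://packages.cloudfoundry.org/stable?release=linux64-binary&version=v8&source=github" \
            | sudo tar -zx -C /usr/local/bin cf

      - name: Restart the proxy in ${{ matrix.space }}-egress
        env:
          CF_USERNAME: ${{ secrets.CF_USERNAME }}
          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
        run: |
          cf api https://api.cf.example.invalid   # placeholder endpoint
          cf auth "$CF_USERNAME" "$CF_PASSWORD"
          cf target -o gsa-datagov -s "${{ matrix.space }}-egress"
          cf restart "egress-proxy-gsa-datagov-${{ matrix.space }}"
```

Because the restart is the only thing keeping the proxy's certs valid, a failed scheduled run is worth alerting on; `fail-fast: false` keeps one space's failure from masking the others, and the manual trigger gives an operator a way to recover before the next scheduled run.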

Help! Something is broken!

TBD
