IAAS (the form of Cloud computing that has "virtualized instances") often comes with a loss of control over the network layer and therefore reduced ability to enforce egress controls using network devices.
IAAS providers generally give everything direct egress to the Internet. This is baked into "marketplace" templates and GUI defaults. As such, it is a constant struggle to ensure that routing keeps the egress flowing through our firewall without totally hosing up the automated deployments.
On premises we eliminate this risk by ensuring that the physical cabling only permits "Internet egress" via our firewalls. And we use color coded ethernet cables (red == dirty network; orange == DMZ; blue == inside company) to make it really easy to audit that the config remains as expected because each device only gets one cable "color" unless it is a firewall.
As one moves "up the scale" to SAAS, you end up losing the ability to install specialized security tools, instead relying on those provided by the supplier.
