More specifically, that the host should not route public IP space but use a proxy for any outbound connection (and a load balancer/reverse proxy for any incoming)
Every org is different of course but in the general I agree that this should be a more common pattern.
