6

I have two microservices, for example, A and B. Microservice B has a REST endpoint that must be accessible only from microservice A. How can I limit access between microservices? What is the best practice, if this is possible at all?

I'm using spring cloud security (oauth2, jwt).

Oleg P.

2 Answers

3

This is a networking issue. Simply restrict access to microservice B at the network level. This can be done easily if you are using Docker, for example: you would not publicly expose the relevant port for microservice B, but expose it on a specific network and then have microservice A join that network.

You could use public/private keys if you wanted to add extra security. Alternatively, it would be simpler to generate a JWT for application A and validate it in microservice B, but as you add more microservices this has more management overhead.

Alternatively, you should look into an API Gateway, which can handle API access for you.

ExoticChimp
  • Is this possible in something like Kubernetes/Swarm? (I am planning to use those to build out my architecture.) For example, if I want to limit a service `A` to only be accessed by services `C` and `E` and not `B` and `D`, is it possible to do something like that? – Divij Sehgal Jan 07 '18 at 19:10
  • I think that would automatically secure my internal network, wouldn't it? And since everything is behind an API Gateway, external security is handled automatically – Divij Sehgal Jan 07 '18 at 19:11
  • Someone once told me that relying on network security for application security is just "security through obscurity" and I think they're right – MetaGuru Apr 24 '18 at 15:15
  • @BigOmega can you elaborate on what your comment means to make it constructive? It’s not security through obscurity really, but you’re right if the suggestion is that application security should not be replaced by network level security - both are essential (and not limited to microservices) – ExoticChimp Apr 24 '18 at 15:27
  • @ExoticChimp, as for the suggestion to solve this issue using the API GW, normally API GWs are used for north-south requests, and less for east-west, so the communication between two microservices in the same app won't necessarily flow through the API GW. – omer Feb 28 '19 at 14:20
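As an added illustration of the network-level approach in this answer (this is not code from the original post), here is a Docker Compose file with a private `backend` network shared only by A and B; the service names, image names and ports are assumptions. B publishes no host port, so it is reachable as `http://service-b:8081` only from containers attached to `backend`:

```yaml
# docker-compose.yml (added example; service and image names are hypothetical)
networks:
  frontend: {}          # network that carries external traffic
  backend:
    internal: true      # no external connectivity; only attached containers can talk here

services:
  service-a:
    image: example/service-a        # hypothetical image
    ports:
      - "8080:8080"                 # A is the only service published on the host
    networks:
      - frontend
      - backend                     # A joins backend, so it can reach B
    environment:
      - SERVICE_B_URL=http://service-b:8081   # Compose DNS resolves the service name on the shared network

  service-b:
    image: example/service-b        # hypothetical image
    # no `ports:` entry: B's port 8081 is never published on the host
    networks:
      - backend                     # B is attached to backend only

  service-c:
    image: example/service-c        # hypothetical image that must NOT be able to call B
    networks:
      - frontend                    # not on backend, so `service-b` does not even resolve from here
```

You can check the isolation by running a curl or wget against `http://service-b:8081/` from inside `service-c` (name resolution should fail) and from inside `service-a` (should succeed). This only restricts reachability: any container attached to `backend` can call B, so if B needs to know that the caller is specifically A, you still need the JWT or public/private key option mentioned in the answer.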
0

Have another microservice that's not so much responsible for a business problem, but for a non-functional business problem: security.

This microservice is logical (as all microservices should be logically responsible for a business problem) and isn't deployed on its own, but rather deployed with other microservices. Then build a proper API that both microservice A and B are aware of and that is mandatory to execute before accepting any calls or executing calls.

Where other microservices should be part of some business-related boundary (bounded context, if you will), the security microservice is within the boundary of a non-functional requirement. You could call this IT/Ops or DevOps or something.

Dennis van der Stelt