
So, let's say I have a standard setup for an application, that is:
- split into microservices,
- running in a cluster (Kubernetes or Docker Swarm; I guess the specific implementation does not matter, just the main idea),
- and there's an API gateway that faces the internet and authenticates all incoming external requests.

So far, so good. Now, what to do about communication between services?

Do I need to encrypt communication between microservices in the same cluster? Do I need to perform authentication/authorization between them, or should I trust the cluster's networking, in which case doing this would be unneeded redundancy?

Giedrius
  • Are you running them on a contested network? – candied_orange May 23 '18 at 12:15
  • They will be running on AWS. – Giedrius May 23 '18 at 13:36
  • Your system is as secure as the weakest link in your system. So if your goal is to really secure your system, you need to check many factors of possible vulnerabilities. If you encrypt traffic in the colocated cluster and e.g. share the password to your AWS account, then you are probably missing the point. It is also worth mentioning that a microservice should also provide its identity (e.g. by certificate) so that you are sure you are talking to the valid service. – Tomasz Maciejewski May 23 '18 at 14:10

1 Answer


It depends: what are they actually doing?

If you’re handling health or banking records, you should probably secure the communications since there is usually a legal requirement to do so.

If you’re pushing around cat videos, maybe not.

But one thing to consider is that having the security in place makes it way easier to handle georedundancy and other sorts of disaster recovery scenarios, which will force your microservices to not be colocated.

Telastyn
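The certificate-based service identity raised in the comments, as an added example (not code from the question, the comments or the answer): a hypothetical `orders` service requires mutual TLS, so callers are authenticated by the handshake, and then authorizes by the name in the caller's certificate. The service names, the throwaway in-memory CA and the single allowed caller `api-gateway` are assumptions made for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue makes a throwaway cert for cn (constructed test PKI); a nil parent yields the self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = &tls.Certificate{PrivateKey: key, Leaf: t}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// run starts the hypothetical "orders" service and returns the HTTP status each caller gets (0 = refused).
func run() (gateway, billing, anonymous int) {
	ca, pool := issue("cluster-ca", nil), x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS.PeerCertificates[0].Subject.CommonName != "api-gateway" { // authorization by identity
			w.WriteHeader(http.StatusForbidden)
		}
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{issue("orders", &ca)}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // authentication: no cert from the cluster CA, no session
	srv.StartTLS()
	defer srv.Close()
	call := func(certs ...tls.Certificate) int { // ServerName pins the peer identity the caller expects
		tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "orders", Certificates: certs}}
		if resp, err := (&http.Client{Transport: tr}).Get(srv.URL); err == nil {
			resp.Body.Close()
			return resp.StatusCode
		}
		return 0 // the TLS handshake was rejected
	}
	return call(issue("api-gateway", &ca)), call(issue("billing", &ca)), call()
}
func main() { fmt.Println(run()) }
```

The three results correspond to the gateway (allowed), another in-cluster service with a valid certificate but no permission, and a caller that presents no certificate at all.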