Chapter 3. Securing north/south traffic with an API gateway

Chapter 3 from Microservices Security in Action by Prabath Siriwardena and Nuwan Dias

In chapter 2, we discussed how to secure microservices at the edge with OAuth 2.0. The focus of chapter 2 was to get things started with a quite straightforward deployment. The samples there were far from production ready. Each microservice had to connect to an OAuth authorization server for token validation and decide which OAuth authorization server it wanted to trust. This is not a scalable model when you have hundreds of microservices and too much responsibility on the microservices developer. Please note that, when we say just OAuth, we in fact mean OAuth 2.0 – and if you are not familiar with OAuth, we recommend you go through the appendix D first.

3.1      The need for an API gateway in a microservices deployment

3.1.1  Decoupling security from the microservice

3.1.2  The inherent complexities of microservice deployments make them harder to consume

3.1.3  The rawness of the microservices does not make them ideal for external exposure

3.2      Security at the edge

3.2.1  Understanding the consumer landscape of your microservices

3.2.2  Delegating access

3.2.3  Why not basic authentication to secure APIs?

3.2.4  Why not Mutual TLS to secure APIs?

3.2.5  Why OAuth 2.0?

3.3      Setting up an API gateway with Zuul

3.3.1  Compiling and running the Order Processing microservice

3.3.2  Compiling and running the Zuul proxy

3.3.3  Enabling OAuth 2.0-based security at the Zuul gateway

3.4      Securing communication between Zuul and the microservice

3.4.1  Preventing access through the firewall

3.4.2  Securing the communication between the API gateway and microservices by using mutual TLS

3.5      Summary