Chapter 3. Securing north/south traffic with an API gateway

Chapter 3 from Microservices Security in Action by Prabath Siriwardena and Nuwan Dias

This chapter covers

  • The role of an API gateway in a microservices deployment
  • The deficiencies in the architecture we followed in chapter 2 in securing a microservice, and how to improve
  • Why OAuth 2.0 is the de facto standard for securing microservices at the edge
  • How to deploy a microservice behind the Zuul API gateway and secure it with OAuth 2.0

In chapter 2, we discussed how to secure microservices at the edge with OAuth 2.0. The focus of chapter 2 was to get things started with a fairly straightforward deployment. The samples there were far from production ready: each microservice had to connect to an OAuth authorization server for token validation and decide which OAuth authorization server it wanted to trust. This is not a scalable model when you have hundreds of microservices, and it places too much responsibility on the microservice developer. Please note that when we say just OAuth, we in fact mean OAuth 2.0; if you are not familiar with OAuth, we recommend you read appendix D first.

3.1      The need for an API gateway in a microservices deployment

3.1.1  Decoupling security from the microservice

3.1.2  The inherent complexities of microservice deployments make them harder to consume

3.1.3  The rawness of the microservices does not make them ideal for external exposure

3.2      Security at the edge

3.2.1  Understanding the consumer landscape of your microservices

3.2.2  Delegating access

3.2.3  Why not basic authentication to secure APIs?

3.2.4  Why not Mutual TLS to secure APIs?

3.2.5  Why OAuth 2.0?

3.3      Setting up an API gateway with Zuul

3.3.1  Compiling and running the Order Processing microservice

3.3.2  Compiling and running the Zuul proxy

3.3.3  Enabling OAuth 2.0-based security at the Zuul gateway

3.4      Securing communication between Zuul and the microservice

3.4.1  Preventing access through the firewall

3.4.2  Securing the communication between the API gateway and microservices by using mutual TLS

3.5      Summary