3 Securing north/south traffic with an API gateway


This chapter covers

  • Understanding the role of an API gateway
  • Improving architecture deficiencies from chapter 2
  • Deploying a microservice behind the Zuul API gateway
  • Using OAuth 2.0 for securing microservices at the edge

In chapter 2, we discussed how to secure microservices at the edge with OAuth 2.0. The focus of chapter 2 was to get things started with a straightforward deployment, and the samples in that chapter were far from production-ready. Each microservice had to connect to an OAuth 2.0 authorization server to validate tokens, and each had to decide for itself which OAuth 2.0 authorization server it trusted. That model does not scale to hundreds of microservices, and it puts too much security responsibility on the microservice developer.

3.1 The need for an API gateway in a microservices deployment

3.1.1 Decoupling security from the microservice

3.1.2 The inherent complexities of microservice deployments make them harder to consume

3.1.3 The rawness of microservices does not make them ideal for external exposure

3.2 Security at the edge

3.2.1 Understanding the consumer landscape of your microservices

3.2.2 Delegating access

3.2.3 Why not basic authentication to secure APIs?

3.2.4 Why not mutual TLS to secure APIs?

3.2.5 Why OAuth 2.0?

3.3 Setting up an API gateway with Zuul

3.3.1 Compiling and running the Order Processing microservice

3.3.2 Compiling and running the Zuul proxy

3.3.3 Enforcing OAuth 2.0-based security at the Zuul gateway

3.4 Securing communication between Zuul and the microservice

3.4.1 Preventing access through the firewall

3.4.2 Securing the communication between the API gateway and microservices by using mutual TLS

Summary