6 Securing east/west traffic with certificates

 

This chapter covers

  • Generating keys/certificates and securing microservices with mTLS
  • Challenges in provisioning certificates, bootstrapping trust, and revoking certificates

In chapters 3, 4, and 5, we discussed how to expose a microservice as an API through an API gateway, secure it there, and apply other quality-of-service features such as throttling and monitoring. That is all part of edge security in a typical microservices deployment. Edge security deals with authenticating and authorizing the end user, which may be a human user or a system accessing a microservice on behalf of a human user or another system. Once the security screening at the edge is complete, the end-user context is passed to the upstream microservices. Edge security does not, however, protect the traffic that then flows between those microservices, and that is the subject of this chapter.

In this chapter, we discuss securing communications among microservices with mutual Transport Layer Security (mTLS). mTLS is the most widely used option for securing service-to-service (east/west) communications: each side presents a certificate during the handshake, so the connection is encrypted and both parties are authenticated.

6.1 Why use mTLS?

When you buy something from Amazon, for example, your credit card information flows from your browser to Amazon’s servers over TLS, and no one in the middle can read or tamper with it. When you log in to Facebook, your credentials flow from your browser to Facebook’s servers over TLS, and no one in the middle can intercept the communications and find out what those are. What makes this work is that the browser verifies the server’s certificate against a certificate authority it already trusts. In this one-way TLS the server, however, learns nothing about who the client is from TLS alone; that gap is what mTLS closes.

6.1.1 Building trust between a client and a server with a certificate authority

6.1.2 Mutual TLS helps the client and the server to identify each other

6.1.3 HTTPS is HTTP over TLS

6.2 Creating certificates to secure access to microservices

6.2.1 Creating a certificate authority

6.2.2 Generating keys for the Order Processing microservice

6.2.3 Generating keys for the Inventory microservice

6.2.4 Using a single script to generate all the keys

6.3 Securing microservices with TLS

6.3.1 Running the Order Processing microservice over TLS

6.3.2 Running the Inventory microservice over TLS

6.3.3 Securing communications between two microservices with TLS

6.4 Engaging mTLS
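The certificate-generation steps of section 6.2 and the mutual handshake of section 6.4, as one added, self-contained example that is not code from the book or from its sample microservices: it uses Go's standard library instead of the book's keystores and shell scripts, so the CA, the two service certificates, and the loopback connection are all created in memory. The service names "inventory" and "orders", the serial numbers, the 24-hour validity, and the two-byte "ok" acknowledgement are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Identity is a certificate with its private key, also packaged as crypto/tls expects it.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	TLS  tls.Certificate
}

// Issue generates a P-256 key and a certificate for name. With parent nil it makes the
// self-signed CA of 6.2.1; otherwise parent signs a service certificate (6.2.2/6.2.3)
// whose name sits in SubjectAltName, the field verifiers match, and which is valid as
// both TLS server and TLS client, since under mTLS a service plays both roles.
func Issue(parent *Identity, name string, serial int64) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:     time.Now().Add(24 * time.Hour), // assumed validity for the example
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		issuer, issuerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}, nil
}

// MutualHandshake runs one mTLS connection over loopback (srv accepts, cli dials) and
// returns the client name the server verified, or an error saying which side refused.
func MutualHandshake(ca, srv, cli *Identity, serverName string) (string, error) {
	pool := x509.NewCertPool() // both sides trust the CA, not each other's certificates
	pool.AddCert(ca.Cert)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{srv.TLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what turns TLS into mTLS
		ClientCAs:    pool,
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{cli.TLS},
		RootCAs:      pool, // never InsecureSkipVerify: that switches off server authentication
		ServerName:   serverName,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peer string
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer raw.Close()
		conn := tls.Server(raw, serverCfg)
		if err = conn.Handshake(); err == nil {
			peer = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
			_, err = conn.Write([]byte("ok")) // tells the client its certificate passed
		}
		errc <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // dials and verifies the server
	if err != nil {
		return "", fmt.Errorf("client rejected server: %w", err)
	}
	defer conn.Close()
	// Under TLS 1.3 the client's handshake completes before the server has checked the
	// client certificate, so read one application record to learn the server's verdict.
	var ack [2]byte
	_, readErr := io.ReadFull(conn, ack[:])
	if err := <-errc; err != nil {
		return "", fmt.Errorf("server rejected client: %w", err)
	}
	return peer, readErr
}

func main() {
	ca, _ := Issue(nil, "Example Root CA", 1) // errors ignored only to keep the demo short
	inventory, _ := Issue(ca, "inventory", 2)
	orders, _ := Issue(ca, "orders", 3)
	fmt.Println(MutualHandshake(ca, inventory, orders, "inventory"))
	rogueCA, _ := Issue(nil, "Rogue CA", 1)
	impostor, _ := Issue(rogueCA, "orders", 4) // right name, wrong issuer
	fmt.Println(MutualHandshake(ca, inventory, impostor, "inventory"))
}
```

Run with go run: the first handshake reports orders as the verified peer, the second fails because the impostor's certificate chains to a CA the inventory service does not trust, even though it carries the right name. Changing ClientAuth to tls.NoClientCert turns the server back into plain TLS: the handshake still succeeds, but the server no longer learns who called it, which is the difference between sections 6.3 and 6.4. The wait for an application record matters because in TLS 1.3 the client's Handshake returns before the server has examined the client certificate.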

6.5 Challenges in key management

6.5.1 Key provisioning and bootstrapping trust

6.5.2 Certificate revocation