6 Securing east/west traffic with certificates
This chapter covers
- Creating certificates and securing microservices with mutual Transport Layer Security (mTLS)
- Challenges in certificate management, trust bootstrap, and certificate revocation
- Solutions and workarounds to securing microservices with mTLS
In chapters 3, 4, and 5, we discussed how to expose a microservice as an API via a secure API gateway and how to apply other quality-of-service features such as throttling and monitoring. That’s all part of the edge security in a typical microservices deployment. Edge security deals with authenticating and authorizing the end user, which is a system accessing a microservice on behalf of a human user or another system. Once the security screening at the edge is done, the end-user context is passed to the upstream microservices.
In this chapter, we discuss securing communications among microservices with mutual Transport Layer Security (mTLS). mTLS is the most popular option for securing communications among microservices.
6.1 Why use mTLS?
When you buy something from Amazon, for example, all your credit card information flows from your browser to Amazon’s servers over Transport Layer Security (TLS), and no one in the middle can see what it is. When you log in to Facebook, your credentials flow from your browser to Facebook’s servers over TLS, and no one in the middle can intercept the communications and find out what those are.