9 Securing reactive microservices


This chapter covers

  • Using Kafka as a message broker for interservice communications
  • Using TLS in Kafka to secure messages in transit
  • Using mTLS to authenticate microservices connecting to Kafka
  • Controlling access to Kafka topics using access control lists
  • Using NATS for reactive microservices

In chapters 6 and 7, we discussed how to secure service-to-service communications with mTLS and JWT. Chapter 8 extended that discussion to communications over gRPC. In all those cases, our examples assumed synchronous communication between the calling microservice and the recipient microservice. The security model you develop to protect service-to-service communications should take into account how the microservices actually talk to each other: synchronously or asynchronously.

In most cases, synchronous communications happen over HTTP. Asynchronous communications can happen over any kind of messaging system, such as RabbitMQ, Apache Kafka, NATS, ActiveMQ, or even Amazon SQS. In this chapter, we discuss how to use Kafka and NATS as message brokers that let microservices communicate with each other in an event-driven fashion, and how to secure those communication channels.

9.1 Why reactive microservices?

9.2 Setting up Kafka as a message broker

9.3 Developing a microservice to push events to a Kafka topic

9.4 Developing a microservice to read events from a Kafka topic

9.5 Using TLS to protect data in transit

9.5.1 Creating and signing the TLS keys and certificates for Kafka

9.5.2 Configuring TLS on the Kafka server

9.5.3 Configuring TLS on the microservices

9.6 Using mTLS for authentication

9.7 Controlling access to Kafka topics with ACLs

9.7.1 Enabling ACLs on Kafka and identifying the clients

9.7.2 Defining ACLs on Kafka

9.8 Setting up NATS as a message broker

Summary