Securing Microservices (API-Gateways and Zero-Trust)

If you implement a microservice architecture, you will sooner or later have to deal with the cross-cutting concern of client authentication and with general security questions. In this article I will discuss a few options.

Why you should use an API-Gateway

An API-Gateway is a single, unified point of entry for all API calls into your infrastructure. It often also provides features like throttling and analytics/monitoring.

Pros

Security and performance are the main pros of an API-Gateway. Moreover, it decouples client code from the structure of your microservices.

  • Hide the internal structure of your microservices (sub-domain abstraction from client-side components)
  • Request aggregation (one request against gateway and gateway dispatches several ones towards internal microservices)
  • API Lifecycle Management (versioning)
  • Reduce security attack surface
  • Decrease client round trips (client only needs e.g. one (SSL-)handshake)
  • Monitoring, Logging and Analytics
  • Protection against security vectors like SQL Injection, XML Parser exploits, and denial-of-service (DoS) attacks
  • Mixing communication protocols in microservices
  • Supporting documentation
  • Unify common concerns of microservices such as:
    • authentication
    • CORS
    • IP whitelisting
    • token validation
    • user access control
    • rate limiting and throttling
    • caching

Cons

  • increases deployment / infrastructure complexity
  • potential performance bottleneck and SPOF
  • coupling of API-Gateway with microservices

Why should you Zero-Trust?

Traditional networking: green vs. red zone, internal vs. public. At the border: firewalls! Inside: (maybe) segmentation (VNets). The basic assumption is: I trust traffic on the inside. And on a technical note: IP addresses are not reliable in the cloud …

Also, there is a (“new”) attack vector: the attacker is already inside (an employee, a contractor). And especially in the cloud you don’t control “the” network, because there are multiple networks and you control none of them, e.g. a contractor connecting from their own office network to your cloud infrastructure.

Benefits

  • Better visibility into data, assets and risks.
  • Consistent and comprehensive security.
  • Speed and agility to stay ahead of evolving technologies.
  • Reduced operational cost and complexity.
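As an added illustration (not code from the original article), the snippet below ties the two sections together: it shows the gateway concerns listed above (token validation, rate limiting) implemented in one place, and contrasts them with the perimeter assumption that traffic from the inside can be trusted. The token format, the demo key and the 10.0.0.0/8 “internal” range are assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed demo secret; a real gateway would load it from a secret store.
GATEWAY_KEY = b"constructed-demo-key-not-for-production"
INTERNAL_NET = ip_network("10.0.0.0/8")  # the "green zone" of the perimeter model


def mint_token(client_id: str, expires_at: int, key: bytes = GATEWAY_KEY) -> str:
    """Issue a demo bearer token 'client_id.expires_at.hmac' (hypothetical format)."""
    payload = f"{client_id}.{expires_at}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, now: int, key: bytes = GATEWAY_KEY):
    """Return the client id if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    client_id, expires_at, sig = parts
    expected = hmac.new(key, f"{client_id}.{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig) or int(expires_at) <= now:
        return None
    return client_id


def perimeter_policy(request: dict) -> int:
    """Classic model: anything from the internal range is trusted. Shown as the anti-pattern."""
    return 200 if ip_address(request["source_ip"]) in INTERNAL_NET else 403


@dataclass
class ZeroTrustGateway:
    """Gateway that authenticates and rate-limits every request, ignoring source IP."""
    limit_per_minute: int = 3
    counters: dict = field(default_factory=dict)  # client_id -> (window, count)

    def handle(self, request: dict, now: int) -> int:
        auth = request.get("authorization", "")
        client = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
        if client is None:
            return 401  # no network position substitutes for a valid credential
        window = now // 60
        start, count = self.counters.get(client, (window, 0))
        if start != window:
            start, count = window, 0  # new fixed window, reset the counter
        if count >= self.limit_per_minute:
            return 429  # throttling is a gateway concern too
        self.counters[client] = (start, count + 1)
        return 200
```

The same unauthenticated request from 10.0.0.5 gets a 200 from the perimeter policy and a 401 from the zero-trust gateway; the token, not the address, decides.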
