If you implement a microservice architecture, you will, sooner or later, have to deal with the cross-cutting concern of client authentication and general security questions. In this article I will discuss a few options.
Why you should use an API-Gateway
An API gateway is a single, unified entry point for all API calls into your infrastructure. It typically also provides features such as throttling, analytics and monitoring.
Pros
Security and performance are the main pros of an API gateway. Moreover, it decouples client code from your microservice structure.
- Hides the internal structure of your microservices; sub-domains are abstracted away from client-side components
- Request aggregation: one client request against the gateway, which the gateway fans out into several requests to internal microservices
- API lifecycle management (versioning)
- Reduced attack surface: only the gateway is reachable from outside
- Fewer client round trips (the client needs e.g. only one TLS handshake)
- Monitoring, logging and analytics
- Single enforcement point for protection against attack vectors such as SQL injection, XML parser exploits and denial-of-service (DoS) attacks
- Mixing communication protocols between microservices (the gateway speaks HTTP to clients while internal services may use other protocols)
- Central place for API documentation
- Unifies common concerns of microservices such as
  - authentication
  - CORS
  - IP whitelisting
  - token validation
  - user access control
  - rate limiting and throttling
  - caching
Cons
- increases deployment and infrastructure complexity
- potential performance bottleneck and single point of failure (SPOF)
- couples the API gateway to the microservices behind it (routing and aggregation logic must change when they change)
Why should you go Zero Trust?
Traditional networking distinguishes a green zone from a red zone, internal from public. Firewalls sit at the border; inside there is (maybe) some segmentation (vnets). The basic assumption is: traffic on the inside is trusted. On a technical note, IP addresses are not reliable in the cloud either: they are assigned dynamically, shared behind NAT and load balancers, and can be reused or spoofed, so a source address is not an identity.
There is also a ("new") attack vector: the attacker is already inside (employee, contractor), and especially in the cloud you do not control "the" network, because there are several networks and you control none of them fully, e.g. a contractor connecting from their own office network to your cloud infrastructure.
Benefits
- Better visibility into data, assets and risks.
- Consistent and comprehensive security.
- Speed and agility to stay ahead of evolving technologies.
- Reduced operational cost and complexity.
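The following example is added here to illustrate both the list of concerns a gateway unifies (IP whitelisting, token validation, rate limiting, request aggregation) and the zero-trust point above that internal services should not trust a request just because it arrives from an "inside" address. It is not code from the original article or from any gateway product; the HMAC-signed token format, the shared key, the service names, the IP addresses and all requests are hypothetical and constructed for this example. The contrast it shows: a perimeter-style service accepts anything from a 10.x address, while the zero-trust service verifies the forwarded token on every request, so bypassing the gateway with a spoofed internal address gains nothing.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Callable, Dict, Optional

# Assumption: gateway, internal services and the token issuer share one HMAC key.
# Constructed for this example; a real deployment would use an identity provider.
TOKEN_KEY = b"hypothetical-shared-secret"


def issue_token(subject: str, expires_at: float) -> str:
    """Issue a minimal bearer token of the form base64(claims).hexsignature."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"sub": subject, "exp": expires_at}).encode()).decode()
    signature = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{signature}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if signature is valid and token unexpired, else None."""
    payload, sep, signature = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


Service = Callable[[dict, float], dict]


def make_service(name: str, zero_trust: bool) -> Service:
    """Internal service. zero_trust=False trusts any 10.x caller (perimeter model);
    zero_trust=True verifies the bearer token on every request."""
    def service(request: dict, now: float) -> dict:
        if zero_trust:
            claims = verify_token(request.get("token", ""), now)
            if claims is None:
                return {"status": 401, "error": f"{name}: caller not verified"}
            return {"status": 200, "body": f"{name} data for {claims['sub']}"}
        if request.get("ip", "").startswith("10."):
            return {"status": 200, "body": f"{name} data for unverified internal caller"}
        return {"status": 403, "error": f"{name}: external caller"}
    return service


class Gateway:
    """Single entry point that enforces the cross-cutting concerns once."""

    def __init__(self, services: Dict[str, Service], allowlist=(), rate_limit=5, window=60.0):
        self.services = services
        self.allowlist = set(allowlist)   # empty = no IP restriction
        self.rate_limit = rate_limit      # requests per window per source IP
        self.window = window
        self._hits = defaultdict(list)    # source IP -> timestamps (sliding window)

    def _rate_limited(self, ip: str, now: float) -> bool:
        recent = [t for t in self._hits[ip] if now - t < self.window]
        self._hits[ip] = recent
        if len(recent) >= self.rate_limit:
            return True
        recent.append(now)
        return False

    def handle(self, request: dict, now: float) -> dict:
        ip = request.get("ip", "")
        if self.allowlist and ip not in self.allowlist:
            return {"status": 403, "error": "source IP not allowed"}
        if self._rate_limited(ip, now):   # counted before auth: bad tokens cost quota too
            return {"status": 429, "error": "rate limit exceeded"}
        if verify_token(request.get("token", ""), now) is None:
            return {"status": 401, "error": "invalid or expired token"}
        # Forward the client's token so downstream services can verify it themselves.
        internal = {"ip": "10.0.0.1", "token": request["token"]}
        path = request.get("path", "")
        if path == "/dashboard":
            # Request aggregation: one client call fans out to several services.
            parts = {n: self.services[n](internal, now) for n in ("orders", "profile")}
            if any(p["status"] != 200 for p in parts.values()):
                return {"status": 502, "error": "upstream failure"}
            return {"status": 200, "body": {n: p["body"] for n, p in parts.items()}}
        name = path.strip("/")
        if name in self.services:
            return self.services[name](internal, now)
        return {"status": 404, "error": "unknown route"}


def run_demo() -> dict:
    """Drive the gateway with constructed requests; returns every response for inspection."""
    now = 1_700_000_000.0
    perimeter = make_service("orders", zero_trust=False)
    zt = {"orders": make_service("orders", True), "profile": make_service("profile", True)}
    gw = Gateway(zt, allowlist={"203.0.113.7"}, rate_limit=3)
    good = issue_token("alice", now + 300)
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")   # flip last hex digit of the signature
    client, other = "203.0.113.7", "198.51.100.9"
    r = {}
    r["dashboard"] = gw.handle({"ip": client, "token": good, "path": "/dashboard"}, now)
    r["forged"] = gw.handle({"ip": client, "token": forged, "path": "/orders"}, now)
    r["blocked_ip"] = gw.handle({"ip": other, "token": good, "path": "/orders"}, now)
    r["third"] = gw.handle({"ip": client, "token": good, "path": "/orders"}, now)
    r["fourth"] = gw.handle({"ip": client, "token": good, "path": "/orders"}, now)
    # Bypass the gateway entirely with a spoofed internal address and no token.
    spoofed = {"ip": "10.0.0.99", "token": ""}
    r["perimeter_direct"] = perimeter(spoofed, now)        # accepted on address alone
    r["zero_trust_direct"] = zt["orders"](spoofed, now)    # rejected: nothing to verify
    return r
```

The rate limiter is applied before token validation on purpose: otherwise an attacker could burn CPU on signature checks without ever spending quota. The two direct calls at the end are the zero-trust argument in one line each.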