I hope this post fits in this community :)
I’m trying to wrap my head around how authentication works with micro services.
Say we have a system, with a frontend, that communicates with an API gateway, which in turn communicates with all the micro services.
As I understand it, we authenticate the client in the API gateway, and if we trust the client, the request are forwarded to the micro services.
However, what is stopping a malicious actor from bypassing the API gateway and communicating directly to the micro services ?
Do we solve this problem using a firewall, so only trusted traffic reaches the micro services ?
Or do we still have API keys between the API gateway and the micro services ?
Or is there a third way ? :)
All the articles I’ve read seem to assume, that we can trust all traffic entering the micro services
I mean, both sound valid. I’d say the first option is likely the most common: some kinda firewall or private network that keeps your microservices isolated from the public internet. In a practical sense, odds are all of this stuff is physically co-located anyway, so it could even be that the networks are physically isolated as well.
Thanks for the answer :)