I hope this post fits in this community :)

I’m trying to wrap my head around how authentication works with microservices.

Say we have a system with a frontend that communicates with an API gateway, which in turn communicates with all the microservices.

As I understand it, we authenticate the client in the API gateway, and if we trust the client, the requests are forwarded to the microservices.

However, what is stopping a malicious actor from bypassing the API gateway and communicating directly with the microservices?

Do we solve this problem using a firewall, so that only trusted traffic reaches the microservices?

Or do we still have API keys between the API gateway and the microservices?

Or is there a third way? :)

All the articles I’ve read seem to assume that we can trust all traffic entering the microservices.
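One concrete form of the "API keys between the API gateway and the microservices" option from the question, written here as an added example and not code from the original post: instead of a static key that is the same on every request, the gateway signs an identity header with an HMAC key it shares with each service, and the service verifies that header before trusting anything else in the request. The shared key, header names, `/orders/42` path, user names and timestamps are all constructed for the example; a real deployment would load the key from a secrets manager and use a different key per downstream service.

```python
"""Gateway-to-service request authentication with an HMAC-signed identity header.

Added example; assumes the API gateway has already authenticated the end user,
and that the gateway and the "orders" service share a secret out of band.
"""
import hashlib
import hmac
import time

# Constructed key for the example only. Each downstream service should get its
# own key so that one compromised service cannot impersonate the gateway to others.
SERVICE_KEY = b"example-shared-secret-for-orders-service"

MAX_SKEW_SECONDS = 60  # how old a signed request may be before it is rejected

HDR_USER = "X-Gateway-User"  # header names are an assumption of this example
HDR_TS = "X-Gateway-Ts"
HDR_SIG = "X-Gateway-Sig"


def _canonical(user_id: str, method: str, path: str, ts: int) -> bytes:
    # Bind the signature to who, what and when, so a captured header set cannot
    # be replayed against another user, method or path, or long after the fact.
    return f"{user_id}\n{method.upper()}\n{path}\n{ts}".encode()


def sign(key: bytes, user_id: str, method: str, path: str, ts: int) -> str:
    return hmac.new(key, _canonical(user_id, method, path, ts), hashlib.sha256).hexdigest()


def gateway_forward(key: bytes, user_id: str, method: str, path: str, now=None) -> dict:
    """Headers the gateway attaches after it has authenticated the client."""
    ts = int(now if now is not None else time.time())
    return {HDR_USER: user_id, HDR_TS: str(ts), HDR_SIG: sign(key, user_id, method, path, ts)}


def verify_at_service(key: bytes, method: str, path: str, headers: dict, now=None):
    """Run by every microservice before trusting a request. Returns (ok, reason)."""
    now = int(now if now is not None else time.time())
    try:
        user_id = headers[HDR_USER]
        ts = int(headers[HDR_TS])
        sig = headers[HDR_SIG]
    except (KeyError, ValueError):
        # A request that bypassed the gateway arrives with no usable headers.
        return False, "missing or malformed gateway headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale or future-dated request"
    expected = sign(key, user_id, method, path, ts)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    return True, f"authenticated as {user_id}"


def scenarios() -> dict:
    """Constructed traffic: one legitimate request and several bypass attempts."""
    now = 1_700_000_000
    legit = gateway_forward(SERVICE_KEY, "alice", "GET", "/orders/42", now)
    tampered = dict(legit, **{HDR_USER: "bob"})  # reuse alice's signature as bob
    forged = gateway_forward(b"attacker-guess", "alice", "GET", "/orders/42", now)
    check = lambda method, path, hdrs, when: verify_at_service(SERVICE_KEY, method, path, hdrs, when)[0]
    return {
        "via_gateway": check("GET", "/orders/42", legit, now),
        "direct_no_headers": check("GET", "/orders/42", {}, now),
        "tampered_user": check("GET", "/orders/42", tampered, now),
        "forged_key": check("GET", "/orders/42", forged, now),
        "other_method": check("DELETE", "/orders/42", legit, now),
        "replayed_later": check("GET", "/orders/42", legit, now + 600),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18} -> {'accepted' if ok else 'rejected'}")
```

The point of the timestamp and of signing the method and path is that a header set captured from one request is useless for anything except repeating that exact request within a short window; a plain static API key would not give you that. The check still belongs in every service, not only at the gateway, because it is exactly the direct-to-service path in the question that it defends.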

  • RonSijm@programming.dev · 4 points · 16 hours ago

    However, what is stopping a malicious actor from bypassing the API gateway and communicating directly with the microservices? Do we solve this problem using a firewall, so that only trusted traffic reaches the microservices?

    Kind of - sort of

    With this kind of setup, usually you’d put all your microservices inside a VPC. The microservices wouldn’t even be directly accessible from the internet. So it wouldn’t really be a “firewall”, but a NAT gateway.

    Though conceptually a little bit the same. The API gateway is kind of acting as a firewall.