In a monolith, security lives at the perimeter — firewall, WAF, HTTPS. Everything inside is trusted. In microservices the perimeter is everywhere. Every service is a potential attack vector. Zero trust: trust no one, verify everything.
Transport security: mTLS
Mutual TLS — both sides of the communication authenticate with a certificate. Service A verifies service B and vice versa. Encrypted communication + authentication in one. Certificate management is demanding — a service mesh automates it.
API Gateway as a security boundary
An API Gateway (Zuul, Kong, Nginx) is the single entry point. Authentication (OAuth token validation), rate limiting, IP whitelisting, request validation — all in one place. Internal services behind the gateway could get away without validating tokens themselves, but under zero trust they should still verify every request they receive.
Service-to-service authentication
Options: JWT tokens propagated from the gateway, service accounts with client credentials, mTLS certificates. We chose JWT propagation — the gateway validates the user token, adds service claims and forwards to internal services.
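The propagation flow described above, as an added example that is not code from the original post: the gateway validates the user's token, mints a short-lived internal token carrying the user identity plus service claims, and the internal service verifies that token again instead of trusting the gateway blindly. The minimal HS256 JWT built on the Python standard library, the two constructed keys, and the claim, audience and service names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys: the user-token key is what the gateway shares with the
# identity provider; the internal key is shared only between gateway and services.
USER_TOKEN_KEY = b"user-issuer-key-constructed"
INTERNAL_KEY = b"gateway-internal-key-constructed"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Check algorithm, signature, expiry and audience; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64u(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the token's
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def gateway_forward(user_token: str, target_service: str, now=None) -> str:
    """Gateway step: validate the user's token, then mint a short-lived internal
    token that carries the user identity plus service claims for one target."""
    user = verify_jwt(user_token, USER_TOKEN_KEY, audience="api-gateway", now=now)
    t = time.time() if now is None else now
    internal = {"sub": user["sub"], "roles": user.get("roles", []),
                "iss": "api-gateway", "aud": target_service, "exp": t + 60}
    return sign_jwt(internal, INTERNAL_KEY)

def order_service_handle(internal_token: str, now=None) -> dict:
    """Internal service step: re-validate instead of trusting the gateway blindly."""
    return verify_jwt(internal_token, INTERNAL_KEY, audience="order-service", now=now)
```

Because the internal token is bound to one audience and signed with a key the public identity provider never sees, a user token cannot be replayed directly against an internal service, and a token minted for the order service is rejected by any other service.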
Secrets management
Passwords, API keys, certificates — not in code, not in environment variables (visible in docker inspect). HashiCorp Vault for centralized secrets management. Dynamic credentials with automatic rotation.
Network policies
Define which services are allowed to communicate. User service → Order service: yes. User service → Payment service: no (only via Order). Network micro-segmentation.
Security is an architectural decision
Microservices security is not an afterthought — it must be part of the design from the start. mTLS, JWT propagation, secrets management, network policies. Defense in depth.