Designing Microservices Platforms with NATS

Product type: Book
Published in: Nov 2021
Publisher: Packt
ISBN-13: 9781801072212
Pages: 356
Edition: 1st Edition
Author: Chanaka Fernando

Table of Contents (15) Chapters

Preface
1. Section 1: The Basics of Microservices Architecture and NATS
2. Chapter 1: Introduction to the Microservice Architecture
3. Chapter 2: Why Is Messaging Important in the Microservice Architecture?
4. Chapter 3: What Is NATS Messaging?
5. Section 2: Building Microservices with NATS
6. Chapter 4: How to Use NATS in a Microservice Architecture
7. Chapter 5: Designing a Microservice Architecture with NATS
8. Chapter 6: A Practical Example of Microservices with NATS
9. Chapter 7: Securing a Microservices Architecture with NATS
10. Chapter 8: Observability with NATS in a Microservices Architecture
11. Section 3: Best Practices and Future Developments
12. Chapter 9: How Microservices and NATS Coexist with Integration Platforms
13. Chapter 10: Future of the Microservice Architecture and NATS
14. Other Books You May Enjoy

Chapter 7: Securing a Microservices Architecture with NATS

Security is no longer an afterthought in information systems design—it is a fundamental requirement of any system that we design today. In a microservices architecture, security becomes increasingly important since it exposes a much larger surface area to consumers (both genuine users and non-genuine users) due to the increased number of independent services that are deployed as microservices. Some traditional security mechanisms used in the enterprise world will not work well in a microservices context. We will discuss the security of microservices by considering the following two traffic flow patterns we have looked at in previous chapters:

  • Security of North-South traffic
  • Security of East-West traffic

In Chapter 6, A Practical Example of Microservices with NATS, we briefly discussed how an application programming interface (API) gateway can provide security features to the microservices for North...

Technical requirements

In this chapter, we will be configuring the NATS server to enable security for client-server and server-server communication. In addition to that, we will implement a few sample applications in the Go programming language to try out client-server communication with security enabled. The following software components need to be installed on your computer to try out the examples mentioned in this chapter:

  • Installation of the NATS server
  • Installation of the Go programming language

The full source code of the examples used in this chapter can be found at https://github.com/PacktPublishing/Designing-Microservices-Platforms-with-NATS/tree/main/chapter7.

Understanding security in the context of a microservices architecture

Microservices architectures encourage decomposing an application into small (in scope), autonomous units that can be managed and deployed independently. If we compare this with a traditional monolithic application, one major difference is that a microservices architecture opens the security of the platform to a wider surface area. In a monolithic application, most of the communication happens within the application itself inside the same server and runtime, hence it does not require any advanced security for internal communication. But in the world of microservices, we need to secure the communication coming into the services (North-South traffic) as well as within the services (East-West traffic). The following diagram depicts this concept of two types of security that need to be handled in a microservices architecture:

Figure 7.1 – Microservice security for North-South and East-West...

Securing external communication

As we discussed in the previous section, OAuth 2.0 is becoming the standard when it comes to securing APIs and microservices. In this section, we will see how we can implement OAuth 2.0-based security for microservices, with a few options that are available.

Implementing security at each microservice level

Given that microservices are developed by autonomous teams, they have the freedom to select the best technology stack for their respective microservices. At the same time, we have discussed that certain things need to be adhered to by all the microservices teams for better governance. Security is one such aspect that different teams need to agree on. It would help the clients of these services to follow a common, standards-based approach to consume these services.

Once the teams have agreed upon a certain approach—let's say, to use OAuth 2.0 as the security protocol to implement microservices—the next step is to implement...

Securing ISC

The security of ISC (East-West) within a microservices architecture needs to complement the security that is applied to North-South communication. One major difference between the security of North-South communication and the security of East-West communication is that the former deals with external systems and applications while the latter deals with internal systems. That allows us to consider options for ISC other than those used for North-South communication.

Given that we use the NATS messaging platform as the intermediate component for ISC, the security implementation will depend on the security capabilities offered by NATS. We discussed the security features available in NATS in Chapter 3, What Is NATS Messaging?, and Chapter 4, How to Use NATS in a Microservices Architecture?, in detail. Let's first discuss how those features fit into the overall microservices security aspect and then implement a couple of options with a few examples using our Out Patient Department ...

Using NATS to secure ISC

In this section, we will learn to secure microservices with the NATS server by configuring the NATS server and implementing code samples to try out different options discussed in the preceding sections.  

Implementing TLS with NATS for microservices

Let's set up a NATS server cluster with TLS and connect to it from our sample code.

Setting up a NATS cluster with TLS

The TLS configuration for the NATS server consists of two separate sections to secure client-server communication as well as server-server communication for clustering. In addition to that, the NATS server monitoring port also needs to be configured for TLS-based security. The steps mentioned next allow you to configure NATS servers with TLS security:

  1. Since we are setting up a test environment, we will use a self-signed certificate to implement TLS security. To create certificates, we will be using the cfssl tool maintained by Cloudflare (https://github.com/cloudflare...
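The three TLS-protected listeners described above (client-server, server-server clustering, and monitoring) look like this in a single node's NATS server configuration file. This is an added example, not the book's own configuration; the certificate paths, ports, cluster name and peer host names are placeholders.

```conf
# Added example for one node of a three-node cluster.
# All paths, ports, names and host names below are placeholders.

# 1. Client-server listener, protected by the top-level tls block
port: 4222
tls {
  cert_file: "/path/to/server-cert.pem"   # this node's certificate (placeholder)
  key_file:  "/path/to/server-key.pem"    # this node's private key (placeholder)
  ca_file:   "/path/to/ca.pem"            # CA that signed the test certificates
  verify:    true                         # clients must present a certificate too
  timeout:   2                            # seconds allowed for the TLS handshake
}

# 2. Server-server (route) listener, protected by its own tls block
cluster {
  name: "example-cluster"
  port: 6222
  tls {
    cert_file: "/path/to/route-cert.pem"  # placeholder
    key_file:  "/path/to/route-key.pem"   # placeholder
    ca_file:   "/path/to/ca.pem"
    timeout:   2
  }
  # The other two nodes of the cluster (placeholder host names)
  routes: [
    "nats-route://node-2.example.internal:6222"
    "nats-route://node-3.example.internal:6222"
  ]
}

# 3. Monitoring endpoint over HTTPS instead of the plain-text http_port.
#    It is served with the certificate from the top-level tls block.
https_port: 8222
```

With a self-signed test CA, every client and every peer node has to trust the same `ca_file`, otherwise the handshake fails before any NATS protocol traffic is exchanged.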

Summary

In this chapter, we discussed how security in microservices can be implemented for both North-South traffic and East-West traffic. We started the chapter by discussing the different approaches we can follow to implement security for the external consumers of microservices. Then, we moved into the topic of ISC and discussed how NATS can be used to implement security for internal communications. Later in the chapter, we configured a three-node NATS server cluster with TLS security for both client-server and server-server communication with self-signed certificates. In the end, we added authentication and authorization on top of TLS, configured the NATS server cluster with additional security, implemented a few Go programs to connect with the NATS cluster, and verified the functionality. You have learned the security aspects of microservices architectures by reading the concepts presented in this chapter as well as by trying out the sample configurations and source code samples...
