I have a microservice architecture like the one below:

  1. Spring Cloud Config Server has all the configuration for all the services.
  2. Eureka Server registers each service and holds the information about all client-service applications.
  3. Zuul Gateway Server provides a single point for accessing all the services.
  4. OAuth2 Server authenticates and generates the token for accessing the protected services.
  5. Services A, B and C expose the REST endpoints that are called by the client app. All these services are protected as resource servers and should be accessed with a token generated by authenticating with the OAuth2 Server.

My question is regarding the Spring Cloud Config Server, Eureka Server and Zuul Gateway Server. Should these services be protected like Services A, B and C? If not, how do we secure them?

I am having a hard time understanding how it will work if I secure the configuration server as a protected resource, because if I make it a protected resource, the Eureka server, the gateway server and all the other services depend on the configuration of the configuration server.

I would appreciate any help from you guys.

Regards.

  • 1
    As a first measure you could make it so the config server is only accessible on your internal network. If you were to actually secure the config server, it would come down to 'where do I hide the secrets to get my config'... and then how do I secure that location. This Stack Overflow question kind of 'hardcodes' the secrets and lets the user come up with the solution: https://stackoverflow.com/questions/29605201/how-to-secure-spring-cloud-config-server Sorry I can't be of more help. – TJReinert Apr 19 '20 at 16:29
  • 1
    First you should know which microservices will be exposed outside. As large companies have implemented their microservices, they keep several instances of the Gateway service; this is the only service that will be exposed, and it should be configured/protected with security properly. The other microservices should be accessible only on your internal network in order to communicate with each other internally. Just make sure that your microservices are not exposed directly but through the Gateway. – Jonathan JOhx Apr 19 '20 at 16:34

1 Answer

Whether or not you protect these resources depends on your deployment architecture and security requirements.

Generally, the Zuul Gateway Server service is available on an external network, while the Spring Cloud Config Server and Eureka Server services are only available on a secure network.

Each microservice in the microservice architecture must be responsible for its own security, i.e. each service must have security enabled.

Access to each microservice must be obtained through the authorization and authentication service.

Thus, there is no need to enable the protection of the Zuul Gateway Server and it becomes a dumb proxy.

But if necessary, each of these services can have protection enabled:

V. Mokrecov
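
One way to resolve the bootstrap problem raised in the question, shown as an added configuration example that is not part of the original answer: the config server requires HTTP Basic credentials, and each client carries only those credentials, taken from its environment, in `bootstrap.yml`. The hostnames, ports, the `service-a` name and the `CONFIG_*`/`EUREKA_*` environment variable names are assumptions.

```yaml
# Added example; hostnames, ports and environment variable names are assumed.

# --- Config Server: application.yml ---
# With spring-boot-starter-security on the classpath, the server requires
# authentication (HTTP Basic) with these credentials on its endpoints.
spring:
  security:
    user:
      name: ${CONFIG_USER}
      password: ${CONFIG_PASSWORD}   # injected at deploy time, never committed
---
# --- Every config client (Eureka, Zuul, Services A/B/C): bootstrap.yml ---
# Only the credentials needed to reach the config server live outside it;
# everything else is fetched from it after authenticating.
spring:
  application:
    name: service-a                  # assumed service name
  cloud:
    config:
      uri: http://config.internal:8888
      username: ${CONFIG_USER}
      password: ${CONFIG_PASSWORD}
      fail-fast: true                # refuse to start without its configuration
---
# --- Shared client configuration served by the config server ---
# Credentials embedded in the URL make the Eureka client send HTTP Basic
# when it registers and fetches the registry.
eureka:
  client:
    service-url:
      defaultZone: http://${EUREKA_USER}:${EUREKA_PASSWORD}@eureka.internal:8761/eureka/
```

If the Eureka server itself is put behind Spring Security, CSRF checking has to be disabled for its `/eureka/**` endpoints, because Eureka clients do not send a CSRF token.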