
I'm aiming at applying an API pattern, as described for instance at https://medium.com/design-microservices-architecture-with-patterns/api-gateway-pattern-8ed0ddfce9df

As it mentions, "since API Gateway handle client request in centralized placed, its best practice to implement cross cutting functionality on the API Gateways" such as authentication and authorization.

I'm wondering about MITM attacks.

We can make sure microservices are only called by the gateway by whitelisting only the gateway IP; that would be network-level safety. But I think this network-level protection shouldn't exclude application-level protection. Only another security measure at the application level (mutual TLS?) would protect the microservices from MITM attacks.

So, in conclusion, for a most-perfectly-safe application platform, is the API offloading pattern really recommended? And if MITM is a real risk, then what's best to add to the pattern to make it really safe?

zg2pro
  • Microservices are communicating in the private network, which means there is no chance to exploit a MITM attack between the API G/W and other microservices. The private network is a trust zone, so they even communicate via HTTP, not HTTPS. – JK Park Sep 23 '22 at 13:47
  • Hi @JKPark. The thing is, because some customers want to keep control of some of their secrets, we have a kind of special structure. Often our components are deployed on-premise, and it even occurs that the gateway and some components will be hosted on one machine. So in my case I can't rely on a "private network" assumption. Any advice then on the path to follow? – zg2pro Sep 27 '22 at 11:26
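The mutual-TLS measure the question reaches for, as an added example that is not part of the original post: a microservice completes the TLS handshake only with callers holding a certificate issued by an internal CA, so a host that merely shares the network (or spoofs the whitelisted gateway IP) is refused before any request is read. The CA and service names (`internal-ca`, `orders-service`, `api-gateway`) and the in-process PKI are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue mints a short-lived cert for cn (constructed test PKI, not production code): a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer given: the CA signs itself
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// RunScenario starts a microservice requiring mTLS and reports whether the gateway's CA-issued cert is accepted and a caller with no cert is refused.
func RunScenario() (gatewayOK, anonymousRejected bool) {
	ca := issue("internal-ca", nil)
	pool := x509.NewCertPool() // the internal CA is the only trust anchor, in both directions
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ // microservice side: present its own cert, demand a CA-issued client cert
		Certificates: []tls.Certificate{issue("orders-service", &ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool,
	}
	srv.StartTLS()
	defer srv.Close()
	call := func(certs ...tls.Certificate) bool { // caller side: pin the internal CA, offer certs
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs}}}
		_, err := c.Get(srv.URL) // the handler sends an empty body, so there is nothing to drain
		return err == nil
	}
	return call(issue("api-gateway", &ca)), !call()
}
```

RunScenario returns (true, true): the gateway's request is served, while the certificate-less caller is rejected during the handshake, independent of any IP whitelist.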

0 Answers