
So, let's say I have a standard setup for an application, that is:
- split into microservices,
- running in a cluster (Kubernetes or Docker Swarm; I guess the specific implementation does not matter, just the main idea),
- there's an API gateway that faces the internet and authenticates all the incoming external requests.

So far, so good. Now, what to do with communication between services?

Do I need to encrypt communication between microservices in the same cluster, and do I need to perform authentication/authorization between them, or should I trust the cluster's networking, so that doing this would be unneeded redundancy?

Giedrius

1 Answer

It depends: what are they actually doing?

If you’re handling health or banking records, you should probably secure the communications since there is usually a legal requirement to do so.

If you’re pushing around cat videos, maybe not.

But one thing to consider is that having the security in place makes it way easier to handle georedundancy and other sorts of disaster recovery scenarios, which will force your microservices to not be colocated.

Telastyn