Your microservices mesh — or service mesh for short — helps you control applications. But all too often, the microservices mesh can be vulnerable to security risks, especially if you're using a microservices mesh like Istio.
In this blog, we share why securing the microservices mesh is important and how to do it.
A microservices mesh is an infrastructure layer that handles communication in microservices architecture. Using a microservices mesh makes it easy to control how applications share information with one another.
Securing the microservices mesh is important to protect your data. And the best way to secure the microservices mesh is to use an API gateway. This ensures you can prevent unauthorized data access, loss of data integrity, or degradation of the quality of service.
Security is an essential element of any organization's API strategy. API security shares many aspects with both website security and network security.
But it's also fundamentally different in terms of:
For instance, APIs move the boundary of interaction from the web tier to the backend applications, microservices, and data sources directly.
Emerging microservices architectural concepts create new security challenges for DevOps teams. This includes concepts such as sidecars and platforms to inject sidecars into container pods. That's because new layers of abstraction are introduced into an already complex system of components and protocols. This is especially critical for emerging technologies like Kubernetes.
Securing the Edge API and Microservices Mesh
Learn how to build a strong API security strategy. Get our white paper to learn how to secure the edge API and microservices mesh.
📕 GET THE WHITE PAPER
Using an API gateway is the best way to secure the microservices mesh. And the best API gateway to do it? That's the Akana API gateway.
In the table below, we show how the Akana API platform can be used to secure the microservices mesh of Istio sidecars.
Comparison columns: Microservices Mesh of Istio Sidecars (version 1.0.1, Alpha) and Akana API Platform (v8.4, Mature).

Akana v8.4 (Mature): Allow and deny rules configurable with a policy administration declarative user interface (UI).

Akana v8.4 (Mature): Allow and deny rules configurable with a policy administration declarative UI.

Pluggable Key/Cert Support for Istio CA
  Akana v8.4 (Mature): Integrated Java PKI and HSM keystores.

Service-to-service mutual TLS
  Akana v8.4 (Mature): With the ability to enforce mutual TLS 1.2.

Kubernetes: Service Credential Distribution
  Akana v8.4 (Mature): Policy decision point (DB) and policy enforcement point (gateway) contract management architecture.

VM: Service Credential Distribution

Mutual TLS Migration
  Akana v8.4 (Mature): Client certificate management is self-service for apps consuming mutual TLS APIs. More info: How to implement 2-way SSL.

Traffic Control: Label/content based routing, traffic shifting
  Akana v8.4 (Mature): Visual Process Designer to create custom traffic flows using the branch, split, and join process activities.

Resilience features: Timeouts, retries, connection pools, outlier detection
  Akana v8.4 (Mature): Resilience features with many QoS policy templates and integrated health status monitoring of a container's outgoing HTTP connection pool statistics, incoming HTTP thread pools, database connection pools, container memory usage, usage monitoring queues, JMS connections, container configuration state, and container lifecycle.

Gateway: Ingress, egress for all protocols
  Akana v8.4 (Mature): Protect the microservices mesh layer of the network with a tier of edge DMZ API gateways, rather than connecting the mesh controller directly to a cloud load balancer.

TLS termination and SNI support in gateways
  Akana v8.4 (Mature): The API platform's support of SNI means that multiple keys/certificates can be used for one HTTPS endpoint. You can have individual identity keys/certificates per API implementation. Each implementation can use its own key/certificate for its own clients.

  Istio 1.0.1 (Alpha): Operators specify Istio authorization policies using .yaml files. Once deployed, Istio saves the policies in the Istio Config Store.
  Akana v8.4 (Mature): Easily link different identity providers and policies to different APIs and application contracts with an integrated Akana OAuth server; Bearer, MAC, JWT, and JOSE token support; and easy integration with user directories and OpenID Connect providers. More info: Using the JOSE Security Policy.

End User (JWT) Authentication
  Istio 1.0.1 (Alpha): Istio only supports JWT origin authentication.
  Akana v8.4 (Mature): A key advantage of the Bearer token is that the Resource Server can validate the token without having to go to the Authorization Server. This is more efficient in terms of performance, especially when the Resource Server and OAuth Provider are different vendors. Signed and encrypted JWT tokens are also supported by the Akana API Gateway.

  Istio 1.0.1 (Alpha): All policies in OPA are written in the Rego policy language (V1).
  Akana v8.4 (Mature): Create authentication domains and policies declaratively with a web browser.

  Istio 1.0.1 (Alpha): The RbacConfig object is a mesh-wide singleton with a fixed name value of default. You can only use one RbacConfig instance in the mesh. Like other Istio configuration objects, RbacConfig is defined as a Kubernetes CustomResourceDefinition (CRD) object.
  Akana v8.4 (Mature): The Akana OAuth Authorization service includes such activities as initiating a resource owner grant, authenticating the resource owner with the corresponding resource owner domain, and obtaining the resource owner's authorization for the application's access to the resources, with the specific scopes requested. Calls to this service are always initiated by the resource owner, never by the application. Since the authorization endpoint is only used in three-legged scenarios, these operations are only used by three-legged grant types (Authorization Code and Implicit). Additionally, Licenses and Scopes provide authorization functionality to apps and APIs with or without the use of an OAuth token. More info: Authorization server authorization service.

Enabling custom filters in Envoy
  Akana v8.4 (Mature): Filtering of protocol headers, path, query parameters, and XML or JSON message parts with XPath, JSONPath, or RegEx, using policies or custom processes. More info: Using regular expressions in policies.
*This table compares open source service mesh 1.0.1 beta and alpha features with version 8.4 of the Akana API Platform. This clearly illustrates why it is imperative to leverage the features of a mature API gateway architecture on the edge of the cloud and in the core of the service mesh for proper authentication, authorization, mediation, and resiliency.
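The End User (JWT) Authentication row above makes the point that a resource server (here, the gateway) can validate a Bearer JWT locally without a round trip to the authorization server. The following is an added example, not code from the post or from Akana's platform: it mints an HS256 token with a shared secret on the authorization-server side and then, on the resource-server side, verifies the signature with the algorithm pinned, plus issuer, audience, expiry, and not-before. The secret, issuer URL, audience and claim values are constructed sample data; with RS256 the verification step would use the authorization server's published public key instead of the shared secret.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, secret: bytes) -> str:
    """Authorization-server side: mint a compact HS256 JWT over the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side: validate locally, no round trip to the authorization server."""
    try:
        h64, c64, s64 = token.split(".")
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm rather than trusting the header: rejects alg=none and key confusion.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))  # parse claims only after the signature checks out
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):  # a token without exp is treated as expired
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims

def demo() -> dict:
    """Constructed sample: mint a token as the AS, then validate it as the resource server."""
    secret = b"constructed-demo-secret"  # shared out of band in a real deployment
    token = issue_jwt({"iss": "https://as.example", "aud": "orders-api", "sub": "app-42",
                       "scope": "orders:read", "exp": int(time.time()) + 300}, secret)
    return verify_jwt(token, secret, "https://as.example", "orders-api")
```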
The Akana API gateway makes it easy to secure the microservices mesh.
With the Akana API gateway, you gain:
You can deploy the Akana API gateway across multiple clouds, and you can use it alongside technologies like Istio and Kubernetes.
Plus, Akana comes with built-in security policies that you can apply fast. This includes OAuth and JWT.
In fact, the strength of the Akana API gateway is why a Fortune 500 company chose Akana. Read the case study >>
See for yourself why the Akana API gateway is the best choice to secure the microservices mesh. Get started with your free 6-month trial.
API Security & Integration Architecture, Akana
Ryan Bagnulo has implemented API integration, security, and privacy solutions for hundreds of global transactional systems over the past two decades, with deep technical experience in investment banking high-performance grid computing as well as connected electronic medical devices and international regulatory compliance. Ryan was the first chief security officer and the head of Solution Architecture for Joyent, a container-focused cloud IaaS startup, in 2010, and has worked with a number of Silicon Valley startups on cloud API, IoT, and microservices innovations.