Securing the Microservices Mesh With an API Gateway
Security is an essential element of any organization’s API strategy. While API security shares a lot of aspects that are common to both website security and network security, it's also fundamentally different both in terms of usage patterns as well as the unique areas of additional risks that microservices and sidecars are susceptible to. For instance, APIs move the boundary of interaction from the web tier to the backend applications, microservices and data sources directly.
Securing the microservices mesh with an API Gateway is a best practice that API providers and microservices mesh builders can put in place to prevent unauthorized data access, loss of data integrity, or the degradation of the quality of service.
Emerging microservices architectural concepts such as sidecars and platforms to inject sidecars into container pods present DevOps teams with new security challenges to solve as new layers of abstraction are introduced into an already complex system of components and protocols.
The following juxtaposition of open source servicemesh 1.0.1, beta and alpha features compared to version 8.4 of the Akana API Platform clearly illustrates why it is imperative to leverage the features of a mature API Gateway architecture on the edge of the cloud and in the core of the servicemesh for proper authentication, authorization, mediation, and resiliency.
|Microservices mesh of Istio Sidecars||Akana API Platform|
|Deny Checker||1.0.1 Stable||v8.4 Mature Allow and deny rules configurable with a policy administration declarative user interface (UI)|
|List Checker||1.0.1 Stable||v8.4 Mature Allow and deny rules configurable with a policy administration declarative UI|
|Pluggable Key/Cert Support for Istio CA||1.0.1 Stable||v8.4 Mature Integrated Java PKI and HSM keystores.|
|Service-to-service mutual TLS||1.0.1 Stable||v8.4 Mature With the ability to enforce mutual TLS 1.2|
|Kubernetes: Service Credential Distribution||1.0.1 Stable||v8.4 Mature Policy decision point (DB) and policy enforcement point (Gateway) contract management architecture|
|VM: Service Credential Distribution||1.0.1 Beta||v8.4 Mature Policy decision point (DB) and policy enforcement point (Gateway) contract management architecture|
|Mutual TLS Migration||1.0.1 Beta||v8.4 Mature Client certificate management is self service for apps consuming mutual TLS APIs More info: How to implement 2-way SSL|
|Traffic Control: Label/content based routing, traffic shifting||1.0.1 Beta||v8.4 Mature Visual Process Designer to create custom traffic flows using the branch, split, and join process activities|
|Resilience features: Timeouts, retries, connection pools, outlier detection||1.0.1 Beta||v8.4 Mature Resilience features with many QoS policy templates and integrated health status monitoring of a container’s Outgoing HTTP connection pool statistics, Incoming HTTP thread pools, database connection pools, container memory usage, usage monitoring queues, JMS connections, container configuration state, and container lifecycle|
|Gateway: Ingress, egress for all protocols||1.0.1 Beta||v8.4 Mature Protect the microservices mesh layer of the network with a tier of edge DMZ API Gateways, rather than connecting the mesh controller directly to a cloud load balances|
|TLS termination and SNI support in gateways||1.0.1 Beta||v8.4 Mature The API platform's support of SNI means that multiple keys/certificates can be used for one HTTPS endpoint. You can have individual identity keys/certificates per API implementation. Each implementation can use its own key/certificate for its own clients.|
|Authentication policy||1.0.1 Alpha Operators specify Istio authorization policies using .yaml files. Once deployed, Istio saves the policies in the Istio Config Store.||v8.4 Mature Easily link different identity providers and policies to different APIs and application contracts with an integrated Akana OAuth server, Bearer, MAC, JWT, JOSE token support, and easy integration with user directories and OpenID Connect providers. More info: Using the JOSE Security Policy|
|End User (JWT) Authentication||1.0.1 Alpha Istio only supports JWT origin authentication.||v8.4 Mature A key advantage of the Bearer token is that the Resource Server can validate the token, without having to go to the Authorization Server. This is more efficient in terms of performance, especially when the Resource Server and OAuth Provider are different vendors. Signed and Encrypted JWT Tokens are also supported by the Akana API Gateway.|
|OPA Checker||1.0.1 Alpha All policies in OPA are written in Rego policy language (V1)||v8.4 Mature Create authentication domains and policies declaratively with a web browser|
|Authorization (RBAC)||1.0.1 Alpha The RbacConfig object is a mesh-wide singleton with a fixed name value of default. You can only use one RbacConfig instance in the mesh. Like other Istio configuration objects, RbacConfig is defined as a Kubernetes CustomResourceDefinition (CRD) object.||v8.4 Mature The Akana OAuth Authorization service includes such activities as initiating a resource owner grant, authenticating the resource owner with the corresponding resource owner domain, and obtaining the resource owner's authorization for the application's access to the resources, with the specific scopes requested. Calls to this service are always initiated by the resource owner, never by the application. Since the authorization endpoint is only used in three-legged scenarios, these operations are only used by three-legged grant types (Authorization Code and Implicit).|
Additionally, Licenses and Scopes provide authorization functionality to apps and APIs with or without the use of an OAuth token. More info: Authorization server authorization service
|Enabling custom filters in Envoy||1.0.1 Alpha||v8.4 Mature Filtering of protocol headers, path, query parameters, and XML or JSON message parts with XPath, JSONPath, RegEx using policies, or custom processes More info: Using regular expressions in policies|
For additional information on securing the edge API and microservices mesh, download this full white paper by clicking below.