1
votes

I am having doubts about how to secure my microservices application with SSL.

A quick situation sketch:

I have an Amazon EC2 instance with a load balancer in front. On the EC2 instance I am running 5 microservices with a registry and a gateway application (in a VPC). The load balancer uses a certificate from the Amazon Certificate Manager. I also have a self-signed certificate generated with keytool.

Now the question I am having is: should I only configure the self-signed certificate for my gateway application and register the self-signed certificate with the load balancer as a trusted certificate, or should I configure the self-signed certificate for every microservice as well?

Regards,

Mark B: What is the gateway application exactly? Your question is not clear.

Michael - sqlbot: This can't be answered without a better understanding of your internal architecture, as noted above. Depending on what a "gateway application" does, you may be able to do what it is doing with an Application Load Balancer (possibly with the addition of AWS Web Application Firewall to the ALB), eliminating points of failure and enabling better/easier scalability for your microservices. There is also a question of whether you actually require HTTPS between balancer and microservices, or if browser to balancer is sufficient (the usual reason both would be needed is compliance, not technical).

Arno_Geismar: @Michael-sqlbot the gateway application is a Spring Boot / AngularJS application that serves as an interaction point for the user. All the requests a user does implicitly through this application get routed to a service discovery which balances the request to a specific microservice that can handle it. The microservices are all in the same VPC. So indeed maybe it could be enough to only use SSL between browser and load balancer which is in front of all this.

1 Answer

0
votes

You want to have microservices exposed to the end user, and secured with HTTPS.

If you want security, please don't use self-signed certificates. Let's Encrypt is a much better option.

You can use API Gateway for that, it goes with HTTPS. It may be a single endpoint for all your services - then directories can lead to different services. On the other hand, if all that runs on a single machine, I would use a single JVM... But that is a different story.

The other option is more unclear. According to the comments - not only for me. If your microservices are exposed to the internet - you can terminate HTTPS on your load balancers. What I don't get is that >>my gateway application<<. It looks like there is something in between the end user and the microservices... If that is true then HTTPS should be terminated somewhere there.

As a side note - I have no idea why you have a load balancer in front of an EC2 instance. Usually an LB is used in front of an auto scaling group to spread load among its instances. If you want to automate that - Elastic Beanstalk is a good option.
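To make the two trust relationships in the question concrete, here is an added example in Terraform, written for this page and not taken from the question, the answer, or any AWS material: an Application Load Balancer that presents the ACM certificate to browsers and forwards to the gateway application over TLS. Every ARN, subnet, VPC and instance ID is a placeholder, and the `/actuator/health` path is an assumed Spring Boot health endpoint. Two points it encodes that the thread leaves implicit: the ALB encrypts to an HTTPS target but does not validate the target's certificate, so a keytool self-signed certificate on the gateway needs no "registration" with the load balancer; and the gateway's security group admits only the ALB, so the self-signed certificate is never shown to an end user. Whether the microservices behind the gateway also need TLS is a separate, VPC-internal decision that this configuration does not make.

```hcl
# Added example (not code from the question or the answer). Replace every
# PLACEHOLDER value before use.

variable "vpc_id"              { default = "vpc-PLACEHOLDER" }
variable "public_subnet_ids"   { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }
variable "gateway_instance_id" { default = "i-PLACEHOLDER" }
# Certificate issued or imported in AWS Certificate Manager for the public hostname.
variable "acm_certificate_arn" { default = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER" }

# Only the load balancer is reachable from the internet.
resource "aws_security_group" "alb" {
  name   = "gateway-alb"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The gateway instance accepts traffic only from the ALB's security group,
# so the self-signed certificate on port 8443 is never offered to a browser.
resource "aws_security_group" "gateway" {
  name   = "gateway-app"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 8443
    to_port         = 8443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "gateway" {
  name               = "gateway-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnet_ids
}

# Second hop: ALB -> gateway. The ALB encrypts to an HTTPS target but does not
# validate the target's certificate, so the keytool self-signed cert works here
# without being registered anywhere. For plaintext inside the VPC (the option
# the answer mentions) set protocol = "HTTP" and port = 8080 on both resources.
resource "aws_lb_target_group" "gateway" {
  name     = "gateway-tg"
  port     = 8443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/actuator/health" # assumed Spring Boot Actuator endpoint
    matcher  = "200"
  }
}

resource "aws_lb_target_group_attachment" "gateway" {
  target_group_arn = aws_lb_target_group.gateway.arn
  target_id        = var.gateway_instance_id
  port             = 8443
}

# First hop: browser -> ALB, using the ACM certificate. Browsers trust it because
# it chains to a public CA; a self-signed cert here would warn every user.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.gateway.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.gateway.arn
  }
}

# Plain HTTP is redirected to HTTPS, never served.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.gateway.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

With this layout the gateway's self-signed certificate only ever protects the ALB-to-gateway hop inside the VPC, where the ALB does not check it, so its trust properties do not matter to end users; the certificate users actually verify is the ACM one on the listener. Because the ALB forwards to a single target group, a self-signed certificate on each individual microservice would only be relevant to gateway-to-service calls, which never pass through the load balancer in the architecture described.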