About Me

Rohit is an investor, startup advisor and an Application Modernization Scale Specialist working at Google.

Tuesday, June 23, 2015

Microservices Security at the Edge


There are two approaches to Microservices security 

1. Network-centric-approach
Keep the private microservices on an externally unroutable, private shared sub-domain. Private services can only be accessed among themselves and from public microservices. Inbound security is implemented by adding an HAProxy acting as a layer 7 HTTP filter behind the public ELB. Egress security is configured with PCF Application Security Groups.

2. Application-centric-approach
Leverage Spring-cloud-Zuul + spring-security-oauth2 to secure microservices reverse proxied by Zuul. The API calls proxied by Zuul are protected using the OAuth2 protocol. Zuul-proxied APIs can be protected using any security mechanism, not just Spring Security; Spring Security simply makes it easier to protect resources with less boilerplate.

The software-based approach is explained in 
These articles explain how to build an API Gateway to control the authentication and access to the backend resources using Spring Cloud. Please note that when using the application-centric approach, the service endpoints are not blocked; they are protected with the security scheme put in place with Spring. Some clever hacker could still figure out the endpoint of the internal service, bypassing the API Gateway tier; however, since the resources are protected, they will not be able to access anything.
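As an added illustration (not code from this post or from the referenced articles), this is how a backend service in the application-centric approach can be configured as a Spring Security OAuth2 resource server, so that a caller who reaches the service's address directly, skipping the Zuul tier, is still refused without a valid token. The package name, resource id, paths, scopes and the authorization server URL and client credentials are assumptions.

```java
package com.example.accounts; // package name is an assumption

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

/**
 * Backend microservice that normally sits behind Zuul. It is a resource
 * server in its own right: every request must carry a bearer token that the
 * authorization server vouches for, so a client that discovers the service's
 * address and calls it directly still has to present that token.
 */
@Configuration
@EnableResourceServer
public class AccountsResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Validate incoming tokens against the authorization server's
    // check_token endpoint. URL, client id and secret are placeholders.
    @Bean
    public RemoteTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://auth-server:9999/uaa/oauth/check_token");
        services.setClientId("accounts-service");
        services.setClientSecret("accounts-secret");
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Only tokens issued for this resource id are accepted.
        resources.resourceId("accounts").tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Unauthenticated health probe for the platform (e.g. PCF) only.
            .antMatchers("/health").permitAll()
            // Reads need the 'read' scope, writes the 'write' scope; the check
            // applies whether the call came through Zuul or hit the service directly.
            .antMatchers(HttpMethod.GET, "/accounts/**").access("#oauth2.hasScope('read')")
            .antMatchers(HttpMethod.POST, "/accounts/**").access("#oauth2.hasScope('write')")
            .anyRequest().authenticated();
    }
}
```

The gateway must relay the client's bearer token to the backend for legitimate calls to succeed; without it, both the proxied and the direct path receive a 401.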
