Security between microservices

Question

I have two microservices, for example, A and B. The microservice B has the rest enpoint that must be accessible only from the microservice A. How can I limit access between microservices? What is the best practice if at all possible?

I'm using spring cloud security (oauth2, jwt).

Answer 1

This is a networking issue. Simply restrict access to micro service B at a network level. This can be easily done if using Docker for example. You would just not publicly expose the relevant port for micro service B but expose it on a specific network then have micro service join that network.

You could use public/private keys if you wanted to add extra security. Alternatively, it would be simpler to generate a JWT for application A and validate it in micro service B but as you add more micro services this has more management overhead.

Alternatively, you should look into an API Gateway which can handle API access for you

Answer 2

Have another microservice that's not so much responsible for a business problem, but for a non-functional business problem : security.

This microservice is logical (as all microservices should be logically responsible for a business problem) and isn't deployed on its own, but rather deployed with other microservices. Then build a proper API that both microservice A and B are aware of and are mandatory to execute, before accepting any calls or executing calls.

Where other microservices should be part of some business related boundary (bounded context, if you will) the security microservice is within the boundary of a non-functional requirement. You could call this IT/Ops or Devops or something.