
Microservices internal communication


I'm learning APIs with a microservices architecture. Here is a small description of the setup:

  • I've two microservice applications and an API gateway.
  • All the applications, including the API gateway, are Node.js Express apps.
  • Auth logic - JWT, handled on the API gateway.
  • Each incoming API gateway request is passed to the relevant microservice application using http-proxy.
  • It also passes the user info as a proxy header.

Client request flow:
The client requests API1 from microservice1 with a JWT token, which is authenticated at the API gateway, and then the information is served from microservice1. This is fine.
But I've one private API2 which should not be allowed from the client side. Only internal applications can use it, but it should be callable as a result of another request from the client side.

e.g.

client request -> /API/Gateway1 (has JWT)
/API/Gateway1 -> API1 (has valid user)
API1 -> /API/Gateway2 (has valid user)
/API/Gateway2 -> API2 (has valid user)

Question:
How can I protect API2 from the client side? What if the client fakes the valid user header?


Solution

  • What you want to do is prevent API2 from accepting outside traffic. There are a number of ways you can do this, for example:

    1. White-list a set of IP addresses that correspond to the possible IP addresses of API1
    2. Put all your APIs in a VPN and only expose API1 to public traffic
    3. Create some internal auth strategy, such as having API1 sign requests to API2 with some secret key.