I’m currently faced with the problem of securing my services so that only the API gateway (or any other authorized services like aggregators, e.t.c) can directly access it. I’m using the express-gateway framework to bootstrap my API gateway for the NodeJs powered services. The gateway is supposed to handle the authentication for the whole system and serve as a proxy between authorized requests and the services. Currently, I can’t find anything in the docs that provide such functionality to provide some sort of auth between the services and the gateway. Right now, the microservices are open to external use by any client who knows the URL (or port) of the microservice thereby bypassing the gateway which should handle auth and the like.
I’ve done some research and one possible solution to the problem restrict service access to only the IP of the gateway. But in terms of scalability, the number of instances of gateways deployed might change and so new IPs can be added. So this way out seem faulty. I’ve also read about creating private IPs (or network) for the services but I can’t seem to figure out how that can help.
The plan is to deploy the instances of the microservices here on Digital Ocean while using Kubernetes to orchestrate the whole system. Hope that gives some context of the production environment. I would appreciate any help or solution out of this problem. Also, if there are some issues with my architecture, please let me know. Thanks a lot.