
AWS API gateway with Kubernetes services


I am trying to learn AWS services, and now it is mainly focused on API Gateway. I understand some benefits of API gateway as listed below.

Still, I am not sure whether we can use API Gateway in front of some Kubernetes services we deployed in EKS. For instance, let's consider these services are some microservices in Spring Boot which respond to HTTP requests and contain some custom authentication/authorization mechanism using Spring Security.

Do we really need an API Gateway endpoint in front of such services? Also, I would like to know what the standard/preferred way is to create an infrastructure in AWS for such services.


Solution

  • Short answer is: no, you don't have to but you probably should.

    Usually, EKS would be deployed in a private VPC and, even if you can make it public in other ways, a VPC link from the API gateway and network/application load balancer is probably the safest way.

    Imagine the case where someone deploys an insecure service in EKS. If you expose the cluster, you risk having security issues. Again, there are ways to secure the Kubernetes cluster for those cases as well. It would also facilitate SSL (in addition to the feature you already listed).

    I would say that the best practice in AWS would be to use API gateway for authentication and your microservices as resources where you check the auth (in Cognito, for example).

    That being said, that would make your project AWS dependent.

    An alternative would be to implement your own gateway and security in your Kubernetes cluster, which could be done with a service mesh like Istio or similar.

    In any case, don't do security at the services level only. You can never assume that all services will be secured.
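
The answer's concern, that one insecurely deployed service can expose the cluster around the gateway, can be checked mechanically. The following is an added example, not part of the original answer: it scans Service objects for entry points other than an internal load balancer. It assumes a policy that every `LoadBalancer` Service must be explicitly annotated as internal; the service names and namespaces in the sample are constructed.

```python
import json

# Annotation keys read by the in-tree AWS cloud provider and by the
# AWS Load Balancer Controller, respectively.
LEGACY_INTERNAL = "service.beta.kubernetes.io/aws-load-balancer-internal"
LBC_SCHEME = "service.beta.kubernetes.io/aws-load-balancer-scheme"


def is_explicitly_internal(annotations):
    """True only when the manifest itself pins the load balancer inside the VPC."""
    scheme = annotations.get(LBC_SCHEME)
    if scheme is not None:  # an explicit scheme wins over the legacy key
        return scheme.strip().lower() == "internal"
    return annotations.get(LEGACY_INTERNAL, "").strip().lower() == "true"


def find_bypasses(service_list):
    """Return (namespace/name, reason) for Services that open a path into the
    cluster other than an internal load balancer (the VPC link target)."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        annotations = meta.get("annotations") or {}
        if spec.get("type") == "LoadBalancer" and not is_explicitly_internal(annotations):
            findings.append((name, "LoadBalancer not explicitly internal"))
        if spec.get("externalIPs"):
            findings.append((name, "externalIPs set"))
    return findings


# Constructed sample in the shape of `kubectl get svc -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "orders"}, "spec": {"type": "ClusterIP"}},
 {"metadata": {"namespace": "shop", "name": "edge-nlb", "annotations": {"service.beta.kubernetes.io/aws-load-balancer-scheme": "internal"}}, "spec": {"type": "LoadBalancer"}},
 {"metadata": {"namespace": "dev", "name": "debug-ui"}, "spec": {"type": "LoadBalancer"}},
 {"metadata": {"namespace": "shop", "name": "legacy-nlb", "annotations": {"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}}, "spec": {"type": "LoadBalancer"}},
 {"metadata": {"namespace": "shop", "name": "public-api", "annotations": {"service.beta.kubernetes.io/aws-load-balancer-scheme": "internet-facing"}}, "spec": {"type": "LoadBalancer"}}
]}
""")

if __name__ == "__main__":
    for name, reason in find_bypasses(SAMPLE):
        print(f"{name}: {reason}")
```

Run against real `kubectl get svc -A -o json` output in CI or on a schedule, an empty result means no Service has been given its own load balancer or external IP outside the internal one the gateway uses.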