Monolithic applications have less surface area than microservices; microservices, however, are distributed systems by nature. Also, in principle, microservices are isolated from each other; hence, well-implemented microservices are more secure than monolithic applications. A monolith has different attack vectors from microservices. The microservice architecture style forces us to think differently about security. However, let me tell you upfront: microservice security is a complex domain to understand and implement.
Before we dive deep into microservice security, let's understand our approach toward it. We will focus on how authentication and authorization (collectively referred to as auth for the rest of this chapter) work and on the options available within the .NET ecosystem.
We will explore Azure API Management and its suitability as an API gateway for .NET-based microservice environments; we'll also see how Azure API Management can help us protect microservices through its security features. Then, we'll briefly touch on various peripheral aspects that provide defense-in-depth mechanisms for microservice security. We will also discuss the following topics:
- Why are form authentication and older techniques not sufficient?
- Authentication and the available options, including OpenID and Azure Active Directory
- Introducing OAuth 2.0
- Introducing Azure API Management as an API gateway
- Using Azure API Management for security
- Interservice communication security approaches
- Container security and other peripheral security aspects