@dsyer Great project / tutorial! Maybe you receive this kind of question a lot, but I still need to ask. Let's say I leverage a microservice architecture where I only expose my API gateway (Zuul in this case) to the outside world. Do we still need to protect our microservices' APIs with this kind of architecture choice? Thanks
That's what @ccit-spence was asking I think. It's up to you. Often there are auditing or business requirements that demand at least identity level security for back ends. But it depends on the application.
@wmfairuz We are still finalizing the approach. I want it to be as simple as possible. One thought is that Zuul uses Spring Security and can access APIs via Ribbon. None of the internal-only APIs would have routes within Zuul. Our platform is within AWS VPCs. The idea for security would be to isolate the APIs via Security Groups.
It is still a work in progress and might change. @dsyer is right about the identity possibly being needed at the API level.