I. Encrypting pod-to-pod communications and restricting external connections
In this section, we show how you can secure a micro-services application without in-depth knowledge of its inner workings.
The pod label project=companystore automatically becomes a tag in Aporeto.
We use this tag to:
- Allow all of the pods that are a part of the application to communicate with each other.
- Encrypt pod-to-pod communications.
- Restrict pod communications outside of the cluster to the minimum necessary.
Importing the external network and network policy definition
We provide a predefined YAML file containing the external networks and network policies. You can use either of the following methods to import it.
If you have apoctl installed, you can use the following command to import the YAML file.
cat <<EOF | apoctl api import -n $APOCTL_NAMESPACE/cluster1/hipster-dev -f -
APIVersion: 0
data:
  externalnetworks:
  - associatedTags:
    - 'ext:network=dns'
    description: all dns
    entries:
    - 0.0.0.0/0
    name: dns
    ports:
    - '53'
    protocols:
    - udp
    - tcp
  - associatedTags:
    - 'ext:network=any'
    description: ' any ip'
    entries:
    - 0.0.0.0/0
    name: internet
    protocols:
    - tcp
    - udp
  - associatedTags:
    - 'ext:network=metadata'
    description: cloud metadata
    entries:
    - 169.254.169.254
    name: metadata
    ports:
    - '80'
    - '443'
  networkaccesspolicies:
  - description: allow outbound cloud metadata
    logsEnabled: true
    name: cloud metadata
    object:
    - - 'ext:network=metadata'
    subject:
    - - project=companystore
  - description: ring fence policy
    encryptionEnabled: true
    logsEnabled: true
    name: company store
    object:
    - - project=companystore
    subject:
    - - project=companystore
  - description: allow dns
    name: dns
    object:
    - - 'ext:network=dns'
    subject:
    - - '\$identity=processingunit'
  - description: hipstershop
    logsEnabled: true
    name: frontend-inbound
    object:
    - - app=frontend
    subject:
    - - 'ext:network=any'
  - description: hipstershop
    logsEnabled: true
    name: outbound-allow
    object:
    - - 'ext:network=any'
    subject:
    - - app=emailservice
identities:
- externalnetwork
- networkaccesspolicy
label: Free Trial
EOF
Skip to Reviewing the results.
Using the Aporeto web interface
Use the following command to download the ringfence.yaml file.
wget https://raw.githubusercontent.com/aporeto-inc/microservices-demo/master/release/ringfence.yaml
In the hipster-dev namespace in the Aporeto web interface, expand Data Management and select Import/Export.
Drag and drop the ringfence.yaml file into the Import window.
Select Import at the bottom to apply the configuration file.
Reviewing the results
In the hipster-dev namespace in the Aporeto web interface, expand Network Authorization and select External Networks to review the external networks you just created.
Expand Network Authorization and select Policies to review the policies. Expand the policy to understand it better. Click the Edit button to understand how network policies can be created from the web interface. Select Cancel to exit.
Do not modify any existing policies until you have finished the tutorial. If you modify any policies, repeat Importing the external network and network policy definition.
Go shopping in the hipster shop and make a fake purchase.
Disable Discovery Mode to enforce the policy that has been created.
Access the application again and confirm you can still shop now that the application is secured.
Select Platform. You will notice some red lines to Somewhere. These lines represent unauthorized data exfiltration from your application, blocked by the network policy we just applied. Notice the connections from the fake attacker (an external source) have turned red, indicating the connections are blocked.
Click on any green line. Observe the allowed communication flows under Access and associated policy under Policies. Notice the lock icon on the green flows indicating that Aporeto has enabled mutual TLS encryption between the pods in the application.
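To see why the flows above end up green (and encrypted) or red, here is an added Python evaluator that models the imported policy; it is not Aporeto's code or part of the tutorial. It assumes Aporeto's subject/object semantics of outer list = OR and inner list = AND of tags, models endpoints as tag sets only (no IP/port matching of external networks), takes the first matching policy, and denies by default; the endpoint names and the attacker pod's tags are constructed for the example.

```python
# Added example, not part of the Aporeto tutorial: a tiny evaluator for the
# subject/object rules of the ring-fence policy imported above.
# Assumptions: a subject/object is a list of clauses (outer list = OR, inner
# list = AND of tags); endpoints are tag sets only (no IP/port matching of
# external networks); first matching policy wins; default deny.
# `$identity` is written `\$identity` in the heredoc only to stop shell expansion.

POLICIES = [  # mirrors the networkaccesspolicies on the page
    {"name": "cloud metadata", "subject": [["project=companystore"]],
     "object": [["ext:network=metadata"]], "encrypt": False},
    {"name": "company store", "subject": [["project=companystore"]],
     "object": [["project=companystore"]], "encrypt": True},
    {"name": "dns", "subject": [["$identity=processingunit"]],
     "object": [["ext:network=dns"]], "encrypt": False},
    {"name": "frontend-inbound", "subject": [["ext:network=any"]],
     "object": [["app=frontend"]], "encrypt": False},
    {"name": "outbound-allow", "subject": [["app=emailservice"]],
     "object": [["ext:network=any"]], "encrypt": False},
]

# Constructed endpoints: pods carry their label tags plus $identity=processingunit;
# the attacker pod deliberately lacks project=companystore.
ENDPOINTS = {
    "frontend": {"$identity=processingunit", "project=companystore", "app=frontend"},
    "cartservice": {"$identity=processingunit", "project=companystore", "app=cartservice"},
    "emailservice": {"$identity=processingunit", "project=companystore", "app=emailservice"},
    "attacker": {"$identity=processingunit", "app=attacker"},
    "internet": {"ext:network=any"},
    "dns": {"ext:network=dns"},
    "metadata": {"ext:network=metadata"},
}

def matches(clauses, tags):
    """True if some clause (an AND of tags) is fully present in the tag set."""
    return any(set(clause) <= tags for clause in clauses)

def evaluate(src, dst):
    """Return (allowed, encrypted, policy_name) for a flow src -> dst by endpoint name."""
    s, d = ENDPOINTS[src], ENDPOINTS[dst]
    for p in POLICIES:
        if matches(p["subject"], s) and matches(p["object"], d):
            return True, p["encrypt"], p["name"]
    return False, False, None  # no policy: blocked (a red line once Discovery Mode is off)

if __name__ == "__main__":
    for flow in [("cartservice", "frontend"), ("internet", "frontend"),
                 ("attacker", "cartservice"), ("frontend", "internet"),
                 ("emailservice", "internet"), ("frontend", "metadata")]:
        print(flow, evaluate(*flow))
```

The frontend pod cannot reach the internet at all (only emailservice may), while the attacker pod still gets DNS because the dns policy's subject is any processing unit, which is the minimum the page's policy grants.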
- You have secured the Hipster Shop.
- You've blocked the attacking pod.
- No IP addresses were used to secure the application.
- The security applied is based on cryptographic identity.