mTLS (Mutual TLS) requires both client and server to present a certificate, so that each side authenticates the other; this two-way authentication is essential in zero-trust microservice environments.
Standard TLS: only the client verifies the server's certificate (one-way TLS); the server learns nothing about the client's identity at the TLS layer.
mTLS (Mutual TLS): both the server AND the client present a certificate and verify each other — ensuring both parties are who they claim to be. In microservices: when service A calls service B, mTLS ensures that B only accepts requests from authorized services, and A knows it is talking to the real B.
Why mTLS is needed in microservices: zero-trust networking, meaning no internal traffic is trusted simply because it is on the private network; it prevents a rogue service from impersonating another, since a caller needs a certificate issued by the trusted CA and not merely network access; and it provides service-level authentication (the calling workload is identified, not the end user).
Implementation: each service holds a certificate issued by an internal CA (Certificate Authority); on Kubernetes, SPIFFE/SPIRE can issue and rotate workload certificates automatically. Service meshes (Istio, Linkerd) implement mTLS automatically in the sidecar proxy, so developers do not need to handle TLS in application code.
Drawbacks: certificate management is complex; slightly higher performance overhead than one-way TLS due to the additional certificate verification.
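The service-A-to-service-B handshake described above, as an added example that is not code from this page or from Istio, Linkerd or SPIRE: an in-process stand-in for the internal CA issues Ed25519 certificates, service B demands a client certificate that chains to that CA, and a certificate for the same name from an untrusted issuer fails the handshake in either direction. The names `internal-ca`, `service-a` and `service-b` are constructed, and a loopback listener stands in for the cluster network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue mints an Ed25519 cert named name (CN and DNS SAN), signed by ca (a self-signed root when ca == nil); it stands in for the internal CA / SPIRE.
func issue(name string, ca *tls.Certificate) *tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if ca == nil { // root CA: the cert is its own issuer and may sign other certs
		tmpl.IsCA, tmpl.KeyUsage, ca = true, x509.KeyUsageCertSign, &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, pub, ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// call runs one A->B handshake over loopback: B completes it only for a client cert chaining to ca, and A only for a server cert from ca that carries B's name.
func call(ca, server, client *tls.Certificate) (caller string, err error) {
	pool := x509.NewCertPool() // the trust anchor both sides share: the internal CA
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: pool, MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert} // the mTLS switch; the default NoClientCert is one-way TLS
	cliCfg := &tls.Config{Certificates: []tls.Certificate{*client}, RootCAs: pool, MinVersion: tls.VersionTLS13, ServerName: server.Leaf.DNSNames[0]} // A checks B's cert against the name it expects, not the IP
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback stands in for the cluster network
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // A dials B in the background; B's handshake verdict is what we report
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err == nil {
		srv := tls.Server(raw, srvCfg)
		defer srv.Close()
		if err = srv.Handshake(); err == nil { // fails unless A presented a cert that chains to ca
			caller = srv.ConnectionState().PeerCertificates[0].DNSNames[0] // constructed certs always carry one SAN
		}
	}
	return caller, err
}
```

With `ca := issue("internal-ca", nil)`, `call(ca, issue("service-b", ca), issue("service-a", ca))` returns `"service-a"`; swapping in a `service-a` or `service-b` certificate minted by a different root makes the handshake fail, which is the impersonation case one-way TLS cannot catch.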