Zero-trust managed security for services with Traffic Director
Stewart Reichling
Product Manager, Traffic Director
Anoosh Saboori
Group Product Management Lead
We created Traffic Director to bring to you a fully managed service mesh product that includes load balancing, traffic management and service discovery. And now, we’re happy to announce the availability of a fully-managed zero-trust security solution using Traffic Director with Google Kubernetes Engine (GKE) and Certificate Authority (CA) Service.
When platform administrators and security professionals think about modernizing their applications with a forward-looking security posture, they look for "zero-trust" security. This security posture is built on a few fundamental building blocks:
A means of allocating and asserting service identity (for example, using X.509 certificates)
Mutual authentication (mTLS) or server authentication (TLS)
Encryption for all traffic flows (TLS encryption)
Authorization checks and minimal privileges
Infrastructure to make all of the above manageable and reliable
Traffic Director does this by integrating with CA Service, a highly available private CA which issues private certificates expressing service identities, and provides a managed mTLS certificate infrastructure with full certificate lifecycle management. Together, these solve both certificate issuance and CA rotation complexities.
With Traffic Director managing your service-to-service security, you can now enjoy end-to-end encryption, service-level authentication and granular authorization policies for your service mesh.
With this new capability, you can now:
Implement mutual TLS (mTLS) and TLS between your services, including certificate lifecycle management. Communications within your mesh are authenticated and encrypted.
Enable identity-based authorization, as well as authorization based on other parameters (such as the request method). These concepts underpin role-based access control (RBAC) and enable you to take a "least privilege" stance where only authorized services can communicate with each other, based on ALLOW/DENY rules.
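One way to express the identity- and method-based ALLOW rule described above, as an added example that is not part of the original post and not Google's own sample: the AuthorizationPolicy field layout and the SPIFFE principal format follow Traffic Director's network security API as we understand them, and the project ID, namespace, service account name and port are placeholders.

```yaml
# Added example, not from the original post. The resource layout and the
# spiffe:// principal format are assumed from Traffic Director's network
# security API; PROJECT_ID, namespace, service account and port are
# placeholders to be replaced with your own values.
#
# Import with (Traffic Director policies live in the global location):
#   gcloud network-security authorization-policies import frontend-to-backend \
#       --source=authz-policy.yaml --location=global
#
# ALLOW semantics: a request is admitted only if it matches at least one
# rule; everything else is denied. That default-deny behaviour is what gives
# the "least privilege" posture. A rule with no sources constraint would
# admit every peer that can complete mTLS, so always scope the caller.
action: ALLOW
rules:
- sources:
  # Workload identity of the caller, asserted by the mTLS client certificate
  # that CA Service issued to it. Only the frontend service account may call.
  - principals:
    - "spiffe://PROJECT_ID.svc.id.goog/ns/default/sa/frontend-sa"
  destinations:
  # Limit what that caller may do: read-only HTTP methods on the API port.
  # A second rule would be needed to grant, say, POST to a different caller.
  - hosts:
    - "*"
    ports:
    - 8080
    methods:
    - GET
    - HEAD
```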
mTLS is supported whether you're using Envoy or proxyless gRPC for your service mesh. Authorization support for proxyless gRPC is coming later this year. Check out our documentation to learn more and get started with Envoy or proxyless gRPC.