A better future for securing micro-services

The Project Calico development team was out in force at CoreOS Fest meeting a ton of great people and listening to some very interesting talks.  In case you missed it, I gave a talk called “Securing Micro-services with a Distributed Firewall,” which includes a demo of Kubernetes with Calico providing per-pod network security.  Take a look at the embedded video for the entire talk (part of a YouTube playlist of all the CoreOS Fest talks, which I highly recommend)!

I explain how n-tier (e.g. presentation, application, and data) network security architectures fail to meet the demands of micro-service architectures.

  • Micro-services give developers flexibility and agility, which means an increased rate of change in network requirements.  Having operators manually update firewall rules doesn’t scale.
  • A central assumption in modern orchestration systems like Kubernetes or Mesosphere DCOS is that the data center is an undifferentiated pool of resources.  Carving out network tiers breaks that assumption.

We can foresee a better future where instead of dividing an application into arbitrary tiers and securing the border of those tiers, we can directly secure each instance of each micro-service.  Project Calico delivers that per-workload network isolation by distributing the network firewall to every host in your data center, automatically handling updates to network topology (e.g. from autoscaling).
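To make the per-workload model concrete, here is an added example (not code from the original post or from Project Calico itself) written against the standard Kubernetes NetworkPolicy API, which Calico enforces on every host. The namespace, pod labels and ports are assumptions chosen for illustration. Instead of placing a firewall at the border of a "presentation", "application" and "data" tier, each policy selects workloads by label, so a pod added by autoscaling or rescheduled to another host picks up the same rules with no manual firewall change.

```yaml
# Assumed namespace "shop" with three micro-services labelled
# app=frontend, app=api and app=db. Labels, ports and names are
# illustrative; they are not from the original post.
---
# 1. Default deny: every pod in the namespace rejects all ingress
#    until a more specific policy allows it. Policies are additive,
#    so later rules only ever open holes in this deny baseline.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
---
# 2. The API service accepts traffic only from frontend pods, and
#    only on its service port. Any new frontend replica matches by
#    label, so scaling needs no rule update.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# 3. The database accepts connections only from API pods. A
#    compromised frontend pod therefore has no network path to the
#    database, even though both sit in the same "pool" of hosts.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-from-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 5432
```

Apply the three objects with `kubectl apply -f` and verify the isolation from a frontend pod: a connection to an `app=db` pod on port 5432 should time out, while the same connection from an `app=api` pod succeeds. Because enforcement happens on each host where the selected pod runs, the check gives the same result regardless of which node the scheduler chose.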
