Thought Machine is a startup financial technology company in the UK, building a next-generation core banking platform from the ground up, with a microservice architecture running in Kubernetes on Amazon Web Services (AWS) infrastructure.
When it came to securing the network connectivity between their microservices, they turned to Tigera’s Calico technology.
As Fabian Siddiqi, engineering director at Thought Machine, explains:
By default, all pods on a cluster can talk to each other. This raises some security concerns; for example, we might want to limit public egress network traffic of all pods (except for edge pods or web servers), or isolate highly sensitive pods from the rest of the cluster. We can solve this problem by using Network Policies. Calico runs in parallel with Flannel, and allows us to specify network policies to limit network traffic between different pods. These network policies are based on high-level constructs such as pod labels, which means that product teams can write their own policies using the same language they use to write deployment files. Calico runs as a privileged container, listening to changes in network policies and rewriting iptables rules to enforce them (in practice, we’ve seen updates being applied very quickly, in the order of 1 or 2 seconds).
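The two patterns Siddiqi describes, a cluster-wide block on public egress with an exception for edge pods and isolation of sensitive pods, expressed as standard Kubernetes NetworkPolicy objects of the kind Calico enforces. This is an added illustration, not Thought Machine's own policy set; the namespace "payments", the labels role=edge, tier=sensitive and access=ledger, the private CIDRs, and the k8s-app=kube-dns label are all assumptions.

```yaml
# Added example, not Thought Machine's policies: the patterns from the quote
# as standard NetworkPolicy objects, which Calico enforces. Names assumed.
---
# 1. Default for every pod: no public egress. Only private (cluster) ranges
#    and cluster DNS are reachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-public-egress
  namespace: payments
spec:
  podSelector: {}                  # empty selector = all pods in the namespace
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock: {cidr: 10.0.0.0/8}       # assumed pod/service/node ranges
    - ipBlock: {cidr: 172.16.0.0/12}
    - ipBlock: {cidr: 192.168.0.0/16}
  - to:
    - namespaceSelector: {}            # kube-dns, whichever namespace it runs in
      podSelector: {matchLabels: {k8s-app: kube-dns}}
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
---
# 2. Exception: edge pods (reverse proxies, web servers) may egress anywhere.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-edge-public-egress
  namespace: payments
spec:
  podSelector: {matchLabels: {role: edge}}
  policyTypes: [Egress]
  egress:
  - {}                               # empty rule = allow all egress
---
# 3. Isolation: sensitive pods accept ingress only from pods labelled
#    access=ledger in the same namespace; everything else is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-sensitive
  namespace: payments
spec:
  podSelector: {matchLabels: {tier: sensitive}}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {matchLabels: {access: ledger}}
```

Policies are additive (a connection is allowed if any policy selecting the pod allows it), so the edge exception works by adding a broader allow rule on top of the default rather than by overriding it, and a sensitive pod still has its egress limited by policy 1.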
For the full details of how Thought Machine has built a modern, secure banking application with Kubernetes and Tigera Calico on AWS, read the original blog post.