Presented at InnoTech Austin 2017. All rights reserved.

1. µservices ARCHITECTURAL
Maturity Matrix, Token Based
Auth/z, API Gateway Mediation
{“quip”:“If I had more time I would have written less code.”}
iryanb@guarden.io
FOUNDER & CHIEF GUARDENER
GUARDEN.io
“Guard Roots Then Grow”
© 2017 Ryan Bagnulo All Rights Reserved guarden.io 1

2. µQA? Remember the VASA
(Virtualization As A Service)
The VASA took 2 years to build (1626 to 1628) at the
request of The King of Sweden Gustavus Adolphus
The ship was ordered to sail before proper QA testing
proved the ballasts seaworthy and that day Aug 10
1628 it capsized, sunk and 30 drowned
“Imprudence and negligence” was the King’s reply
when told of the 1400 yard catastrophic launch
witnessed by thousands of spectators
The King had approved all measurements and
armaments, and the ship was built according to the
instructions and loaded as specified. No-one was
punished or found guilty for negligence.
“Only God Knows” ~ Arendt de Groote
2© 2017 Ryan Bagnulo All Rights Reserved guarden.io

3. Docker now natively supports Kubernetes, be
aware that anonymous is enabled by default
starting in version 1.6+, read this https://
kubernetes.io/docs/admin/authentication/
#x509-client-certs
Beware of the side door that the kubelet opens
up with a built in http server on the container
processes, for example on port 10255/healthz
CONSIDER dedicated Bare Metal infrastructure
with minimal OS builds for ingress/egress
software virtualized API gateway facade
runtimes
Whilst containers speed deployment perhaps
they do NOT belong on shared infrastructure
for high risk use cases
Design a Balanced Architecture with Resiliency
prioritized above Time To Market
3© 2017 Ryan Bagnulo All Rights Reserved guarden.io

4. µservices ARCHITECTURE
Perhaps a few design JIRAs before pushing agile code during the next sprint
4© 2017 Ryan Bagnulo All Rights Reserved guarden.io

5. Does anyone remember SCA?
SCA > SOA
Services Component Architecture
How are microservices different from service
components?
Swagger JSON, no XML no WSDLs
A decade ago there was an Apache project
called Tuscany, a year ago Apache retired it to
the attic http://attic.apache.org/projects/
tuscany.html
Apache ServiceMix became JBOSS Fuse and Camel
blurred the lines between API Gateway and ESB
Apache however is keeping OSGi alive with Felix
5.6.8 (Aug 25 2017) & Jetty 3.4.4 (July 14 2017)
http://felix.apache.org/
5© 2017 Ryan Bagnulo All Rights Reserved guarden.io

6. WSDLs WADLed, now YAML Swaggers JSON
Yesterday’s Technology Today With Tomorrow’s Stacks
Servlets, CORBA ORBs, DCOM, EJBs, POJOs, Portlets, Widgets,
AJAX
Message Queues, Multicast Topics
WS-*, SOAP, XML, namespaces, XSLT
Basic Auth, SAML, XACML, LDAP, AD
REST API path & query parameters for GETs, moving apikeys
to client ids and OAUTH tokens to the Authorization header
OpenID Connect facades to LDAP AD, & JWT / JWE tokens
Containerized REST API operations with less code
interdependency and more declarative descriptor definitions
for greater messaging integration as µservices
Distributed Caching, AMQP, Kafka Topics, messaging service
meshes
6© 2017 Ryan Bagnulo All Rights Reserved guarden.io

7. µservices Complexity Matrix
READ ONLY GET Verbs that only serve relatively static (cacheable)
responses
WRITE ONCE POST Verbs that create objects synchronously
WRITE MANY PUT or DELETE Verbs that change or
remove data asynchronously
INTEGRATED GET Verbs that execute a transaction
synchronously or read from an IoT sensor or perform
an analog or digital write to an IoT device (light on/
off/luminosity, thermostat warmer/cooler, motor on/
off/velocity, haptic feedback devices such as wearables,
gaming controllers, car seats to wake the driver, etc…)
7© 2017 Ryan Bagnulo All Rights Reserved guarden.io

8. µservices Security Matrix
Basic Auth and API keys in query or path parameters deprecated
and replaced by BEARER Tokens for AUTHENTICATION
HMAC Tokens with a nonce and digital signature are used for
transactional API operations and tokens are issued with scopes
for course grained entitlement AUTHORIZATION
Mutual TLS is required to even request authorization code, token and to use
the API facade via the gateway, if JSON Web Tokens are used, then protect the
PII by using an encrypted JWE token
If the microservices application runtime tier does not
integrate using an internal API Gateway, ESB, or
asynchronous messaging subsystem with an integrated policy
enforcement point then “sidecars” should minimally only
accept connections from mutual TLS connections with
certificates and keys that are replaced with each build
deployment from QA to Production
8© 2017 Ryan Bagnulo All Rights Reserved guarden.io

9. µservices Mediation Matrix
VALIDATE INPUT: “Open APIs” accessible via shared public cloud
infrastructures minimally perform content type input validation for
path, query, header, and message scheme & fields
THROTTLE and FILTER: The mediation tier (API Gateway,
Sidecar, ESB) restricts request sizes (Kbytes per message, per
field), number of requests per minute, content types
302 TO A HONEYPOT: Either rejects or 302s malicious requests containing
well knowns patterns such as escape characters, SQL injections, to a
honeypot to build a blacklist of IP Addresses, Client IDs, User IDs, etc.
FILTER: To prevent accidental data breaches verify the data in the
response is of the expected type, size, and that the client requesting the
data is entitled to access the data using decorations on tokens such as an
account number, employee id, nonce
TRANSFORM: Normalize requests and responses with consistent field names
and data types as per Swagger documentation for each query, path, and
object and message body field
9© 2017 Ryan Bagnulo All Rights Reserved guarden.io

10. Pythagorean µService Maturity
Architectural Matrix
10
0
Squared = 9
Squared = 16
Squared = 25
3
4
5
API
DB
Dev
SIT UAT
QA
LIVE
LIVE 2
LIVE 1
SIT UAT QA
Development
0 is the SecDevOps System Management subsystem,
people and processes (ITIL, CMDB, Registry,
Repository, Logs, Telemetry, Reports, Build & Deploy
Tools & Honeypots)
1 was Alpha
2 was Beta
3 is for low risk read only GETs from APIs
integrating with a µS that may also be mediated with
a distributed object Cache or protocol / message
Transformation logic
4 is for GETs and POSTs, a messaging tier may also
be implemented for asynchronous PUT & DELETE
events and for large volumes of dynamic data, with
at least 2 LIVE sites geographically distributed for
increased resiliency and lower latency, the database
may be a RDBMS and/or a NoSQL distributed system
with a query router
5 is for GETs, POSTs, PUTs & DELETEs with increased
mediation for requests and responses, low latency
messaging, edge caching, and 3 or more LIVE sites
CT
µS
µS
µS
µS
µS
µS
µS
µS
µS
µS
µS
API DB
API
DB
CT
DB
µS
µSAPI
API
CT µS DB
API
API
API
DB
DB
DBCT
CT
CT
CT µS
Q
Q
Q
Q
Q
Q
Q
Q
DB
DB
DB
DB
CT
CT
CT
CT
API
API
API
API
CT
µS
µS
Q
SIT UAT QA
LIVE++
LIVE 1
LIVE 2
© 2017 Ryan Bagnulo All Rights Reserved guarden.io

11. API Gateway or Sidecar Proxy
DMZ or Message Queue / Topic
API Gateways vs the ESB vs
“service meshes” of sidecar
proxies
Are sidecars simply adding a
hop to publish to queues and to
subscribe to topics?
Are Sidecars destined to be
antiquated like agents or
bloated like buses with
features to transform protocols
(http/tls, protobufs, JMS, AMQP)
and to integrate with HSMs etc.
11© 2017 Ryan Bagnulo All Rights Reserved guarden.io

12. ”With µservices our performance has gone plaid”
~ said nobody
The speed of the edge of the network will always be out of your control
The speed of the core of the network will always be bound by physics and the race
condition of update, sign, verify, authenticate & authorize events
Mgmt µServices such as a lazy written logging tier will result in less CPU and IOPS
usage, improving performance and security compared to syslog to file then aggregation
Do the math, remember Little’s Law of Queueing Theory when sizing systems
Queue Length = Arrival rate * response time of Queue
Expected Peak Traffic = 10,000 Requests Per Second
Response Time SLA is 150 milliseconds per GET
10000 x 0.150 = a Queue Length of 1,500 Port 443 Socket Events
If 1 x 4 CPU Container with 4 GB of Memory supports 300 Concurrent Requests Per
Second
Then Each Production Site should have traffic load balanced to at least
1500/300 =
5 API Gateways integrating with 5 µservers
12© 2017 Ryan Bagnulo All Rights Reserved guarden.io

13. Legacy API Anti-patterns: The “REST mullet”
Virtual APIs for ACCEPT JSON client apps in
front of the gateway & with the gateway
mediating protocol and message
transformation to content type XML request
and or responses from SOAP services
The gateway may have custom policies written
in JS, XSLT, Python, Jython, Java, or
Freemarker to handle field level data
mappings and namespaces
Be Aware of ns=http://tempuri.org (FACEPALM)
Be Aware of SOAP 1.0 vs SOAP 1.1 ns prefixes
for inner elements
13© 2017 Ryan Bagnulo All Rights Reserved guarden.io
😱

14. JWT is not the logical replacement, albeit they are similar to
SAML with user data in XML attributes
Perhaps OAuth is appropriate, Bearer tokens < MAC tokens with
signatures and a NONCE
OpenID / Connect simplifies connectivity to the identity
provider and removes connection details and passwords from
code and config files
Legacy API Anti-patterns: the apikey query param, SAML, NTLM,
Kerberos, Basic Auth, LDAP, AD
14© 2017 Ryan Bagnulo All Rights Reserved guarden.io

15. Legacy API Anti-patterns: Yearly Pen Tests (Weak Shark Week)
Lesson Learned: Before a Jaguar Shark maybe hacks
your API there is usually a spike in traffic, often
the requests are unusual, for example a florescent
fish bot DDOS
Minimally look for the CWE Top 25 during the QA
code review and Test cases
The OWASP Top 10 are similar
And Truly, Do Stop checking in code to GitHub with
connection details and credentials to prod
subsystems in config files
Perhaps audit the key rotation credential refresh
people, process and tools quarterly so as to ensure
it is always expected, scheduled and made a
priority rather than a reaction to a surprise
15© 2017 Ryan Bagnulo All Rights Reserved guarden.io

16. Legacy API Anti-patterns: Inconsistent HTTP Response Codes
200 OK
201 PUT POST PATCH successful, resource(s) created. See
ETAG, Last-Modified Headers and message body with URI(s)
202 Asynchronous Request Accepted, contingent response.
204 No Content. Valid Request with an empty set response.
300 This is SPARTA!
302 FOUND, elsewhere. Redirect (perhaps per policy to honey)
401 Not Authenticated. (Either the client app or user)
403 Not Authorized. (Token with the wrong scope)
404 Resource not found.
418 This device is a tea kettle. Java not found.
500 Server Error. (Probably a Null Pointer Error, or
Connection Refused perhaps untrusted Mutual TLS client
certificate)
16
IoTea
TEA
© 2017 Ryan Bagnulo All Rights Reserved guarden.io

17. Mitigating IoT Controller APIs with
OAuth Entitlement Scopes
Private Tokens
Signed Nonced HMAC
Create New Devices
Update Device UUID
Delete Device
Show Local Devices
Claim Control of a Device
Get the IP Address of a Device
POST Data to a Device
17© 2017 Ryan Bagnulo All Rights Reserved guarden.io

18. Read Only IoT Sensor µservices
architectural patterns
Diamond Meshes (known for their heat conductivity, think
Thermostats) are the simplest and hence also the strongest building
blocks of µservices Meshes, for example streaming temperature
information and are distributed pervasively.
Graphite Meshes are very stable µservices distributed across
architectural layers with enclaves of sensors segmented on network
tiers: public edge, fog edge, fog core, private edge, private core
Lonsdaleite Meshes of µservices are integrated honeycombs of
Diamond Bots permitted to send and receive data to each other
across the layers of “Graphite” network enclaves, this is essentially
the suggestion regarding the use of sidecars instead of gateways,
ESBs, or messaging systems.
18© 2017 Ryan Bagnulo All Rights Reserved guarden.io

19. Transactional IoT µservices
architectural patterns
Buckminsterfullerene “Buckyball” meshes of µservices are
transactional bots that both sense analog and digital input, and
also react to analog write or digital write events to a connected
device. Each mesh is an autonomous disconnected caged enclave
in the fog tier segmented from the public cloud and the private
core networks.
Fullerite Buckyball meshes of µservices are built on solid state
technology and are designed to withstand the harshest physical
world conditions with automated node recovery and delegated
failover from node to node.
Rugbyball meshes of µservices are caged-fused rings of bots with
policy enforcement occurring within the cage and outside of the
cage.
19© 2017 Ryan Bagnulo All Rights Reserved guarden.io

20. Integrated IoT µservices
architectural patterns
Amorphous meshes of µservices are what happen
to ungoverned systems on public networks over
time, AKA a ‘Spaghetti MESSh’ that is impossible to
manage with chaotic bottlenecks and backdoors.
Integrated tubes of µservices connect
dimensions of big data globally with near real-
time latencies for the best performance
consistency, with the security and privacy of a
‘vacuum zone’ that also acts as a trap to
honeypot malicious activity.
20© 2017 Ryan Bagnulo All Rights Reserved guarden.io

21. “Everything should be as simple as possible, no simpler.”
Albert Einstein
21
µ
µ
µµµ
µ
µµ
µ
µ
µ µ
µ
µ
µ
µ
µ µµµ µ
µ µ
µ
µµµ µµµ
© 2017 Ryan Bagnulo All Rights Reserved guarden.io