Microservices Mesh
Architecture
Implement least-privilege microservices communication with dedicated security groups:
- Per-service security groups defining allowed ingress
- Self-referencing rules for service replicas
- Explicit service dependencies as egress rules
Security groups are stateful, but a connection is only permitted when the caller's egress rule and the callee's ingress rule both allow it, so every edge of the call graph is declared twice: as egress on the calling service and as ingress on the called one. Because the groups reference each other's IDs, this pattern only works if the module creates rules as separate rule resources (aws_security_group_rule or aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule) rather than inline ingress/egress blocks on aws_security_group; with inline rules Terraform reports a dependency cycle between, for example, gateway_sg and user_service_sg.
When to Use
- Kubernetes or ECS-based microservices, provided each task or pod gets its own network interface (ECS awsvpc network mode, EKS security groups for pods); with a shared node-level group, every service on the node inherits the same rules
- Service mesh deployments
- Event-driven architectures
- API gateway patterns
Implementation Pattern
The groups referenced below but not shown (payment_service_sg, the *_db_sg modules, cache_sg and kafka_sg) are assumed to be defined the same way, each admitting only the services that call it. Once egress rules are declared, only the listed destinations are reachable; services that pull images, ship logs or call AWS APIs additionally need egress (typically TCP 443 to VPC endpoints or a NAT gateway), which is omitted here for brevity.
# API Gateway service: the only internet-facing group
module "gateway_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "api-gateway"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Public HTTPS"
    }
  ]

  # Each backend listed here must admit gateway_sg in its own ingress
  egress_rules = [
    {
      from_port = 8080
      to_port   = 8080
      protocol  = "tcp"
      security_groups = [
        module.user_service_sg.security_group_id,
        module.order_service_sg.security_group_id,
        module.product_service_sg.security_group_id
      ]
      description = "Route to backend services"
    }
  ]
}
# User service with self-referencing for clustering
module "user_service_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "user-service"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port = 8080
      to_port   = 8080
      protocol  = "tcp"
      # The order service calls this service (see its egress rules), so it
      # must be admitted here as well; egress on the caller alone is not enough
      security_groups = [
        module.gateway_sg.security_group_id,
        module.order_service_sg.security_group_id
      ]
      description = "API from gateway and order service"
    },
    {
      from_port   = 7946
      to_port     = 7946
      protocol    = "tcp"
      self        = true
      description = "Cluster gossip between replicas"
    }
  ]

  egress_rules = [
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.user_db_sg.security_group_id]
      description     = "User database"
    },
    {
      from_port       = 6379
      to_port         = 6379
      protocol        = "tcp"
      security_groups = [module.cache_sg.security_group_id]
      description     = "Session cache"
    }
  ]
}
# Order service calling other services
module "order_service_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "order-service"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.gateway_sg.security_group_id]
      description     = "API from gateway"
    }
  ]

  egress_rules = [
    {
      from_port = 8080
      to_port   = 8080
      protocol  = "tcp"
      security_groups = [
        module.user_service_sg.security_group_id,
        module.product_service_sg.security_group_id,
        module.payment_service_sg.security_group_id
      ]
      description = "Call dependent services"
    },
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.order_db_sg.security_group_id]
      description     = "Order database"
    },
    {
      from_port       = 9092
      to_port         = 9092
      protocol        = "tcp"
      security_groups = [module.kafka_sg.security_group_id]
      description     = "Event publishing to Kafka"
    }
  ]
}
# Product service
module "product_service_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "product-service"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port = 8080
      to_port   = 8080
      protocol  = "tcp"
      security_groups = [
        module.gateway_sg.security_group_id,
        module.order_service_sg.security_group_id
      ]
      description = "API from gateway and order service"
    }
  ]

  egress_rules = [
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.product_db_sg.security_group_id]
      description     = "Product database"
    }
  ]
}
Benefits
- Explicit service dependency graph in infrastructure code
- Self-documenting network topology
- Easy to audit service-to-service communication
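The audit the last benefit promises can be automated. The script below is an added example, not part of the module or of this page: it models the groups from the Implementation Pattern (with each caller listed in its callee's ingress) as plain data, flags egress rules whose target group has no matching ingress, and computes which groups are transitively reachable from the internet-facing gateway. The leaf groups the page references but does not define (payment service, databases, cache, Kafka) are assumed to admit only their single caller; a real run would build the same structure from `terraform show -json` output or ec2:DescribeSecurityGroups instead of the hand-constructed dictionary.

```python
"""Audit a per-service security-group graph for rule symmetry and blast radius.

Added example: the rule data is constructed by hand to mirror the
Implementation Pattern; leaf groups not defined on the page are assumptions.
"""
from collections import deque

# Rule = (protocol, from_port, to_port, peer). A peer is a group name or a
# CIDR (contains "/"). A `self = true` rule uses the group's own name as peer.
PAGE_GROUPS = {
    "api-gateway": {
        "ingress": [("tcp", 443, 443, "0.0.0.0/0")],
        "egress": [("tcp", 8080, 8080, "user-service"),
                   ("tcp", 8080, 8080, "order-service"),
                   ("tcp", 8080, 8080, "product-service")],
    },
    "user-service": {
        "ingress": [("tcp", 8080, 8080, "api-gateway"),
                    ("tcp", 8080, 8080, "order-service"),
                    ("tcp", 7946, 7946, "user-service")],  # cluster gossip, self
        "egress": [("tcp", 5432, 5432, "user-db"),
                   ("tcp", 6379, 6379, "cache")],
    },
    "order-service": {
        "ingress": [("tcp", 8080, 8080, "api-gateway")],
        "egress": [("tcp", 8080, 8080, "user-service"),
                   ("tcp", 8080, 8080, "product-service"),
                   ("tcp", 8080, 8080, "payment-service"),
                   ("tcp", 5432, 5432, "order-db"),
                   ("tcp", 9092, 9092, "kafka")],
    },
    "product-service": {
        "ingress": [("tcp", 8080, 8080, "api-gateway"),
                    ("tcp", 8080, 8080, "order-service")],
        "egress": [("tcp", 5432, 5432, "product-db")],
    },
    # Assumed leaf groups (not defined on the page): admit only their caller.
    "payment-service": {"ingress": [("tcp", 8080, 8080, "order-service")], "egress": []},
    "user-db": {"ingress": [("tcp", 5432, 5432, "user-service")], "egress": []},
    "order-db": {"ingress": [("tcp", 5432, 5432, "order-service")], "egress": []},
    "product-db": {"ingress": [("tcp", 5432, 5432, "product-service")], "egress": []},
    "cache": {"ingress": [("tcp", 6379, 6379, "user-service")], "egress": []},
    "kafka": {"ingress": [("tcp", 9092, 9092, "order-service")], "egress": []},
}


def _covers(rule, proto, lo, hi, peer):
    """True if `rule` admits `peer` on every port of [lo, hi] for `proto`."""
    r_proto, r_lo, r_hi, r_peer = rule
    if r_peer != peer or r_proto not in ("-1", proto):
        return False
    return r_proto == "-1" or (r_lo <= lo and r_hi >= hi)  # "-1" = all traffic


def asymmetric_rules(groups):
    """Egress rules naming a group that does not admit the source on that port."""
    findings = []
    for src, cfg in groups.items():
        for proto, lo, hi, peer in cfg["egress"]:
            if "/" in peer:
                continue  # CIDR destination: nothing to cross-check
            if peer not in groups:
                findings.append((src, peer, proto, lo, hi, "unknown group"))
            elif not any(_covers(r, proto, lo, hi, src) for r in groups[peer]["ingress"]):
                findings.append((src, peer, proto, lo, hi, "no matching ingress"))
    return findings


def allowed_edges(groups):
    """(src, dst) pairs where at least one egress rule to dst is admitted by dst."""
    return {(src, peer)
            for src, cfg in groups.items()
            for proto, lo, hi, peer in cfg["egress"]
            if "/" not in peer and peer in groups
            and any(_covers(r, proto, lo, hi, src) for r in groups[peer]["ingress"])}


def internet_exposed(groups):
    """Groups with an ingress rule open to the whole IPv4 internet."""
    return {name for name, cfg in groups.items()
            if any(peer == "0.0.0.0/0" for *_, peer in cfg["ingress"])}


def reachable_from_internet(groups):
    """Groups reachable from an exposed group over edges both sides allow (BFS)."""
    edges, seen, queue = allowed_edges(groups), set(), deque(internet_exposed(groups))
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(dst for src, dst in edges if src == node)
    return seen


def without_ingress_from(groups, group, peer):
    """Copy of `groups` with every ingress rule on `group` from `peer` removed,
    i.e. what a forgotten ingress entry looks like to the audit."""
    out = {n: {k: list(v) for k, v in c.items()} for n, c in groups.items()}
    out[group]["ingress"] = [r for r in out[group]["ingress"] if r[3] != peer]
    return out


if __name__ == "__main__":
    print("findings:", asymmetric_rules(PAGE_GROUPS))
    broken = without_ingress_from(PAGE_GROUPS, "user-service", "order-service")
    print("findings after dropping order-service from user-service ingress:",
          asymmetric_rules(broken))
    print("reachable from internet:", sorted(reachable_from_internet(PAGE_GROUPS)))
```

The reachability result is the sobering part of the audit: with the rules as declared, every group, databases included, is transitively reachable from the public gateway, which is exactly why compromise of one service should be assumed to expose its declared dependencies and nothing more.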