Microsegmentation, which groups network entities into segments and applies security policies to control traffic, is a perfect fit for securing microservices architectures. It allows for network-independent security policies to be defined and centrally managed at a fine-grained level, enabling policies to adapt to the dynamic and elastic nature of microservices. Major networking and security platforms like VMware NSX, Cisco ACI, and Docker's libnetwork support microsegmentation capabilities that are well-suited for microservices security through isolation, segmentation, and distributed policy enforcement.

1. Microsegmentation – a
perfect fit for
Microservices security
Anthony Chow
@vCloudernBeer
http://cloudn1n3.blogspot.com
VMworld 2015 vBrownBag TechTalk

2. What is Microservices?
 It is an architecture for application
deployment
 Monolithic -> small and autonomous
 Deployed as separate service/entity
 Communicate via network calls
 A new trend to deploy application
 Agile
 Scalable
 High Availability

3. Monolithic vs Microservices (Star Wars
version)

4. Microservices companion
technologies
 DevOps – share same idea with
Microservices
 Agile
 Scalable

5. Microservices companion
technologies
 Docker – enables streamlined
Microservices architecture
 Minimum overhead
 Quick provisioning

6. Cloud Native Application
 Microservices part of the equation
along with DevOps and Linux
Containers for building Cloud Native
Application
 Application that takes full advantage of
the cloud platform.
 Agile
 Scalable
 High Availability
 Not a “One Size fit All” solution

7. Microservices – opens up
security risk
 Frequent and short life span
 Increase east-west traffic
 Services are not as isolated

8. What is Microsegmentation?
 A security feature
 Group entities within a network into one unit
and to apply rules/polices to control the traffic
in and out of the segment.
 Concept is not new
 Miro level not feasible to implement before
network virtualization
 Supporting principles
 Apply security policy to the smallest
granular level
 Zero trust security model

9. Major component for effective
Microsegmentation
 From an article by Scott Lowe
 Network independent policy definition
 Centralized policy repository
 Distributed policy enforcement

10. How does Microsegmentation fit
into Microservices security?
 Network independent definition
 Security rule tailor to Microservices
 Centralized policy repository and
distributed enforcement
 Able to adapt to dynamic and elastic
nature of Microservices

11. VMware - NSX
 An networking and security solution
 Security is supported inherently by its
architecture/design:
 Isolation
 Segmentation
 Segmentation with Advanced Services

15. Cisco – ACI (Application Centric
Infrastructure)
 Policy definition separating segments
from the broadcast domain
 “tags” or “attributes” that identify an
endpoint regardless of its IP address
 End-point Groups as
Microsegmenations

17. A new chapter in Docker
networking - libnetwork
 Still under development
◦ Docker 1.7 (libnetwork rev 0.3)
◦ Docker 1.8 (libnetwork rev 1.0)
 Container Network Model
 A plugin model – able to take
advantage 3rd party well developed
networking and security infrastructure.

18. libnetwork- a pluggable
interface
 Container Network Model (CNM)
 Sandbox
 Endpoint
 Network