CoursesAdvanced cloud securityNetwork & data-plane security

Encryption in transit & service-mesh mTLS

TLS everywhere, mesh identity, and short-lived cert rotation.

Advanced30 min · lesson 6 of 15

Encrypting the edge and trusting the internal network is a decades-old habit that modern architectures cannot afford. Once an attacker is inside the perimeter, plaintext east-west traffic is theirs to read and tamper with. Encryption in transit everywhere — including service-to-service — plus mutual authentication is what actually enforces a zero-trust data plane.

TLS everywhere, including east-west

Terminating TLS at the load balancer and letting the internal hop run plaintext leaves every service-to-service call exposed inside the trust boundary. Push encryption all the way to the workload. A service mesh makes this practical: sidecar proxies transparently wrap every connection in TLS without changing application code, so even a flat internal network carries no cleartext traffic.

enforce strict mTLS in the mesh
# Istio: require mutual TLS for every workload in the namespace.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
namespace: payments
spec:
mtls:
mode: STRICT # plaintext connections are refused, not just upgraded
# AuthorizationPolicy then decides WHICH identity may call — authn + authz:
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: allow-checkout, namespace: payments }
spec:
selector: { matchLabels: { app: ledger } }
rules:
- from:
- source:
principals: ["cluster.local/ns/payments/sa/checkout"]

Identity-based mTLS and rotation

Mutual TLS means both ends present a certificate, so a service proves who it is, not merely that it is on the network. The strong version binds those certificates to a workload identity — a SPIFFE ID like spiffe://cluster.local/ns/payments/sa/checkout — issued by the mesh CA and rotated automatically on a short lifetime. Because certs are minted and rotated by the platform, there is no long-lived key to steal and no manual renewal to forget; a revoked or expired identity simply stops being able to connect.

mTLS between workloads via sidecars
1service A
plain HTTP to its own sidecar
2sidecar A
presents A identity cert
3sidecar B
verifies A, presents B cert (mutual)
4service B
receives verified, encrypted call
Both sides authenticate with short-lived, auto-rotated identity certs. The application code is unchanged; the mesh owns the crypto and rotation.
Edge-only TLS is a soft interior
If TLS stops at the load balancer, anyone who gains a foothold on the internal network — a compromised pod, a misrouted packet capture, a rogue sidecar — reads and modifies east-west traffic freely. Assume the internal network is hostile and encrypt service-to-service with mutual authentication; "internal" is not a security property.