Security Pattern Vocabulary
5 exercises — Practice vocabulary for security architecture patterns: API gateway authentication, secrets manager, vault pattern, defence in depth, and the DMZ.
1 / 5
An architect says: "The API gateway handles authentication for all our microservices." A developer asks why this is done at the gateway level rather than in each service. Which explanation is correct?
The API gateway as authentication boundary is the "perimeter authentication" pattern — enforce identity at the entry point so internal services can focus on their business logic rather than security plumbing.
This pattern is part of the broader "API gateway" security pattern set: the gateway also handles rate limiting (mitigating DDoS and abuse), TLS termination (so internal traffic can run over plain HTTP or a lighter internal protocol inside the trusted network), and request logging (a centralised audit trail). The internal trust model is the key design decision: after the gateway authenticates the caller, do internal services trust the gateway's forwarded identity header (simpler, but safe only if network-level controls guarantee that services are reachable solely through the gateway), or does each service re-validate a token itself (stronger, and works across trust domains)? Zero-trust architectures lean toward re-validation; traditional perimeter models lean toward internal trust. The architect's choice should be explicit and documented.
Key vocabulary:
• API gateway — an infrastructure component that handles cross-cutting concerns (authentication, rate limiting, routing) for API traffic
• perimeter authentication — validating identity at the network entry point before requests reach internal services
• zero trust — a security model where no internal network location is inherently trusted; every request is authenticated and authorised
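The two internal trust models described above, as an added example that is not part of the exercise page: a gateway that performs perimeter authentication and forwards the caller's identity, a service that trusts that forwarded header only when the gateway has signed it (model A), and a service that ignores forwarded headers and re-validates the bearer token itself (model B). The token is a minimal HS256 JWT built from the standard library; the keys, header names and claim values are constructed for this example.

```python
"""Added example: perimeter authentication at an API gateway and the two
internal trust models behind it. Keys, header names and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

GATEWAY_HEADER_KEY = b"constructed-gateway-signing-key"  # shared gateway<->service secret
TOKEN_SIGNING_KEY = b"constructed-token-signing-key"     # identity provider's HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT (stand-in for the identity provider)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    sig = hmac.new(TOKEN_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Check signature, algorithm and expiry; return the subject or None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(TOKEN_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if int(claims.get("exp", 0)) <= now:
            return None
        return claims.get("sub")
    except (ValueError, KeyError, TypeError):
        return None


def _bearer(headers: dict) -> str:
    value = headers.get("Authorization", "")
    return value[7:].strip() if value.startswith("Bearer ") else ""


def gateway_forward(client_headers: dict, now: Optional[int] = None) -> Optional[dict]:
    """Perimeter authentication: validate at the entry point, then forward the
    identity in a header the gateway signs. Returns headers for the internal
    service, or None when the request is rejected at the gateway."""
    subject = validate_token(_bearer(client_headers), now)
    if subject is None:
        return None
    tag = hmac.new(GATEWAY_HEADER_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return {
        "X-Forwarded-User": subject,
        "X-Gateway-Signature": tag,          # proves the header came from the gateway
        "Authorization": client_headers["Authorization"],
    }


def service_trust_gateway(headers: dict) -> Optional[str]:
    """Model A: accept the forwarded identity only if the gateway signed it.
    An unsigned header (a request that bypassed the gateway) is rejected."""
    subject = headers.get("X-Forwarded-User")
    if subject is None:
        return None
    expected = hmac.new(GATEWAY_HEADER_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return subject if hmac.compare_digest(expected, headers.get("X-Gateway-Signature", "")) else None


def service_revalidate(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Model B (zero-trust leaning): ignore forwarded headers, re-validate the token."""
    return validate_token(_bearer(headers), now)


if __name__ == "__main__":
    token = mint_token("alice")
    forwarded = gateway_forward({"Authorization": "Bearer " + token})
    print("model A:", service_trust_gateway(forwarded))
    print("model B:", service_revalidate(forwarded))
    print("unsigned header:", service_trust_gateway({"X-Forwarded-User": "admin"}))
```

The gateway signature here covers only the subject, so in a real deployment it would also be bound to the request (path, timestamp or nonce) or replaced by mutual TLS between gateway and services; either way, model A still depends on network controls that keep services unreachable except through the gateway, which is exactly the trade-off the explanation above describes.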