System architectures

The purpose of this article is to describe the differences between the components Airlock Gateway and Airlock Microgateway and how they can be combined for optimal synergy. The combination of both components allows different architectures which have their pros and cons. This article provides you with information to make a decision about which architecture is best for you.

Note that Airlock IAM is illustrated as a separate component outside Kubernetes to enhance clarity – this is not a requirement. Airlock IAM can also be deployed as a pod in Kubernetes and still serve both Airlock Gateway and Airlock Microgateway. However, with the focus on Airlock Microgateway, this aspect is not further discussed here.

Depending on your decision for the overall system architecture, an Airlock Gateway may or may not be positioned in front of the Kubernetes cluster. This manual focuses only on the deployment of Airlock Microgateway inside the Kubernetes cluster (e.g., deployment in OpenShift or Kubernetes, with or without service mesh, ...) and does not discuss the placement nor functionality of the Airlock Gateway. This has been done to simplify the manual and does not imply any additional meaning.

Characteristics of Gateway and Microgateway components

Both Airlock Gateway and Airlock Microgateway have distinct characteristics. One or the other may be preferable in different architectural environments. Consult the following table to find the best match for your project. Also, mind the section Data plane modes of Airlock Microgateway in this article.

Airlock Gateway

Airlock Microgateway

Architecture

  • Appliance with hardened OS
  • Secured container images and restricted permissions
    • Data plane mode
    • Sidecar
    • Kubernetes Gateway API

High Availability

  • Load balancing
  • Back-end failover
  • Self-healing nurses
  • External checks are possible

These functionalities are built-in, except for the external checks.

  • Load balancing
  • Failover to upstream service
  • Readiness and Liveness Probe endpoints

Kubernetes built-in functionalities are used. Microgateway supports the required integration.

Configuration interface

  • Graphical UI
  • Kubernetes CRs (Custom Resources)

Scriptable

  • Yes, through REST API.
  • Yes, with common Kubernetes tools.

GitOps friendly

  • Partly
  • A script to bootstrap the Gateway through REST API can be created and stored in Git.
  • Yes

Security model

  • Perimeter security
  • Zero Trust
  • Perimeter security with Kubernetes Gateway API

Configuration agility

  • Suited best to the following change frequencies:
  • moderate
  • infrequent
  • Suited for any change frequency:
  • frequent
  • moderate
  • infrequent

Airlock version

  • All web applications are protected with the same Airlock Gateway.

The same Airlock Gateway version is used for all web applications.

  • Data plane mode
  • Sidecar:
    Same version for web applications in the same namespace.
  • Kubernetes Gateway API:
    Web applications could share same Airlock Microgateway or use a dedicated version.

Bundle web application with Airlock

  • No

Because Airlock Gateway is shared, at least the Gateway version can not be bundled to a particular web application version.

  • Yes

Bundling a certain Airlock Microgateway configuration with a particular web application is possible.

Configuration maintained by

  • Security team
  • Security team
  • Project team
  • Developers

Shared responsibility.

Enforcing security settings
(baseline security)

  • Restricted access to configure Airlock Gateway
  • Policies for 3rd party tools like Open Policy Agent Gatekeeper, Kyverno or Kubewarden enforce certain Airlock Microgateway settings.
  • With RBAC in Kubernetes, access to certain CustomResources can be restricted.

The security team can enforce settings and control who has access to which Custom Resources in case different teams maintain the configuration.

Security know how

  • Centralized in the security team.

Depending on team responsibilities and processes the security policies can be configured in a centralized or decentralized way (or even a mix of it).
Based on that, the required know how must be present in those teams:

  • Centralized in the security team.
  • Decentralized in many teams.

Must likely the security team is still responsible for the overall security, also if the policies are configured decentralized in the teams. But in such case security know-how must also be present in other teams as well. The security team enables them with templates, guidelines and education.

Processes

 

  • Ticketing
  • Maintenance Windows
  • DevSecOps
  • Shift Left

Data plane modes of Airlock Microgateway

Airlock Microgateway can be deployed in two data plane modes: sidecar to extend an application Pod with security or sidecarless with the Kubernetes Gateway API.
The following comparison chart lists the important differences between both data plane modes and can be used as a decision helper to select the best matching mode for your requirements:

Data plane mode:

Sidecar

Sidecarless with K8s Gateway API

Total resource consumption (CPU/Memory)

Low

Even lower

3rd party solutions licensing number of containers (e.g. DataDog)

Higher 3rd party license costs.

Lower 3rd party license costs.

Airlock Microgateway CNI plugin

Required

Not required

Supported service mesh compatibility

Istio and Cilium

No special compatibility requirements.

Update Microgateway Engine

Rollover of the application Pod.

Rollover of Microgateway​ (no impact on the application).

Traffic filtering with Airlock Microgateway

Automatically in-line​ (traffic is redirected first to Microgateway).

Filtering ensured with routing and network policies in Kubernetes.

Protected web application

Runs inside of Kubernetes.

Runs inside or outside of Kubernetes.

North-South traffic

Yes, for the protected Pod.

Yes

East-West traffic

Yes

Yes, by routing the traffic accordingly.

Which architecture should I use?

Depending on your needs, a particular architecture blueprint will be best suited for you. The table below provides some arguments for the different architectures and should assist you in the decision-making process.
For simplicity, drawings showing the Airlock Microgateway only show the sidecar-based data plane mode.

Architecture A

Architecture B

Architecture C

Architecture D

Architecture A
Architecture B
Architecture C
Architecture D

Applicable Airlock Microgateway data plane modes

  • Not applicable
  • Sidecar
  • K8s Gateway API
  • K8s Gateway API
  • Sidecar
  • K8s Gateway API

Strengths of the different architectures

  • No or not much Kubernetes workload.
  • Requires not much Kubernetes know-how.
  • Classic workloads must be protected.
  • Security policies should be created and maintained by a single team (no shared responsibility).
  • No need for Zero Trust architecture.
  • Perimeter to secure any enterprise workload.
  • Classic workloads must be protected.
  • Kubernetes workloads must be protected.
  • Establishes DevSecOps principles with shared responsibility for Kubernetes workload.
  • Zero Trust architecture for microservices.
  • Short development lifecycle for Kubernetes workload. Therefore the need to bundle the security policies with the web application.
  • No need for a classic perimeter.
  • Single solution to protect classic and Kubernetes workloads.
  • Establishes DevSecOps principles with shared responsibility.
  • Zero Trust architecture. This requires descrete Airlock Microgateways per web application.
  • Short development lifecycle and therefore the need to bundle the security policies with the web application.
  • No need for a classic perimeter.
  • No classic workloads to protect.
  • Kubernetes workloads must be protected.
  • Establishes DevSecOps principles with shared responsibility.
  • Zero Trust architecture.
  • Short development lifecycle and therefore the need to bundle the security policies with the web application.

Baseline vs. fine-grained security

The idea of baseline security is to have a basic set of general security settings enforced for all web applications. These settings should be generic and have a long lifecycle, i.e., they will not change much when upgrading applications. An example of a baseline security setting is the public TLS cipher configuration.

Fine-grained security settings, however, are tightly coupled to a specific web application and enable strict security policies. These settings bring in-depth security and protect the web application from serious attacks. They are usually specific to a web application and may therefore change with new application versions. An example of a fine-grained security setting is an OpenAPI specification for API calls.

It is not recommended to expose web applications to the Internet only with baseline security applied.

Depending on which architecture you have chosen, the baseline security settings are configured in different components. If Airlock Gateway is in front of the Kubernetes cluster, it takes care of baseline security. It has the advantage that, since only the security team can modify the configuration, these settings are easily enforced.
If no Airlock Gateway is installed in front of the Kubernetes cluster, baseline security will also be handled by the Airlock Microgateway. Enforcement requires correct use and setup of Kubernetes tooling (see Enforce policies).

The list below provides some hints on what kind of setting is more part of baseline or fine-grained security.

  • Baseline security
  • TLS ciphers and protocols
  • TLS certificates (public facing)
  • Allow rules:
    • Allow traffic only from certain IP networks.
    • Allow only the standard HTTP methods.
  • Deny rules:
    • Rules with low false-positive rates.
    • Deny rule for current vulnerabilities (e.g. Log4Shell).
    • Prevent admin interfaces being exposed.
  • Security headers (HSTS, X-Frame-Options, ...)
  • Enforce authentication:
    • Allow only authenticated users to send requests to the protected services.
      (if a Gateway is in front of a Microgateway, the Microgateway will re-evaluate if the user is authorized).
  • Geolocation blocking
  • Threat Intelligence
  • Anomaly Shield (machine learning)
  • Malware scanning
  • Attach co-browsing solution
  • ...
  • Fine-grained security
  • OpenAPI specifications
  • GraphQL Schema validation
  • TLS ciphers and protocols (for service-to-service communication)
  • Deny rules and their exceptions:
    • Strict rules
    • Handle possible false-positives with application-specific exceptions.
  • Security headers (application-specific like CSP)
  • Verification of authentication tokens
  • ...