Well-Architected Framework
Authenticate workloads with TLS
You should authenticate and identify your application workloads to ensure their integrity, security, and reliability. Without proper authentication or identification, your application workloads are less secure, more difficult to monitor and troubleshoot, and can also be at risk of noncompliance with regulations and standards (for example, GDPR, HIPAA, and PCI-DSS). Authenticating and identifying your application workloads has the following key benefits:
- Optimize resources: manage resource allocation more efficiently by authenticating application workloads. For example, when workloads authenticate with TLS, network systems can treat authenticated and unauthenticated traffic differently and make more efficient use of network resources. You can also configure load balancing and auto scaling solutions to prioritize TLS-enabled applications.
- Improve observability: gain deeper insights into applications and their behavior, performance, and resource usage by accurately identifying application workloads with each application's TLS certificate information.
- Adhere to regulations or standards: authentication and identification provide a clear access audit trail that helps you demonstrate compliance.
- Securely operate: prevent unauthorized access to data or resources.
Authenticate application workloads with Vault
Your application workloads can authenticate with Vault and use it as an identity provider by combining Vault Agent, the TLS certificate auth method, and response wrapping.
Vault's TLS certificate auth method authenticates clients with SSL/TLS client certificates that are either signed by a CA you register with the method or self-signed certificates you register directly. The client presents its certificate during the TLS handshake, and Vault maps the certificate to a named cert role and issues a token carrying the policies attached to that role. Vault Agent is a client-side daemon that makes requests to Vault on behalf of a client application, including authenticating to Vault with a TLS certificate through the Vault Auto-Auth cert method and keeping the resulting token renewed.
You can also use Vault Agent to template secrets with the Consul Template markup and render them to files, where the client application can read them. Vault Agent's process supervision feature can also send signals to services, or restart them, after templated credentials rotate.
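The following Vault Agent configuration is an added example, not code from the original page or from HashiCorp's documentation. It ties together the pieces named above: the Auto-Auth cert method presents a client certificate issued by a CA that the cert auth method trusts, the token is written to a sink with response wrapping, and an env_template plus an exec stanza injects a secret into the supervised process and restarts it when the secret changes. The Vault address, the CA and key paths, the cert role name web, the secret path secret/data/app/db and the application command are assumptions for illustration.

```hcl
# Added example: Vault Agent configuration, not from the original page.
# Assumed values: the Vault address, the CA and key paths, the cert role
# "web", the KV v2 secret at secret/data/app/db, and the command to run.

pid_file = "/run/app/vault-agent.pid"

vault {
  address = "https://vault.example.internal:8200"
  # Pin the CA that issued Vault's server certificate instead of trusting
  # the system store, so the agent cannot be redirected to an impostor Vault.
  ca_cert = "/etc/app/tls/vault-ca.pem"
}

auto_auth {
  # Cert auth: the agent authenticates with the workload's own client
  # certificate. Vault maps it to the cert role named here and issues a
  # token that carries that role's policies.
  method "cert" {
    mount_path = "auth/cert"
    config = {
      name        = "web"                     # role under auth/cert/certs/
      client_cert = "/etc/app/tls/client.crt"
      client_key  = "/etc/app/tls/client.key"
      # Re-read the key pair from disk on each login attempt so a rotated
      # short-lived client certificate is picked up without a restart.
      reload      = true
    }
  }

  # Response wrapping: Vault returns a single-use wrapping token with a
  # 5-minute TTL rather than the client token itself, so the file holds
  # nothing directly usable and a leaked, already-unwrapped token is noticed.
  sink "file" {
    wrap_ttl = "5m"
    config = {
      path = "/run/app/vault-token"
      mode = 0600
    }
  }
}

# Render a secret into the supervised process's environment...
env_template "DB_PASSWORD" {
  contents = "{{ with secret \"secret/data/app/db\" }}{{ .Data.data.password }}{{ end }}"
}

# ...and restart the process whenever that secret changes.
exec {
  command                   = ["/usr/local/bin/app", "--listen=:8443"]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
```

Before starting the agent, an operator enables the method and registers the trusted CA against the role, for example `vault auth enable cert` followed by `vault write auth/cert/certs/web certificate=@ca.pem allowed_common_names=web.app.internal token_policies=app-db` (the common name and policy name are assumptions); the role name in the agent's config must match. Because the sink holds a wrapping token, whatever reads it must unwrap it, and an unwrap that fails because the token was already used is a signal that another party read the file first. To render secrets to a file instead of an environment variable, use a template stanza with source and destination.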
HashiCorp resources:
- Vault Agent and Vault Proxy quick start
- Vault Agent Templates
- Vault Auto-Auth cert method
- TLS certificates auth method
- TLS certificate auth method (API)
- Response wrapping
Authenticate application workloads with Consul
You can implement a zero trust security model by authenticating and authorizing all service-to-service communication with Consul, which mitigates unauthorized access and lateral movement within your network environments. Consul also enables fine-grained access control between the services in your service mesh with intentions, which you use to explicitly allow or deny traffic between named services.
When you authenticate application workloads with Consul, you eliminate hard-coded credentials and addresses. You also improve compliance through audit trails, monitoring, and centralized policy management. You can define your policies as code, keep them in version control, and update them quickly as requirements change.
You can authenticate your application workloads on Consul with the following methods:
- TLS certificates: Consul service mesh issues each service an mTLS certificate that encodes its service identity as a SPIFFE ID, and the sidecar proxies use these certificates to identify and authenticate application services to each other.
- JWT (with Vault): Consul can integrate with Vault to use JWT authentication for dynamic workload identities.
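The following service-intentions config entry is an added example of the explicit allow/deny intentions described above; it is not from the original page or from Consul's own documentation. The service names web, billing and api are assumptions.

```hcl
# Added example: explicit allow/deny intentions protecting the "api" service.
# The source identity comes from the mTLS certificate Consul issued to each
# sidecar, so "web" means "a proxy presenting a certificate for service web",
# not an IP address or hostname. Service names are assumptions.
Kind = "service-intentions"
Name = "api"   # destination service these rules apply to

Sources = [
  {
    Name   = "web"
    Action = "allow"
  },
  {
    # Explicitly denied so the decision is visible in the policy, not
    # implied by the fallthrough below.
    Name   = "billing"
    Action = "deny"
  },
  {
    # Catch-all: any source without a more specific match is rejected, so a
    # newly deployed service gets no access to api until an intention is
    # written for it.
    Name   = "*"
    Action = "deny"
  }
]
```

Apply the entry with `consul config write api-intentions.hcl` and verify a decision with `consul intention check web api`. The wildcard deny matters: without it, a source that matches no intention falls back to the ACL system's default policy, so a cluster whose default is allow silently permits every unmatched connection. Consul matches the most specific source first, so the exact-name entries take precedence over `*` regardless of their order in the list.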
Keep in mind the following best practices when you authenticate your application workload with Consul:
- Principle of least privilege: bind each workload identity to only the ACL policies and intentions it needs, so a certificate or token grants the minimum capabilities required.
- Secure storage: keep your certificates and tokens secure, ideally in a secrets management solution such as Vault.
- Monitoring: enable logging and metrics to track authentication and authorization activity.
Next steps
In this section of Secure applications, you learned about the benefits of using TLS to authenticate your application workloads and how Vault and Consul enable this use case. Authenticate workloads with TLS is part of the Secure systems pillar.