Microservicesmedium

mTLS between services: what does it protect and what does it NOT protect?

Answer

mTLS encrypts traffic and authenticates both sides (service identity), which helps prevent impersonation and sniffing. It does NOT solve authorization by itself (what a service is allowed to do), and it doesn’t replace input validation or business-level security rules.

Advanced answer

Deep dive

Expanding on the short answer — what usually matters in practice:

Context (tags): microservices, security, mtls, service-to-service
Scaling: what scales horizontally vs vertically, where bottlenecks appear.
Reliability: retries/circuit breakers/idempotency, observability (logs/metrics/traces).
Evolution: keep changes cheap (boundaries, contracts, tests).
Explain the "why", not just the "what" (intuition + consequences).
Trade-offs: what you gain/lose (time, memory, complexity, risk).
Edge cases: empty inputs, large inputs, invalid inputs, concurrency.

Examples

A tiny example (an explanation template):

// Example: discuss trade-offs for "mtls-between-services:-what-does-it-protect-and-"
function explain() {
  // Start from the core idea:
  // mTLS encrypts traffic and authenticates both sides (service identity), which helps prevent
}

Common pitfalls

Too generic: no concrete trade-offs or examples.
Mixing average-case and worst-case (e.g., complexity).
Ignoring constraints: memory, concurrency, network/disk costs.

Interview follow-ups

When would you choose an alternative and why?
What production issues show up and how do you diagnose them?
How would you test edge cases?