For my pet project I've decided on a services based architecture (yeah the buzzword SOA) because I can scale each service independent of others, distribute them geographically where they will be used more than other services, etc.
The trick is that some of the services need to communicate privately with each other (and publicly with end-users). These services will be located in distinct data centers without any built-in private pipe between them (I think SoftLayer has such).
I care little if the communication is a little slow due to encryption. I mostly care about MITM attacks and eavesdropping. That is, I want the services to be confident that they are talking with a friend service and not some impostor.
The options for such inter-service communication as I see them are:
- HTTP with TLS
- TCP/IP (some custom protocol) with TLS
- Spread Toolkit (not sure about encryption here)
- HTTP or custom TCP/IP over SSH tunnel
- create a VPN between the data centers
- client certificates? mutual verification of certificates?
Clearly I've a lot of mumbo jumbo in my head. Help!
What do you think? Have you done this previously? What are your experiences? What "works well"?
If you choose VPN, which VPN system do you recommend? OpenVPN? How are temporary network partitions handled with such VPN systems? Do they auto-heal/reconnect?
I suppose the VPN solution will encrypt all connections but I just want some connections to be encrypted. Perhaps a SSH tunnel is in order then.
Thanks for your advice.