Prev Next

API / Microservices Design Patterns Interview Questions

What is the Mutual TLS (mTLS) pattern for service-to-service authentication?

Mutual TLS (mTLS) extends standard one-way TLS by requiring both sides of a connection to present and verify X.509 certificates. In a microservices context it provides two things simultaneously: an encrypted channel (confidentiality and integrity) and verified service identity (authentication) — without any application-level token or API key. The services prove who they are via their certificates, issued by a trusted internal Certificate Authority.

Standard TLS vs mTLS:

  • Standard (one-way) TLS — only the server presents a certificate. The client verifies the server's identity but the server does not verify the client. Used for browser-to-server HTTPS.
  • mTLS — both client and server present certificates. Each side verifies the other's certificate against a shared CA. This proves the client is a legitimate service instance, not just any caller that can reach the network.
# Istio PeerAuthentication — enforce STRICT mTLS in a namespace
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT     # reject any plaintext or one-way TLS traffic
---
# Istio automatically rotates certificates via its Citadel CA.
# Envoy sidecars handle the TLS handshake transparently.
# Application code sees plain HTTP internally — zero code changes.

In a service mesh (Istio, Linkerd), mTLS is fully transparent to application code: the sidecar proxy handles the TLS handshake using certificates provisioned by the control-plane CA. Certificates are short-lived (e.g., 24 hours) and rotated automatically, eliminating the risk of a compromised long-lived credential.

mTLS is the recommended pattern for east-west (service-to-service) authentication within a cluster. It replaces shared API keys and static secrets with cryptographic identity tied to a specific service workload.

How does mTLS differ from standard (one-way) TLS in terms of certificate presentation?
What Istio resource is used to enforce strict mTLS between all services in a namespace?

Invest now in Acorns!!! 🚀 Join Acorns and get your $5 bonus!

Invest now in Acorns!!! 🚀
Join Acorns and get your $5 bonus!

Earn passively and while sleeping

Acorns is a micro-investing app that automatically invests your "spare change" from daily purchases into diversified, expert-built portfolios of ETFs. It is designed for beginners, allowing you to start investing with as little as $5. The service automates saving and investing. Disclosure: I may receive a referral bonus.

Invest now!!! Get Free equity stock (US, UK only)!

Use Robinhood app to invest in stocks. It is safe and secure. Use the Referral link to claim your free stock when you sign up!.

The Robinhood app makes it easy to trade stocks, crypto and more.

Webull! Receive free stock by signing up using the link: Webull signup.

More Related questions...

What is the Decompose by Business Capability pattern and how do you identify business capabilities? What is the Decompose by Subdomain pattern and how does it relate to DDD Bounded Contexts? What is the Strangler Fig pattern and when should you use it to migrate a monolith? What is the Anti-Corruption Layer (ACL) pattern in microservices? What is the Branch by Abstraction pattern for incremental migration? What is the Parallel Run pattern and how does it reduce migration risk? What is the Bulkhead decomposition pattern and how does it isolate failure domains? What is the Database per Service pattern and what problem does it solve? What is the Shared Database anti-pattern and why should it be avoided in microservices? What is the Saga pattern and how does it manage distributed transactions across microservices? What is the difference between Choreography-based and Orchestration-based Sagas? What is CQRS (Command Query Responsibility Segregation) and when should you use it? What is Event Sourcing and how does it complement CQRS? What is the API Composition pattern for querying data across services? What is the Outbox Pattern and how does it solve the dual-write problem? What is the Saga rollback / compensating transaction pattern? What is the API Gateway pattern and what responsibilities should it have versus a BFF? What is the Backend for Frontend (BFF) pattern and when does it replace a general API Gateway? What is the Service Mesh pattern and how do data-plane proxies such as Envoy implement it? What is the Message Broker pattern and how does it enable asynchronous microservice communication? What is the Request-Reply (Correlation ID) pattern for async messaging? What is the Idempotent Consumer pattern and why is it essential in event-driven systems? What is the Event-Driven Architecture pattern and how does it differ from synchronous request/response? What is Gateway Aggregation versus Gateway Routing versus Gateway Offloading? How does the Circuit Breaker pattern work and what are its three states? What is the Retry pattern with exponential backoff and jitter, and when should you NOT retry? What is the Timeout pattern and how does it prevent cascading failures? What is the Bulkhead pattern for resource isolation (thread pools, connection pools)? What is the Health Check API pattern and what should a /health endpoint return? What is the Rate Limiting pattern and what algorithms are commonly used? What is the Fallback pattern and how does it relate to the Circuit Breaker? What is the Throttling pattern and how does it differ from Rate Limiting? What is the Log Aggregation pattern and how does a centralised logging pipeline work? What is the Application Metrics pattern and what is the difference between push and pull metric collection? What is the Audit Logging pattern and what events should always be captured? What is the Distributed Tracing pattern and how do trace context headers propagate across services? What is the Access Token pattern (JWT/OAuth2) for service-to-client authentication? What is the Mutual TLS (mTLS) pattern for service-to-service authentication? What is the Secrets Management pattern and how do tools like Vault or AWS Secrets Manager implement it? What is the Sidecar pattern and what responsibilities does a sidecar container take on? What is the Ambassador pattern and how does it proxy outbound traffic for a service? What is the Adapter pattern in the context of microservice containers? What is the Canary Deployment pattern and how does it differ from Blue-Green deployment? What is the Service Registry and Discovery pattern — client-side versus server-side discovery? What is the Self Registration versus Third-Party Registration pattern for service discovery?
Show more question and Answers...

BigData

Comments & Discussions

Interviews Questions

About Javapedia.net

Javapedia.net is for Java and J2EE developers, technologist and college students who prepare of interview. Also this site includes many practical examples.

This site is developed using J2EE technologies by Steve Antony, a senior Developer/lead at one of the logistics based company.

contact: javatutorials2016[at]gmail[dot]com

Kindly consider donating for maintaining this website. Thanks.

Copyright © 2026, javapedia.net, all rights reserved. privacy policy.

DMCA.com Protection Status