MDPN23/secure-grpc-gateway

🛡️ Adaptive Zero Trust gRPC Gateway

An advanced network security architecture implementing a Zero Trust model for microservices communication.

This project demonstrates strict identity verification using Mutual TLS (mTLS) and Envoy Proxy as a secure sidecar gateway protecting a Node.js gRPC backend service.

Developed as a Proof of Concept (PoC) for Advanced Network Security Architecture.


🏗️ Architecture Overview

This system follows the "Assume Breach" philosophy.

The core backend service is completely isolated and cannot be accessed directly from the public network. Every request must pass through the Envoy Gateway, which enforces security policies at Layer 4 and Layer 7 before traffic reaches the application layer.

Request Flow

  1. Client / Partner Application

    • Initiates a gRPC request
    • Sends a trusted digital certificate (client.crt)
  2. Envoy Proxy (Zero Trust Gateway)

    • Terminates the mTLS connection
    • Validates client certificates against the trusted Root CA
    • Rejects unauthenticated traffic immediately during TLS handshake
  3. gRPC Backend Server (Node.js)

    • Runs core business logic
    • Only accepts verified traffic forwarded internally by Envoy through Docker network isolation

🛠️ Technology Stack

Layer                  | Technology
-----------------------|-----------------------------------------------
Infrastructure         | Docker & Docker Compose
Security Gateway       | Envoy Proxy
Backend Service        | Node.js + TypeScript
Communication Protocol | gRPC (HTTP/2 + Protocol Buffers)
Cryptography           | OpenSSL (Custom Root CA & X.509 Certificates)

🚀 Getting Started

Prerequisites

Make sure the following tools are installed:

  • Docker
  • Docker Compose
  • Node.js v20+
  • npm
  • OpenSSL

🔐 Step 1 — Generate mTLS Certificates

Security Note

Certificate files (.crt, .key) are intentionally excluded using .gitignore to prevent credential leakage.

You must generate your own local Certificate Authority (CA) and certificates before running the project.

cd certs

chmod +x generate.sh
./generate.sh

cd ..

🧱 Step 2 — Start the Zero Trust Gateway

Run Envoy Proxy and the isolated gRPC backend using Docker Compose.

docker-compose up --build -d

The gRPC backend runs internally on port 50051 and is NOT exposed to the host machine.

Only Envoy Gateway is publicly exposed on port 8080.


📦 Step 3 — Install Dependencies

Install required packages for the gRPC client testing script.

npm install

🧪 Step 4 — Test Authorized Access

Simulate a trusted partner application sending an authenticated request through the Zero Trust Gateway.

npx ts-node client/client.ts

Expected Output

🚀 Sending TransferFunds request via Zero Trust Gateway...

✅ SERVER RESPONSE:
{
  success: true,
  message: 'Transfer successfully verified by Core Banking System.',
  transaction_id: 'TXN-XXXXXX'
}

🛑 Demonstrating Zero Trust Enforcement

Any attempt to reach the gateway without a valid mTLS certificate is rejected immediately by Envoy Proxy, before the request reaches the backend.

Example using cURL:

curl -v http://localhost:8080

Expected Result

Connection reset by peer

or

Connection refused
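Step 1 above relies on certs/generate.sh, whose contents are not shown, and the rejection demonstration shows only the client-side symptom. The following added example (written for this README, not the repository's own script) builds the same kind of local Root CA and client certificate with OpenSSL and runs the chain-of-trust check that Envoy's client-certificate validation against the trusted CA relies on, so a certificate issued by any other CA fails it. The file names, subjects and the second "rogue" CA are assumptions; the script needs only openssl.

```shell
# Added example (not the repository's certs/generate.sh): create a local Root CA,
# issue a client certificate from it, and apply the trust check Envoy performs on
# a client certificate during the mTLS handshake: does it chain to the trusted
# CA? File names, subjects and the rogue-CA scenario are assumptions.
set -eu

# Minimal req config so the extensions do not depend on the host's openssl.cnf.
write_config() {
  cat >"$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
# make_ca DIR NAME CN: self-signed root CA -> DIR/NAME.crt and DIR/NAME.key
make_ca() {
  openssl req -x509 -config "$1/ca.cnf" -subj "/CN=$3" -newkey rsa:2048 \
    -nodes -days 365 -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
# make_client DIR CA NAME CN: client cert DIR/NAME.crt issued by DIR/CA.crt
make_client() {
  openssl req -new -config "$1/ca.cnf" -subj "/CN=$4" -newkey rsa:2048 \
    -nodes -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/ca.cnf" -extensions leaf_ext -days 365 \
    -out "$1/$3.crt" 2>/dev/null
}
# trust_check CA_CRT CLIENT_CRT: succeeds only if CLIENT_CRT chains to CA_CRT.
trust_check() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# demo DIR: a partner cert from the trusted CA passes; one from another CA fails.
demo() {
  mkdir -p "$1" && write_config "$1"
  make_ca "$1" ca "Zero Trust Root CA"      # the CA Envoy is configured to trust
  make_client "$1" ca client "partner-app"
  make_ca "$1" rogue-ca "Unrelated CA"      # a CA Envoy does not trust
  make_client "$1" rogue-ca rogue-client "unverified-app"
  trust_check "$1/ca.crt" "$1/client.crt" && echo "client.crt: accepted"
  trust_check "$1/ca.crt" "$1/rogue-client.crt" || echo "rogue-client.crt: rejected"
}
command -v openssl >/dev/null 2>&1 && demo "${1:-./mtls-demo}"
```

Point Envoy's trusted CA at the generated ca.crt and only certificates issued by that CA (client.crt here) pass the handshake; the cURL test above fails earlier still, because a plaintext HTTP request never completes a TLS handshake at all.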

🔒 Security Features

  • Mutual TLS (mTLS) authentication
  • Zero Trust network enforcement
  • Service isolation using Docker networks
  • Certificate-based identity verification
  • Envoy Layer 4 / Layer 7 traffic filtering
  • Internal backend segmentation
  • Unauthorized traffic rejection at handshake level

📁 Project Structure

.
├── certs/                 # Certificate Authority & generated certificates
├── client/                # gRPC testing client
├── envoy/                 # Envoy configuration
├── proto/                 # Protocol Buffer definitions
├── server/                # Node.js gRPC backend
├── docker-compose.yml
└── README.md

📝 License

This project is licensed under the MIT License.

Feel free to use, modify, and distribute for educational or research purposes.
