Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevOps Exchange London – Network Security at Monzo

Oliver Beattie
January 26, 2017
Technology
0
240

DevOps Exchange London – Network Security at Monzo

Oliver Beattie

January 26, 2017
Tweet

More Decks by Oliver Beattie

See All by Oliver Beattie
Anatomy of a Production Kubernetes Outage – Kubecon EU 2018
obeattie
4
4.5k
Building a Bank with Kubernetes – Kubecon 2016
obeattie
1
570
Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016
obeattie
10
47k

Other Decks in Technology

See All in Technology
Multitenant 23ai の全貌 - 機能・設計・実装・運用からマイクロサービスまで
oracle4engineer
PRO
2
160
こんなデータマートは嫌だ。どんな? / waiwai-data-meetup-202504
shuntak
2
490
Tokyo dbt Meetup #13 dbtと連携するBI製品&機能ざっくり紹介
sagara
0
310
SRE NEXT CfP チームが語る 聞きたくなるプロポーザルとは / Proposals by the SRE NEXT CfP Team that are sure to be accepted
chaspy
1
310
Road to SRE NEXT@仙台 IVRyの組織の形とSLO運用の現状
abnoumaru
1
450
問題解決に役立つ数理工学
recruitengineers
PRO
8
2.4k
SSH公開鍵認証による接続 / Connecting with SSH Public Key Authentication
kaityo256
PRO
2
250
お問い合わせ対応の改善取り組みとその進め方
masartz
1
580
OPENLOGI Company Profile for engineer
hr01
1
23k
Startups On Rails 2025 @ Tropical on Rails
irinanazarova
0
170
GitHub MCP Serverを使って Pull Requestを作る、レビューする
hiyokose
2
560
滑らかなユーザー体験も目指す注文管理のマイクロサービス化〜注文情報CSVダウンロード機能の事例〜
demaecan
0
130

Featured

See All Featured
It's Worth the Effort
3n
184
28k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.4k
Thoughts on Productivity
jonyablonski
69
4.5k
Building Adaptive Systems
keathley
41
2.5k
Bash Introduction
62gerente
611
210k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.4k
KATA
mclloyd
29
14k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
135
33k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.9k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.2k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k

Transcript

  1. Oliver Beattie @obeattie Head of Engineering, Monzo

  2. None
  3. None
  4. None
  5. None
  6. None

  7. Pre-application 9 months Application 6 months Mobilisation 4–8 months

  8. Isolation Authentication

  9. Isolation Authentication

  10. k8s-master Availability Zone A Availability Zone B Availability Zone C

    admin user data k8s-worker dmz

  11. k8s-master Availability Zone A Availability Zone B Availability Zone C

    k8s-worker dmz
  12. None
  13. None

  14. +

  15. apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: com.monzo.mastercard.proxy spec: podSelector: matchLabels:

    stage: prod routing-name: com.monzo.mastercard.proxy ingress: - from: - podSelector: matchLabels: stage: prod routing-name: com.monzo.mastercard.processor ports: - protocol: tcp port: 80

  16. “Cluster-aware” netfilter/iptables under the hood Filtering at “both ends” No

    control over egress Only understands TCP/UDP Proxies

  17. Isolation Authentication

  18. Host A Host B Service A linkerd Service B linkerd

  19. Host A Host B Service A linkerd Service B linkerd

  20. Host A Host B Service A linkerd Service B linkerd

    CA CA CA Vault

  21. Secret management Message signing Transaction authorisation Secure build Audit logging

    WAN tunnels

  22. IPSec StrongSwan (IPSec) Hardware VPN device Services Services Services AWS

    Co-location Third parties

  23. monzo.com/careers

  24. & Questions

  25. @obeattie