DevOps Exchange London – Network Security at Monzo
Oliver Beattie
January 26, 2017
Transcript
Oliver Beattie @obeattie Head of Engineering, Monzo
Pre-application: 9 months; Application: 6 months; Mobilisation: 4–8 months
Isolation Authentication
k8s-master Availability Zone A Availability Zone B Availability Zone C
admin user data k8s-worker dmz
k8s-master Availability Zone A Availability Zone B Availability Zone C
k8s-worker dmz
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: com.monzo.mastercard.proxy
spec:
  # Pods this policy applies to
  podSelector:
    matchLabels:
      stage: prod
      routing-name: com.monzo.mastercard.proxy
  ingress:
  # Only the processor pods may connect, and only on TCP port 80
  - from:
    - podSelector:
        matchLabels:
          stage: prod
          routing-name: com.monzo.mastercard.processor
    ports:
    - protocol: TCP
      port: 80
“Cluster-aware” netfilter/iptables under the hood; Filtering at “both ends”; No control over egress; Only understands TCP/UDP; Proxies
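How the policy above decides individual connection attempts, as an added example that is not from the talk or Monzo's code. It assumes only matchLabels selectors and numeric protocol/port pairs; the `com.example.other` pod and the `staging` stage value are constructed for illustration.

```python
# Added example: ingress evaluation for one NetworkPolicy (matchLabels and
# numeric protocol/port pairs only; other selector kinds are not modelled).
POLICY = {"spec": {  # the slide's policy as a dict
    "podSelector": {"matchLabels": {
        "stage": "prod", "routing-name": "com.monzo.mastercard.proxy"}},
    "ingress": [{
        "from": [{"podSelector": {"matchLabels": {
            "stage": "prod",
            "routing-name": "com.monzo.mastercard.processor"}}}],
        "ports": [{"protocol": "TCP", "port": 80}],
    }],
}}


def selects(selector, labels):
    """True when every matchLabels pair is present on the pod."""
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def evaluate(policy, src_labels, dst_labels, protocol, port):
    """Return 'not-selected', 'allow' or 'deny' for one connection attempt."""
    spec = policy["spec"]
    if not selects(spec["podSelector"], dst_labels):
        return "not-selected"  # this policy says nothing about the destination
    for rule in spec.get("ingress", []):
        peers, ports = rule.get("from"), rule.get("ports")
        # An empty or missing 'from' / 'ports' matches all sources / all ports.
        peer_ok = not peers or any(
            selects(p["podSelector"], src_labels)
            for p in peers if "podSelector" in p)
        port_ok = not ports or any(
            p.get("protocol", "TCP") == protocol and p.get("port") == port
            for p in ports)
        if peer_ok and port_ok:
            return "allow"
    return "deny"


# Constructed sample pods.
PROCESSOR = {"stage": "prod", "routing-name": "com.monzo.mastercard.processor"}
PROXY = {"stage": "prod", "routing-name": "com.monzo.mastercard.proxy"}
OTHER = {"stage": "prod", "routing-name": "com.example.other"}
STAGING = {"stage": "staging", "routing-name": "com.monzo.mastercard.processor"}

if __name__ == "__main__":
    for name, src in [("processor", PROCESSOR), ("other", OTHER), ("staging", STAGING)]:
        print(name, "->", evaluate(POLICY, src, PROXY, "TCP", 80))
```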
Isolation Authentication
Host A Host B Service A linkerd Service B linkerd
CA CA CA Vault
Secret management; Message signing; Transaction authorisation; Secure build; Audit logging
WAN tunnels
IPSec StrongSwan (IPSec) Hardware VPN device Services Services Services AWS
Co-location Third parties
monzo.com/careers
& Questions
@obeattie