In a Zero Trust architecture we do not trust the internal network. Even an attacker who already has a foothold inside your VPC should not be able to talk to your services just because they can reach them. Mutual TLS (mTLS) is the building block for this: it gives every connection a cryptographically verified identity at both ends, so a service decides whom it talks to based on who the peer is, not on which network the packet arrived from.
In ordinary TLS (HTTPS) only the client verifies the server. In mutual TLS the server ALSO verifies the client: both sides present a certificate and prove possession of the matching private key during the handshake. Every microservice gets its own certificate, issued by an internal certificate authority (CA) that all services trust, and the certificate encodes the workload's identity (in a mesh this is typically a SPIFFE ID such as `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`). If Service A cannot present a certificate chaining to that CA, Service B rejects the connection during the TLS handshake, before a single request byte is read. The flip side: a certificate proves identity, not intent. mTLS by itself is authentication; deciding which identities may call which service is a separate authorization policy.
Managing thousands of certificates by hand does not scale. A **Service Mesh** (Istio or Linkerd) handles mTLS for you: a sidecar proxy next to each pod obtains a short-lived certificate bound to the pod's service account identity, rotates it automatically before it expires, and terminates mTLS on both ends of every connection, so all in-cluster traffic is encrypted and authenticated with zero application code changes. Two things to verify rather than assume: that the mesh requires mTLS instead of merely offering it (Istio's default PeerAuthentication mode is PERMISSIVE, which still accepts plaintext from unmeshed callers), and that an authorization policy restricts which identities may call each service, because handing everyone a valid certificate still lets everyone talk to everyone.
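The two Istio policies that turn "the mesh issues certificates" into "the mesh enforces identity", as an added example that is not part of the original page. The namespace `default`, the pod label `app: service-b` and the service account `service-a` are assumed names; the resource kinds and fields are Istio's own.

```yaml
# Mesh-wide: require mTLS. Without this, Istio's default mode is PERMISSIVE,
# which still accepts plaintext from callers outside the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace makes this policy apply to every workload
spec:
  mtls:
    mode: STRICT
---
# mTLS only proves who is calling. This policy says which verified identity
# may call Service B; once an ALLOW policy selects a workload, everything it
# does not list is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-callers
  namespace: default
spec:
  selector:
    matchLabels:
      app: service-b        # assumed label on Service B's pods
  action: ALLOW
  rules:
  - from:
    - source:
        # Service A's identity: its Kubernetes service account, as the mesh
        # encodes it in the client certificate (assumed names)
        principals: ["cluster.local/ns/default/sa/service-a"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

The first resource is what closes the plaintext hole; the second is what gives you micro-segmentation. Apply one without the other and you have either encryption without access control, or an access control list that an unmeshed plaintext caller can walk around.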
Q: "Why use mTLS if my services are already behind a firewall?"
Architect Answer: "Firewalls have a 'Hard Shell, Soft Center' problem. Once one service is compromised (say through a vulnerable dependency), the attacker can hop to any other service the network lets them reach, because the network only knows about addresses, not identities. mTLS plus identity-based authorization gives you **Micro-segmentation**. Be precise about the mechanism: an attacker who controls Service A holds A's certificate, so they can still make the calls A is allowed to make, but nothing more. Service B's policy admits only the identities that legitimately call it, so the attacker cannot reach B unless A was already allowed to, and any tooling they bring that has no valid mesh certificate is dropped at the TLS handshake. The blast radius shrinks from 'the whole network' to 'what the compromised identity was permitted to do'."
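The handshake and the authorization decision described above, as an added example written for this page in Go (not code from the page or from any mesh project). It builds an in-memory internal CA, issues one certificate per workload with an Istio-style SPIFFE ID in the URI SAN, starts a "Service B" that requires client certificates and keeps an allow-list of caller identities, and then makes the three calls the answer discusses: attacker tooling with no certificate, Service A (allowed), and Service C (a valid mesh identity that B does not accept). The trust domain `cluster.local`, the service account names, the loopback port and the `OK`/`FORBIDDEN` reply protocol are all assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a P-256 key and certifies tmpl with parent; parent == nil yields a self-signed CA.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour) // short-lived
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// startServiceB serves mTLS: callers need a cert chaining to pool (authentication); only identities in allowed get "OK" (authorization).
func startServiceB(pool *x509.CertPool, cert tls.Certificate, allowed map[string]bool) (string, func() error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:    pool,
	})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // else: no cert, or not signed by our CA; dropped before any request byte
				reply := "FORBIDDEN" // every cert our CA issues carries exactly one SPIFFE URI SAN
				if allowed[tc.ConnectionState().PeerCertificates[0].URIs[0].String()] {
					reply = "OK"
				}
				tc.Write([]byte(reply))
			}
			tc.Close()
		}
	}()
	return ln.Addr().String(), ln.Close
}

// call connects to Service B as a client; with no certs it models attacker tooling that has no mesh identity.
func call(addr string, pool *x509.CertPool, certs ...tls.Certificate) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "service-b", Certificates: certs})
	if err != nil {
		return "rejected: " + err.Error()
	}
	defer conn.Close()
	buf := make([]byte, 16)
	n, err := conn.Read(buf) // under TLS 1.3 a refused client cert surfaces here as an alert from the server
	if n == 0 && err != nil {
		return "rejected: " + err.Error()
	}
	return string(buf[:n])
}

// RunDemo builds the CA and three workloads, then makes the three calls discussed in the text.
func RunDemo() (noCert, fromA, fromC string) {
	ca, caKey := sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "internal-mesh-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	issue := func(serial int64, sa string, dns ...string) tls.Certificate { // Istio-style SPIFFE ID, hypothetical trust domain
		id := &url.URL{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/" + sa}
		c, k := sign(&x509.Certificate{SerialNumber: big.NewInt(serial), URIs: []*url.URL{id}, DNSNames: dns,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, caKey)
		return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
	}
	addr, stop := startServiceB(pool, issue(2, "service-b", "service-b"), map[string]bool{"spiffe://cluster.local/ns/default/sa/service-a": true})
	defer stop()
	return call(addr, pool), call(addr, pool, issue(3, "service-a")), call(addr, pool, issue(4, "service-c"))
}

func main() {
	noCert, fromA, fromC := RunDemo()
	fmt.Printf("no cert: %s\nservice-a: %s\nservice-c: %s\n", noCert, fromA, fromC)
}
```

Run it with `go run .`: the caller without a certificate is reported as `rejected: ...` (the handshake never completes, so there is no reply to read), Service A gets `OK`, and Service C gets `FORBIDDEN` even though its certificate verifies perfectly. That third case is the one the interview answer hinges on: a valid mesh identity is necessary to reach B, but the allow-list on the verified SPIFFE ID is what actually segments the two services.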