Introduction

gRPC (gRPC Remote Procedure Call) is a protocol that is gaining a lot of traction in the microservices world and is becoming a popular alternative for developers to use instead of REST (representational state transfer). Many organizations are trying to adopt gRPC, and technology blog sites are abuzz with chatter about choosing between REST and gRPC APIs.

Recently, F5 Labs learned that a large organization had challenges with gRPC-enabled applications aligning to the Zero Trust security model, as many conventional security tools do not cover gRPC as a protocol. So, we at F5 Labs decided to write a demo gRPC application to boost understanding and to test some of the security controls. This article briefly introduces gRPC and shares details on setting up a vulnerable demo application.

What is gRPC?

A remote procedure call (RPC) is used by a program to call a subroutine that is available on another computer as though it were available locally. To support different kinds of clients, RPCs use an interface description language (IDL). gRPC is the latest iteration of RPC. It uses HTTP/2 for transport and Protocol Buffers (protobufs) (alternate data formats like JSON can be used) as the IDL. Protocol Buffers is a mechanism for serializing structured data useful for transmitting or storing. It produces compact binary messages.

The website grpc.io defines gRPC as a modern, open source remote procedure call framework that can run anywhere. It enables client–server applications to communicate transparently and makes it easier to build connected systems. It is a Cloud Native Computing Foundation (CNCF) project and is used by several organizations like Google, Netflix, Docker, and others.

The sample architecture in Figure 1 shows a cluster of gRPC servers communicating with a gRPC client.