I have a bunch of microservices inside a VPC behind an ALB in AWS. They receive API requests from UI, hosted on CloudFront and make API calls internally.
Currently, authentication is enforced on ALB through OIDC for ALL API calls.
I am thinking to keep the auth for requests coming from UI, but not when it is coming from a MS to another MS. Since they are inside VPC, they are already protected.
Is it right ? If yes, how to achieve that ?