by zepolen 3856 days ago
You wouldn't want authorization for internal interservice calls, way too much overhead and a firewall is more secure.

That assumes you have complete trust and confidence in the integrity and security of every single process running within your internal network.

I personally prefer to maintain a "need to know" approach to communication between all systems on my network (including services, databases, infrastructure).

This means that, for example, if my public-facing vehicle lookup service is compromised, my users' data is still a long way away. This is enforced by: (1) not providing an address to the service, (2) not providing the keys/passwords required to authenticate with the service.

Not doing authorization internally means that the moment a single process running on your network is compromised (which almost certainly is possible), your attacker now has access to the entirety of your system, and you're fucked.

Also, the overheads can be extremely low - to the point that they're not noticeable. It just depends how you do it.
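The "need to know" arrangement described in the comment above, as an added example that is not part of the original thread: each caller holds only its own key, and the receiving service checks an HMAC tag plus a per-caller route allowlist. Service names, routes, keys and the header layout are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample data: hypothetical service names, keys and routes.
SERVICE_KEYS = {
    "vehicle-lookup": b"constructed-key-vehicle-lookup",
    "billing": b"constructed-key-billing",
}
ALLOWED_ROUTES = {
    "vehicle-lookup": {"GET /vehicles"},
    "billing": {"GET /vehicles", "GET /users"},
}
MAX_SKEW_SECONDS = 30  # reject requests older or newer than this


def sign_request(caller, key, route, body, now=None):
    """Caller side: bind caller, route, timestamp and body hash into one tag."""
    ts = str(int(time.time() if now is None else now))
    msg = b"\n".join([caller.encode(), route.encode(), ts.encode(),
                      hashlib.sha256(body).digest()])
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"caller": caller, "route": route, "ts": ts, "tag": tag}


def verify_request(headers, body, now=None):
    """Receiver side: authenticate the caller, then authorize the route."""
    now = time.time() if now is None else now
    caller = headers.get("caller", "")
    route = headers.get("route", "")
    key = SERVICE_KEYS.get(caller)
    if key is None:
        return False, "unknown caller"
    try:
        ts = int(headers.get("ts"))
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = sign_request(caller, key, route, body, now=ts)["tag"]
    supplied = str(headers.get("tag", ""))
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    if route not in ALLOWED_ROUTES.get(caller, set()):
        return False, "route not permitted for caller"
    return True, "ok"
```

Per request the receiver pays for one SHA-256 over the body and one HMAC over a short message, which is the kind of low overhead the comment refers to.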

Firewall != AAA != encrypted transport

They have different usages; I wouldn't say one is more secure than the other.

For interservice calls a firewall is much more secure than any auth system, way fewer vectors of attack. Encrypted transport on public networks should be a given anyway, although if you have a private network then that is unnecessary also.

The only place auth is needed is for services that interact with users, and that works well in the microservice philosophy having an auth service which talks to all services as in user <-> service <-> auth

You can scale the auth system indirectly to the other services, and since auth is required almost everywhere, that means you'll have a large part of your resources devoted to that.

Where it gets interesting is when you use external microservices for auth like Stormpath - is it a good idea to talk to that directly, or use a mediation auth service of your own - I usually prefer the 2nd method since while there is an extra hop - it makes the API more static and allows you to swap out what your app uses for auth much more easily.

I disagree.

Given what we now know post-Snowden, it's certainly advisable to encrypt internal transports whenever possible.

As an additional example, lots of people tend to mistake MPLS as being encrypted as opposed to just being a private network, so it's definitely advisable to make sure traffic is encrypted whenever possible inside or out.

Good point.