For interservice calls a firewall is much more secure than any auth system, way less vectors of attack. Encrypted transport on public networks should be a given anyway, although if you have a private network then that is unnecessary also.
The only place auth is needed is for services that interact with users, and that works well in the microservice philosophy having an auth service which talks to all services as in user <-> service <-> auth
You can scale the auth system indirectly to the other services, and since auth is required almost everywhere means that you'll have a large part of your resources devoted to that.
Where it gets interesting is when you use external microservices for auth like stormpath - is it a good idea to talk to that directly, or use a mediation auth service of your own - I usually prefer the 2nd method since while there is an extra hop - it makes the api more static and allows you to swap out what your app uses for auth much more easily.
Given what we now know post Snowden, it's certainly advisable to encrypt internal transports whenever possible.
As an additional example, lots of people tend to mistake MPLS as being encrypted as opposed to just being a private network so it's definitely advisable to make sure traffic is encrypted whenever possible inside or out.
The only place auth is needed is for services that interact with users, and that works well in the microservice philosophy having an auth service which talks to all services as in user <-> service <-> auth
You can scale the auth system indirectly to the other services, and since auth is required almost everywhere means that you'll have a large part of your resources devoted to that.
Where it gets interesting is when you use external microservices for auth like stormpath - is it a good idea to talk to that directly, or use a mediation auth service of your own - I usually prefer the 2nd method since while there is an extra hop - it makes the api more static and allows you to swap out what your app uses for auth much more easily.