by BillinghamJ 3856 days ago
That assumes you have complete trust and confidence in the integrity and security of every single process running within your internal network.

I personally prefer to maintain a "need to know" approach to communication between all systems on my network (including services, databases, infrastructure).

This means that, for example, if my public-facing vehicle lookup service is compromised, my users' data is still a long way away. This is enforced by: (1) not providing an address to the service, (2) not providing the keys/passwords required to authenticate with the service.

Not doing authorization internally means that the moment a single process running on your network is compromised (which almost certainly is possible), your attacker now has access to the entirety of your system, and you're fucked.

Also, the overheads can be extremely low - to the point that they're not noticeable. It just depends how you do it.
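
Added example, not part of the comment above: a sketch of "need to know" authorization between internal services, where a callee authenticates each caller with a per-service HMAC key and then checks a grant table. The service names, keys, operation strings and the `sign`/`authorize` helpers are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: names, keys and grants are assumptions for this example.
# Each service process is provisioned with its own key only.
SERVICE_KEYS = {
    "vehicle-lookup": b"demo-key-vehicle-lookup",
    "billing": b"demo-key-billing",
}

# Need-to-know grants: the operations each caller is allowed to request.
GRANTS = {
    "vehicle-lookup": {"vehicle-db:read"},
    "billing": {"user-data:read"},
}


def sign(caller: str, operation: str, key: bytes) -> str:
    """Caller side: MAC over the claimed identity and the requested operation."""
    msg = f"{caller}\n{operation}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(caller: str, operation: str, tag: str) -> bool:
    """Callee side: authenticate the caller first, then check its grant.

    Replay protection (nonce or timestamp in the MAC) is left out to keep
    the example focused on the authorization decision.
    """
    key = SERVICE_KEYS.get(caller)
    if key is None:
        return False  # unknown service
    expected = sign(caller, operation, key)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False  # caller does not hold the key for the identity it claims
    return operation in GRANTS.get(caller, set())


if __name__ == "__main__":
    stolen = SERVICE_KEYS["vehicle-lookup"]  # all a compromised front end holds
    # Honest use of its own grant succeeds.
    print(authorize("vehicle-lookup", "vehicle-db:read",
                    sign("vehicle-lookup", "vehicle-db:read", stolen)))
    # Asking for user data under its own identity is denied by the grant table.
    print(authorize("vehicle-lookup", "user-data:read",
                    sign("vehicle-lookup", "user-data:read", stolen)))
    # Claiming to be billing fails authentication without billing's key.
    print(authorize("billing", "user-data:read",
                    sign("billing", "user-data:read", stolen)))
```

The per-request cost on the callee is one HMAC-SHA256 computation and a set lookup.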