There are two approaches to Microservices security
Keep the private microservices on an externally unroutable private shared sub-domain. Private services can only be accessed among themselves and from public microservices. Inbound security is implemented by adding a HAProxy acting as a layer 7 HTTP filter behind the public ELB. Egress security is configured with PCF Application security groups.
Leverage Spring-cloud-Zuul + spring-security-oauth2 to secure microservices reverse proxied by Zuul. The API calls proxied by Zuul are protected using the OAuth2 protocol. Zuul proxied APIs can be protected using any security mechanism - not just Spring-Security. Spring security makes it easier to protect resources with less boilerplate.
The software based approach is explained in