Simply put, you could associate each microservice with some API key (some random string in the env var). And accept requests only if the request's

Authorization

header contains the API key