Announcing Tetrate Application Gateway

Simple, secure, and self-service infrastructure to publish apps across deployment environments, including Kubernetes clusters, VMs, clouds, and more.

Today, we are excited to announce the technical preview of Tetrate Application Gateway! We are creating this new product in response to a recurring need expressed by platform teams:

“How can I provide a simple, secure, self-service process for my application owners to publish apps that spans multiple deployment environments, whether it’s Kubernetes clusters, VMs, clouds, on-prem, or all of the above?”

Platform teams face the challenge of balancing the self-service desire of application owners with a requirement to govern and control what apps may be published, further complicated by the number of infrastructure systems that must be coordinated for each change request.

At Tetrate, we have pioneered the use of Envoy to build large-scale platforms for some of the most demanding users. Our experience in building Envoy management and control planes with Envoy Gateway and Istio, while reconciling the needs of platform and application teams, has shown us a way forward to address this need.

Tetrate Application Gateway is the solution we present for modern platform teams that operate multi-cloud, multi-cluster environments and need to provide a streamlined experience to their application owners:

  • Platform teams can deliver a superior, simple application owner experience
  • Platform teams retain control, with automated approval processes, templates and guardrails
  • Integrations with firewalls, load balancers and other devices are simple, with no need for per-application configurations

The net benefit is that your application teams will be more responsive and productive. Applications can be deployed to production and exposed in a matter of minutes, not days. Troubleshooting and performance analysis data is always available to support rapid problem resolution and maintain high availability.

Current Platform Practices

Why is rapid delivery of code to production such a challenge?

Platform teams need to manage and coordinate a complex network of application delivery, security and discovery tooling. They need to build their own automation to support tasks such as publishing an application. They must battle with tools that carry built-in assumptions (for example, that every workload has a stable IP address), inconsistent APIs (every tool has its own control plane), and varying observability standards.

As a result, the application publishing process they build is slow and disjointed, resulting in a poor experience for application teams. Innovation and change are slowed, and responding to customer needs takes longer and is more costly.

For example:

  • A large fintech organization reports that it typically takes 1-2 weeks from sign-off (permission to publish) to publishing an application, requiring the coordination of multiple teams.
  • A manufacturing organization reports that when it exposes an application from an individual location (e.g. a manufacturing plant), it needs to coordinate over 200 firewalls and over 1 million IP-based firewall rules, significantly impacting its speed of delivery.
  • Many Tetrate users report that their existing observability and troubleshooting workflows are disjointed, as they need to collect and reconcile data across multiple management planes and vendor-specific solutions, leading to poor MTTR (mean time to recovery) metrics.

These examples can be viewed in the broader context of the Annual DORA State of DevOps report (co-authored with Google Cloud). The report surveys and classifies organizations into performance buckets, from ‘Elite’ to ‘Low’, based on metrics such as “Lead Time for Code Changes (that is, time from code commit to release in production)”:

(Figure: DORA DevOps Performance 2018 - 2024)

In 2024, a staggering 60% of surveyed organizations (Medium and Low) took more than a week to push a code change to production. Only 19% (the ‘Elite’) were able to do so in less than 1 day.

The Idealized Application Delivery Architecture

An idealized application delivery platform brings together multiple vendor solutions, and is often presented in a linear fashion:

(Figure: Idealized application delivery architecture)

Even in this idealized architecture, the problems are apparent:

  • Coordinating configuration for multiple devices across multiple teams (security, platform, security architecture, etc.)
  • Uncertainty, because some solutions (e.g. firewalls) are complex to configure and are not service-aware, meaning their configuration is imprecise
  • Risk of impacting other applications running on the infrastructure, or of opening security holes
  • Lack of end-to-end automation, meaning ticket-based operations and manual configuration

A Realistic Application Delivery Architecture

In practice, the platform is far from linear:

  • It scales horizontally as it spans multiple deployment environments across clouds and on-prem infrastructure
  • It multiplies in complexity as it considers how to support multiple application types: containers, VMs, bare metal, external services
  • The perimeter is challenging to police, as the platform must cater for external users, partner applications, internal users and internal East/West traffic

(Figure: Realistic application delivery architecture)

Each dimension of scale multiplies the complexity:

  • Multiple, uncontrolled Entry Points for different clients (internal, external, partner, mobile)
  • Multiple deployment environments (cloud, on-prem, hybrid)
  • Multiple Application Types (VM, Container, Serverless, Bare Metal, External Service,…)

… and each dimension brings additional requirements for segmentation and ownership.

The Result Is Expensive Complexity

Users we survey typically report symptoms such as:

  • Slow Rate of Change: we see deployments taking upwards of 7 days
  • Manual, Ticket-based Processes: automation does not cover everything, and checks and balances are needed
  • Frustrating Decision Process: too many questions, imperfect answers, too much coordination required; frustrating for App Owners and Developers
  • Inexact Security: despite the need for precise segmentation, security tools rely on IP addresses which identify environments, not workloads
  • Fragile Configuration: massively-shared configuration expressed in imprecise terms (IP ranges rather than workloads) means every change is fraught with danger

… all amplified further by the needs for segmentation, application mobility, HA/DR/resilience, and consistent observability.

Introducing Tetrate Application Gateway

Tetrate has over 6 years of experience in building large-scale application platforms for demanding customers, using Envoy as the data plane and Istio as the control plane. We pioneered a two-tier architecture using Edge (Tier 1) and Ingress (Tier 2) gateways to get traffic securely into those platforms.

Infrastructure

Tetrate Application Gateway builds on that proven foundation. With Tetrate Application Gateway, the current ‘middle layer’ from Edge to Application can be replaced by a single solution with a single control and observability plane:

(Figure: Realistic application delivery platform)

Tetrate Application Gateway can be deployed on top of the existing infrastructure, taking on the roles of firewalls, routers, API gateways and load balancers:

  • Edge Load Balancers publish apps securely for external access, providing a secure perimeter
  • Internal mesh routing based on service identity and mTLS provides security, segmentation and high availability
  • Transit Gateways connect disconnected environments securely and easily
  • App Gateways expose services to the mesh and provide the required API gateway and traffic management capabilities
  • DNS Integration coordinates DNS and GSLB configuration with application availability and health

Application Owner Experience

Contemporary infrastructure is invariably designed to meet the needs of the platform (infrastructure) owner. Tetrate Application Gateway takes a very different approach, delivering a streamlined application owner experience out-of-the-box.

Within the guardrails, defaults and approval checks defined by the platform owner, the application owner gets a fully self-service pipeline to expose and publish services for internal and external audiences. The pipeline is driven by service annotations, a familiar and easy-to-integrate interface to the platform:

(Figure: App owner experience)

Tetrate Application Gateway watches services for these intent-based annotations and synchronises infrastructure configuration so that the intent is satisfied. Kubernetes-based services are easily discovered and exposed, and other service types (VMs, bare metal, serverless, external endpoints) can be quickly onboarded to the platform.
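As an added illustration of the pattern just described (example code written for this page, not Tetrate's own implementation or API), the following Python sketch shows how an intent-driven reconciler can enforce platform-owner guardrails before it acts on an application owner's annotations. The annotation keys under example.tetrate.io/, the PlatformPolicy shape, the DNS record format, the sample Service and the sample policy are all assumptions; the HTTPRoute and AuthorizationPolicy structures follow the Kubernetes Gateway API and Istio schemas. It also shows the identity-based segmentation the post contrasts with IP-based rules: the generated AuthorizationPolicy admits callers by their mTLS-asserted SPIFFE principal, never by address.

```python
"""Toy intent-driven publishing reconciler (illustrative, not Tetrate's API).

An application owner annotates a Kubernetes Service with publishing intent; the
reconciler checks it against platform-owner guardrails and derives a Gateway API
HTTPRoute, a DNS record and an Istio AuthorizationPolicy keyed on workload identity.
Annotation keys, the policy shape and the DNS record format are assumptions.
"""
import re
from dataclasses import dataclass, field

# Hypothetical annotation keys (assumed for this example).
ANN_EXPOSE = "example.tetrate.io/expose"            # "internal" or "external"
ANN_HOST = "example.tetrate.io/hostname"            # hostname to publish under
ANN_EDGE = "example.tetrate.io/edge-gateway"        # edge gateway to publish through (external)
ANN_CALLERS = "example.tetrate.io/allowed-callers"  # "ns/serviceaccount,..." (internal)

HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


@dataclass
class PlatformPolicy:
    """Guardrails owned by the platform team; application owners cannot change them."""
    allowed_domains: tuple            # domains the platform owns, e.g. ("apps.example.com",)
    edge_gateways: dict               # name -> {"namespace", "address", "principal"}
    approved: set = field(default_factory=set)  # "ns/name" services cleared for external exposure


def principal(ns_sa: str) -> str:
    """Istio-style SPIFFE principal for a workload service account (cluster.local trust domain)."""
    ns, sa = ns_sa.strip().split("/", 1)
    return f"cluster.local/ns/{ns}/sa/{sa}"


def reconcile(service: dict, policy: PlatformPolicy) -> dict:
    """Validate a Service's intent annotations and derive the desired infrastructure state."""
    meta, spec = service["metadata"], service["spec"]
    ns, name = meta["namespace"], meta["name"]
    key, ann = f"{ns}/{name}", meta.get("annotations") or {}
    expose = ann.get(ANN_EXPOSE)
    if expose not in ("internal", "external"):
        raise ValueError(f"{key}: {ANN_EXPOSE} must be 'internal' or 'external'")
    host = ann.get(ANN_HOST, "")
    if not HOST_RE.match(host):
        raise ValueError(f"{key}: invalid hostname {host!r}")
    # Guardrail: only platform-owned domains, so one team cannot claim another's name.
    if not any(host == d or host.endswith("." + d) for d in policy.allowed_domains):
        raise ValueError(f"{key}: {host} is outside the platform-owned domains")
    dns = None
    if expose == "external":
        edge_name = ann.get(ANN_EDGE, "")
        edge = policy.edge_gateways.get(edge_name)
        if edge is None:
            raise ValueError(f"{key}: unknown or missing edge gateway {edge_name!r}")
        # Guardrail: external exposure is an approval step, not a self-service default.
        if key not in policy.approved:
            raise PermissionError(f"{key}: external exposure is awaiting platform approval")
        parent = {"name": edge_name, "namespace": edge["namespace"]}
        principals = [edge["principal"]]  # only the edge gateway's identity may reach the backend
        dns = {"name": host, "type": "CNAME", "target": edge["address"]}
    else:
        callers = [c for c in ann.get(ANN_CALLERS, "").split(",") if c.strip()]
        if not callers:  # deny by default: no allow-all when the owner names no callers
            raise ValueError(f"{key}: internal exposure requires {ANN_CALLERS}")
        parent = {"group": "", "kind": "Service", "name": name, "namespace": ns}  # mesh route
        principals = [principal(c) for c in callers]
    route = {
        "apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
        "metadata": {"name": name, "namespace": ns},
        "spec": {"parentRefs": [parent], "hostnames": [host],
                 "rules": [{"backendRefs": [{"name": name, "port": spec["ports"][0]["port"]}]}]},
    }
    # Identity-based policy: callers match on the mTLS-asserted principal, never on an IP.
    authz = {
        "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
        "metadata": {"name": f"{name}-callers", "namespace": ns},
        "spec": {"selector": {"matchLabels": spec["selector"]}, "action": "ALLOW",
                 "rules": [{"from": [{"source": {"principals": principals}}]}]},
    }
    return {"route": route, "dns": dns, "authz": authz}


# Constructed sample input: a Service annotated by an application owner.
SAMPLE_SERVICE = {
    "kind": "Service",
    "metadata": {"name": "orders", "namespace": "shop", "annotations": {
        ANN_EXPOSE: "external", ANN_HOST: "orders.apps.example.com", ANN_EDGE: "edge-eu"}},
    "spec": {"selector": {"app": "orders"}, "ports": [{"port": 8080}]},
}

# Constructed platform policy: one owned domain, one edge gateway, "shop/orders" already approved.
SAMPLE_POLICY = PlatformPolicy(
    allowed_domains=("apps.example.com",),
    edge_gateways={"edge-eu": {"namespace": "edge", "address": "edge-eu.lb.example.net",
                               "principal": "cluster.local/ns/edge/sa/edge-eu"}},
    approved={"shop/orders"},
)

if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(SAMPLE_SERVICE, SAMPLE_POLICY), indent=2))
```

Run it to print the derived objects for the sample Service. The two refusals worth noting are the ones a self-service pipeline most often gets wrong: external exposure is blocked until the platform team has approved the service, and an internal exposure that names no callers is rejected rather than defaulting to allow-all. A real controller would watch the API server and apply these objects; here they are returned as dicts so the guardrail logic can be exercised on its own.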

Bringing Together Platform Needs and Application Experience

With Tetrate Application Gateway, you will see:

  • Clear demarcation between platform and application owner jobs-to-be-done
  • Integrated security, routing, observability from Edge to Application
  • Fine-grained and dynamic security, based on service identity (not IP address)
  • Simple UX for application owners, using a pre-defined, declarative pipeline that the platform owner can tune
  • Rich, native integration with modern cloud-native tooling (observability, DNS, etc)

Application teams will be more responsive and productive. Applications can be deployed to production and exposed in a matter of minutes, not days. Troubleshooting and performance analysis are built into the platform, so complex integrations are not required.

In Summary

Tetrate Application Gateway begins with a hosted management plane, making it very quick to stand up the solution and see initial benefits.

By enabling platform teams to provide safe, compliant workflows that allow application owners to publish and manage traffic to their applications, businesses can unlock greater agility and lower operational costs. This will allow them to respond to changing external requirements more quickly, and provide a much higher level of internal developer satisfaction.

Platform owners deploy edge gateways into locations of their choice. Edge Gateways serve as the initial ingress point into the infrastructure, and forward traffic to a secure, internal mesh. Edge Gateways can be integrated with common DNS providers, so that when a new service is exposed or is migrated, the correct DNS configuration is maintained at all times.

Application owners are given the ability to onboard applications from their deployment locations, expose these applications to the internal mesh, and then publish them through selected Edge Gateways. All activities are governed and limited by security and compliance policies defined by the platform owner. Application owners publish applications, observe metrics and traces, and troubleshoot services using the rich user interface, complete APIs, and GitOps and kubectl integrations.

Product status

Tetrate Application Gateway is available for demo and early customer evaluation. If you want to discuss how Tetrate can help your organization manage ingress traffic and deliver operational excellence, contact us to get started!
