Today we are excited to announce that Tetrate Service Express (TSE), the only EKS-native service mesh that provides workload security and high-availability with Istio and Envoy, is now generally available! You can get TSE directly on AWS container marketplace today.
Whether you are new to service mesh or a veteran, the important idea is that TSE makes mTLS and service failover across AWS regions easy, AND it makes Day 2 operations of EKS workloads much easier. TSE is fast to install, pre-built with native AWS service integrations, and built on top of proven technologies used by the largest financial institutions in the world.
If your team is experimenting with service mesh on AWS, and you need to quickly prove the ROI without mastering complex Istio, Envoy, and AWS primitives, TSE is meant for you! If your team already has a service mesh on a single cluster, but wants to extend your mesh to multiple clusters or even regions, TSE can help as well. In fact, TSE is the only offering based on open source software and optimized for AWS, pre-integrated with the most popular AWS services to get you up and running in minutes.
If you want to get started right away, watch the intro video and sign up for a free evaluation copy.
If you want to learn more about how Tetrate Service Express works, read on.
Tetrate Service Express Solves Common Problems in Amazon EKS
During the tech preview, we’ve worked closely with customers to understand how they are getting value from TSE. We see three common use cases that most teams running EKS can benefit from:
Use case #1: Maintain service availability automatically, even in the event of a region failure:
Operational concerns and unscheduled downtime mean that region availability can never be completely assured. TSE operates Amazon Route53 DNS on your behalf, so when your developers deploy services in two or more regions, TSE will automatically ensure user requests are directed to available regions.
Availability of internal services is also a concern, and TSE manages service discovery and routing on behalf of your apps. If a local service instance fails, client requests are automatically routed to a nearby instance in another region.
Use case #2: Implement a secure, auditable, Zero Trust-based production environment:
Zero Trust security is a sound security principle to follow, but successful implementation is fraught with complexities. Whether you operate a single cluster, or multiple regions, TSE enables you to define secure environments to deploy applications.
Partition your compute platforms into small, trusted “workspaces,” aligning with Kubernetes namespaces for ease of operations and spanning clusters when needed. Protect workspaces with ingress and cross-workspace rules to control traffic. Precisely define entry and exit points for services. Require authentication and manage mTLS with TSE and optionally AWS Private CA.
Use case #3: Extend AWS-native tools and improve developer velocity:
New platform tools can significantly reduce developer velocity by requiring re-tooling and new APIs while offering limited integrations.
TSE addresses this challenge head-on with a clear separation of concerns between the platform operator and the service owner/developer. Whereas the platform operator defines advanced routing, security, availability, and observability policies using TSE APIs, the developer experience remains unchanged. TSE applies mTLS, security, service discovery, failover, and cross-cluster policies transparently to the apps and services.
Built on Istio with many pre-built integrations with AWS services, TSE integrates with Amazon Managed Grafana and other observability tools to avoid any disruption and retooling, and to provide rich application feedback to service owners.
These use cases are very common for teams starting to scale EKS, either because the business requires them to expand beyond a single region, or they are seeing increasing demand for EKS internally.
Let’s take a closer look at how TSE works.
From Zero to App in 2 Hours
Running TSE does not require any expertise in Istio or Envoy, and it can be easily deployed by anyone with good AWS experience. Our design goal is to take a typical user from zero to a deployed app in a matter of hours. Beyond the initial installation and onboarding, achieving additional security and resiliency measures should take only a few more steps.
Installation & Cluster Onboarding
You can install TSE with three simple commands (try with an eval copy here), or directly from the AWS marketplace. To onboard your EKS clusters, experienced users can use the command line with a few commands. For new users, we’ve built an onboarding wizard to make this experience seamless. Check out the TSE installation guide for more details.
Deploy an App
Kubernetes uses namespaces to isolate groups of resources within a cluster. TSE gives teams more flexibility with the concept of workspaces. A workspace is simply a collection of one or more K8s namespaces, on one or more K8s clusters. TSE uses workspaces, not namespaces, as the basic target for configuration and grouping. Workspaces allow you to better manage resource isolation and multiple tenants. Check out the TSE app deployment guide for more details.
Set up mTLS
A major advantage of service mesh is that it takes policy code such as mTLS out of the app, but that alone is not enough. Many teams implementing service mesh struggle simply to require mTLS by default, especially when they scale beyond a single EKS cluster. TSE makes it easy to define global policies for all applications in the TSE platform, such as “mTLS required,” in one step. Check the TSE mTLS guide for more details.
Make “Deny All” by Default
Similar to mTLS, TSE also makes it easy for you to set and enforce a “deny all by default” policy. This blocks all transactions by default, so every permitted flow must be explicitly enabled. Deny all by default is fundamental to achieving a Zero Trust posture, but it can be difficult to implement in practice due to the sheer number of configurations required. TSE automates all of that configuration into one simple step. Check out the TSE Zero Trust security policy guide for more details.
Set up Failover across Regions
Once you scale your deployment to more than one EKS cluster (such as multiple regions), you face the challenge of securely connecting these clusters so that a client in one cluster can access a service in a second cluster. TSE handles all of the complexity, providing service discovery and secure mTLS-based connectivity between clusters, without the need to expose services to external (non-mesh) clients.
TSE provides an internal “east-west” gateway. The east-west gateway exposes sets of services in a cluster so that other TSE-managed clusters can access them. These services are not exposed to non-mesh clients. Furthermore, these services can be discovered and accessed using their FQDN (service name) alone, exactly as if they were running in the local cluster, so clients can access them by name without knowing any details about where the service is deployed. Check out the TSE cross-cluster failover guide for more details.
Get Insights through Built-In Dashboards and Amazon Managed Grafana
TSE comes with a host of observability capabilities for general troubleshooting and for identifying the causes of application slowdowns, distinguishing between application, sidecar and network latency. Check out the TSE observability guide for more details.
To begin with, you can easily get a topology view of your service inventory:
Next, you can drill down into a metrics view of your services:
Finally, you get tracing right out of the box with TSE, without needing to integrate your own tracing tool:
Speaking of integration, it’s also very easy to integrate TSE with Amazon Managed Grafana. You can configure TSE as a Prometheus data source so it provides PromQL support, facilitating the querying of service metrics and creation of service dashboards in Grafana. Check out more details in the TSE integration guide.
Try It out Now
That’s the quick overview of major TSE capabilities. If you want a comprehensive conceptual introduction to TSE, you can read more about architecture and core concepts in the docs. Tetrate Service Express is now generally available. If you want to get started, you can get an eval copy immediately, buy it from AWS marketplace, or contact us. If you want to learn more about TSE, check out the getting started series. We are also planning additional blogs, videos and webinars to show off more of TSE’s capabilities. The next TSE webinar is scheduled in a few weeks, so sign up today. Lastly, don’t forget to follow Tetrate on Twitter or LinkedIn so you get an instant update when new TSE content becomes available!