
The Fast Track to a Secure and Resilient Service Mesh on Amazon EKS: Tetrate Service Express Is GA!

Today we are excited to announce that Tetrate Service Express (TSE), the only EKS-native service mesh that provides workload security and high-availability with Istio and Envoy, is now generally available! You can get TSE directly on AWS container marketplace today.

Whether you are new to service mesh or a veteran, the important idea is that TSE makes mTLS and service failover across AWS regions easy, and it makes Day 2 operations of EKS workloads much easier. TSE is fast to install, pre-built with native AWS service integrations, and built on top of proven technologies used by the largest financial institutions in the world.

If your team is experimenting with service mesh on AWS, and you need to quickly prove the ROI without mastering complex Istio, Envoy, and AWS primitives, TSE is meant for you! If your team already has a service mesh on a single cluster but wants to extend that mesh to multiple clusters or even regions, TSE can help as well. In fact, TSE is the only offering based on open source software and optimized for AWS, pre-integrated with the most popular AWS services to get you up and running in minutes.

If you want to get started right away, watch the intro video and sign up for a free evaluation copy.

If you want to learn more about how Tetrate Service Express works, read on.

Tetrate Service Express Solves Common Problems in Amazon EKS

During the tech preview, we’ve worked closely with customers to understand how they are getting value from TSE. We see three common use cases that most teams running EKS can benefit from:

Use case #1: Maintain service availability automatically, even in the event of a region failure:

Operational concerns and unscheduled downtime mean that region availability can never be completely assured. TSE operates Amazon Route53 DNS on your behalf, so when your developers deploy services in two or more regions, TSE will automatically ensure user requests are directed to available regions.

Availability of internal services is also a concern, and TSE manages service discovery and routing on behalf of your apps. If a local service instance fails, client requests are automatically routed to a nearby instance in another region.

Use case #2: Implement a secure, auditable, Zero Trust-based production environment:

Zero Trust security is a sound security principle to follow, but successful implementation is fraught with complexities. Whether you operate a single cluster or multiple regions, TSE enables you to define secure environments in which to deploy applications.

Partition your compute platforms into small, trusted “workspaces,” aligning with Kubernetes namespaces for ease of operations and spanning clusters when needed. Protect workspaces with ingress and cross-workspace rules to control traffic. Precisely define entry and exit points for services. Require authentication and manage mTLS with TSE and optionally AWS Private CA.

Use case #3: Extend AWS-native tools and improve developer velocity:

New platform tools can significantly reduce developer velocity by requiring re-tooling and new APIs while offering only limited integrations.

TSE addresses this challenge head-on with a clear separation of concerns between the platform operator and the service owner/developer. Whereas the platform operator defines advanced routing, security, availability, and observability policies using TSE APIs, the developer experience remains unchanged. TSE applies mTLS, security, service discovery, failover, and cross-cluster policies transparently to the apps and services.

Built on Istio with many pre-built integrations with AWS services, TSE integrates with Amazon Managed Grafana and other observability tools to avoid any disruption and retooling, and to provide rich application feedback to service owners.

These use cases are very common for teams starting to scale EKS, either because the business requires them to expand beyond a single region or because they are seeing increasing demand for EKS internally.

Let’s take a closer look at how TSE works.

From Zero to App in 2 Hours

Running TSE does not require any expertise in Istio or Envoy, and it can be easily deployed by anyone with good AWS experience. Our design goal is to take a typical user from zero to a deployed app in a matter of hours. Beyond the initial installation and onboarding, achieving additional security and resiliency measures should take only a few more steps.

Installation & Cluster Onboarding

You can install TSE with three simple commands (try with an eval copy here), or directly from the AWS marketplace. To onboard your EKS clusters, experienced users can use the command line with a few commands. For new users, we’ve built an onboarding wizard to make this experience seamless. Check out the TSE installation guide for more details.

Tetrate Service Express getting started experience.

Deploy an App

Kubernetes uses namespaces to isolate groups of resources within a cluster. TSE gives teams more flexibility with the concept of workspaces. A workspace is simply a collection of one or more K8s namespaces, on one or more K8s clusters. TSE uses workspaces, not namespaces, as the basic target for configuration and grouping. Workspaces allow you to better manage resource isolation and multiple tenants. Check out the TSE app deployment guide for more details.

Setting up a TSE workspace for app onboarding.

Set up mTLS

A major advantage of service mesh is taking policy code such as mTLS out of the app, but that alone is not enough. Many teams implementing service mesh struggle simply to require mTLS by default, especially when they scale beyond a single EKS cluster. TSE makes it easy to define global policies for all applications in the TSE platform, such as “mTLS required,” in one step. Check the TSE mTLS guide for more details.

One-step mTLS enforcement in TSE.

Make “Deny All” by Default

Similar to mTLS, TSE also makes it easy for you to set and enforce a “deny all by default” policy. This blocks all transactions by default, so every flow must be explicitly enabled. Deny all by default is fundamental to achieving a Zero Trust posture, but it can be difficult to implement in practice because of the sheer number of configurations required. TSE automates all of those configurations so that deny all by default can be enabled in one simple step. Check out the TSE Zero Trust security policy guide for more details.
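For readers who know Istio, the two policies above (“mTLS required” and “deny all by default”, followed by one explicit allow) can be expressed as the following raw Istio resources. This is an added illustration written for this post, not TSE's own API or generated configuration; the `frontend` and `payments` namespaces, the `app: payments` label and the `frontend` service account are constructed, and `istio-system` is assumed to be the mesh root namespace.

```yaml
# Mesh-wide mTLS: a PeerAuthentication in the root namespace applies to every
# workload that has no narrower policy. STRICT rejects plaintext connections,
# so only sidecar-to-sidecar mTLS traffic is accepted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # assumed root namespace
spec:
  mtls:
    mode: STRICT
---
# Mesh-wide deny all by default: an AuthorizationPolicy with an empty spec in
# the root namespace matches every workload and allows nothing, so any request
# without a matching ALLOW policy is rejected with 403 (RBAC: access denied).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# One explicitly enabled flow (constructed example): only the frontend service
# account may call the payments workload, and only with GET or POST. The
# principal is the SPIFFE identity carried in the client's mTLS certificate,
# which is why STRICT mTLS above is a prerequisite for this check to be trustworthy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-payments
  namespace: payments             # constructed namespace
spec:
  selector:
    matchLabels:
      app: payments               # constructed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/frontend"]  # constructed SA
    to:
    - operation:
        methods: ["GET", "POST"]
```

Apply the first two resources before any ALLOW rules exist and every call in the mesh will fail, which is the expected starting point; each 403 in the sidecar access logs then points at a flow that still needs an explicit policy.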

Setting up deny all by default in TSE.

Set up Failover across Regions

Once you scale your deployment to more than one EKS cluster (for example, across multiple regions), you face the challenge of securely connecting these clusters so that a client in one cluster can access a service in a second cluster. TSE handles all of the complexity, providing service discovery and secure mTLS-based connectivity between clusters, without the need to expose services to external (non-mesh) clients.

TSE provides an internal “east-west” gateway. The east-west gateway exposes sets of services in a cluster so that other TSE-managed clusters can access them. These services are not exposed to non-mesh clients. Furthermore, these services can be discovered and accessed using their FQDN (service name) alone, exactly as if they were running in the local cluster, so clients can access them by name without knowing any details about where the service is deployed. Check out the TSE cross-cluster failover guide for more details.

TSE handles cross-cluster failover automatically.

Get Insights through Built-In Dashboards and Amazon Managed Grafana

TSE comes with a host of observability capabilities to help you identify the causes of application slowdowns, distinguish between application, sidecar, and network latency, and troubleshoot in general. Check out the TSE observability guide for more details.

To begin with, you can easily get a topology view of your service inventory:

TSE topology view.

Next, you can drill down into a metrics view of your services:

TSE metrics drill down.

Finally, you get tracing right out of the box with TSE, without needing to integrate your own tracing tool:

TSE tracing view.

Speaking of integration, it’s also very easy to integrate TSE with Amazon Managed Grafana. You can configure TSE as a Prometheus data source so it provides PromQL support, facilitating the querying of service metrics and creation of service dashboards in Grafana. Check out more details in the TSE integration guide.

TSE integrated with Amazon Managed Grafana.

Try It out Now

That’s the quick overview of the major TSE capabilities. If you want a comprehensive conceptual introduction to TSE, you can read more about the architecture and core concepts in the docs. Tetrate Service Express is now generally available. If you want to get started, you can get an eval copy immediately, buy it from AWS marketplace, or contact us. If you want to learn more about TSE, check out the getting started series. We are also planning additional blogs, videos and webinars to show off more of TSE’s capabilities. The next TSE webinar is scheduled in a few weeks; sign up today. Lastly, don’t forget to follow Tetrate on Twitter or LinkedIn so you get an instant update when new TSE content becomes available!
