Centralized governance, local enforcement for your application traffic

We are pleased to announce the general availability of the Golden Gate release of our flagship product, Tetrate Service Bridge (TSB). TSB Golden Gate adds capabilities that enable application developers to define traffic and security controls for all their applications and APIs. Importantly, it adds Web Application Firewall (WAF) and API gateway capabilities to the Envoy data plane and lets application developers and platform owners collaborate on the same platform to configure them properly for their applications, while enabling an end-to-end zero trust implementation. There is an entirely new developer experience for configuring applications and troubleshooting configurations for both personae.

By integrating these functions into a centralized platform, Tetrate offers operational consistency that simplifies application network management, and increases visibility for lower mean time to recovery, faster troubleshooting, and ease of automating application configurations using a GitOps model.

With the new release, TSB is also available as a fully-managed, Tetrate-hosted service, alongside the existing self-managed, on-premises, air-gappable deployment.

With the new release, Tetrate Service Bridge further improves its profile as a leading architecture of choice for new development and for modernizing legacy applications. The power of the platform has increased, and the benefits of improved governance, increased agility (across development, test, and production), and application security that’s built-in, rather than added-on, are now much more accessible. The managed service offering dramatically lowers both the initial and ongoing organizational commitment needed to develop and deliver applications using this breakthrough technology.

A simple, unified application connectivity platform

The TSB platform embeds application-level security, connectivity, observability, and reliability benefits into a dedicated platform layer. That layer is centrally governed and locally enforced in a way that provides operational consistency across different environments, compute architectures, and language ecosystems.

At its core, TSB uses Envoy as the common data plane at every point in the modern application topology to enforce policy:

  • at runtime,
  • at application edge to ingress gateways, and
  • all the way down to individual workloads for microservices, as well as monolithic applications in virtual machines.

TSB’s central management plane offers operators, security engineers, and application developers a way to declaratively express intent that is then executed by the Envoy data plane.

By offering comprehensive capabilities everywhere from edge to on-premises to clouds, TSB gives developers more control without the headaches associated with traditional infrastructure management. Operators can spend less time managing applications’ behaviors and security controls and more time adding value elsewhere.

TSB provides a consistent operating model across clusters, clouds, and compute, which mitigates operational complexity, increases efficiency, and lowers cost. Consistency also improves security by making it possible to declare policy centrally and prove that it’s being enforced locally, across all networking and compute infrastructure.


Figure 1: TSB managing application connectivity across clusters with combined WAF, API gateway, and service mesh capabilities available from edge to workload.

Next-generation API governance with baked-in distributed API gateway capabilities: Define once, apply anywhere

The modern API gateway, based on Envoy, is now a core part of Tetrate Service Bridge.

When policy can only be implemented at a specific gateway, it makes sense to carve out a distinction between north-south and east-west traffic. Because Tetrate’s Envoy-based application networking layer is comprehensive, pervasive, and ubiquitous, that distinction dissolves: it’s all just application traffic. This means you can apply capabilities traditionally available only in an API gateway/Ingress to any part of your application topology from edge to workload.

In a recent Gartner research paper, Innovation Insight for Comprehensive Secure Connectivity for Composite Applications (CASCE – 14 October 2021, ID G00750807), Gartner analysts urge platform managers: “Ensure secure connectivity across application components by using distributed API gateways and private networks to enforce policies with fewer points of contact and more complete control.” The modern API gateway that is now embedded in Tetrate Service Bridge enables the use of consistent policies within composite applications, and between users and applications.

TSB now includes a comprehensive set of traffic and security controls for all application traffic out of the box, including:

  • WAF
  • Egress controls
  • Enabling application SSO
  • External authentication and authorization
  • Credential management
  • Fault tolerance: timeout, retry, circuit breaker
  • Request and response header and body transforms
  • Rate limiting
  • Extensible traffic controls via WebAssembly (Wasm)

Capabilities like WAF can be used to detect exploitation attempts against vulnerabilities such as the Log4j vulnerability with simple configuration rules in TSB.

Clean, declarative developer experience for all internal and external APIs

Golden Gate Release was designed with the developer in mind and reduces their learning curve in adopting a new modern platform. The intent is to enable developers to configure policies for their applications, enabling them to leverage the power of new technologies like Envoy and Istio, without having to learn their inner workings and intricacies. Developers today want to be productive but lack the tools and knowledge to set appropriate networking and security policies, while networking and security teams lack the means to communicate policy mandates and ensure their implementation. This disconnect between access and knowledge leads to non-compliant connectivity and inconsistent policy enforcement; and, in worst-case scenarios, to security breaches.

The TSB Golden Gate Release dramatically improves the developer experience around application traffic management. With intelligent abstractions, developers can declaratively describe how APIs should behave. TSB then takes care of configuring the underlying infrastructure. Developers can simply import their application definition via the OpenAPI spec, with declarative policy, and let Tetrate’s management plane and Envoy-based control and data plane handle the runtime details.

For Day 1 and Day 2 concerns, TSB also gives developers the observability capabilities to ensure that what was intended is actually what’s happening. Teams can collaborate to troubleshoot the delta between intent and reality at runtime via signals propagated to the management plane—and quickly fix those problems when they arise.

In this way, TSB empowers developers to describe how they want applications to behave and implement change at the speed of code, removing operational burdens from application traffic management.

Figure 2: Simply tag your OpenAPI spec with TSB annotations to get API gateway and service mesh capabilities.
Figure 3: SecuritySettings can have WAF, API gateway, and service mesh security controls.

Application-level segmentation: secure applications, not (just) networks

In addition to reducing operational burdens, TSB also tightens applications’ security posture. Many teams struggle with compliance and enforcing controls in shared or multi-tenant infrastructure. This often results in costly redundancies, as entirely separate environments must be built and maintained to comply with a particular regulatory regime. In partnership with our customers, and in response to their need for a simpler way to ensure compliance, we’ve built the concept of workspaces into the latest version of Tetrate Service Bridge.

“We appreciate the way in which the Golden Gate release of Tetrate Service Bridge helps us to achieve security at the application level, not just at the network level,” said Jeremy Farber, SVP Infrastructure for Age of Learning.

Workspaces allow our customers to segment, for example, PCI-compliant application components from non-PCI apps, while allowing them to run on the same shared infrastructure, thus reducing infrastructure overhead while maintaining provable compliance and baked-in security. Workspaces enable multi-tenancy by allowing granular segmentation of workloads across teams and organizations. The applications can be running on VMs, Kubernetes, or serverless platforms. Workspaces allow customers to add segmentation at the application level, regardless of the disposition of the underlying infrastructure or the form of application packaging.

Figure 4: TSB enables application-level segmentation across cloud-native and legacy applications so application developers and platform owners can collaborate.

Shared infrastructure with built-in multi-tenancy

Another common problem that teams have struggled with is the cost and complexity of maintaining multiple clusters per team or app model. With TSB, platform operators can partition shared infrastructure between teams, and benefit from the safety of isolation and from reduced operational costs.

Roles and responsibilities

TSB enables application developers and platform owners to collaborate to set up a service mesh at scale with multiple teams and tenants. Each can be assigned granular permissions in TSB IAM. It is simple to onboard applications and to configure, operate, and troubleshoot them.

Figure 5: Roles of application developers and platform owners collaborating to operate a service mesh at scale.

Tetrate Service Bridge now available as a service

TSB’s management plane, which itself runs in a Kubernetes cluster, is now available in a fully-managed hosted offering from Tetrate. This lets customers bring their own application compute clusters and ensure secure connectivity across application components, enforcing policies with fewer points of contact and more complete control.

TSB as a managed service is available on AWS, Microsoft Azure, and Google Cloud Platform. It offers all the same capabilities as the self-managed software, but provided as a service you plug into. You do not have to worry about installation, maintenance, or administration. Tetrate automatically provisions and manages the management plane and handles software upgrades. New features appear on the managed service first, then migrate to the self-managed software when new releases occur.

Additional improvements and enhancements:

Easier VM workload onboarding. TSB has made onboarding other workloads to the platform much easier. TSB’s updated workload onboarding capabilities enable platform owners to easily add autoscaling EC2 groups and ECS tasks to the global mesh for unified management.

SSO integration. TSB can now integrate with any identity provider (IdP) that supports OIDC. A sync API is available to synchronize team data from any IdP.

Streaming service logs. When troubleshooting, on-demand streaming of service logs is now available.

IPv6 readiness. All components are now deployable and tested for IPv6.

Expanded support for ecosystem platforms. TSB is now supported by a wider array of partners, including:


Get Started

Read the release notes for detailed feature updates and improvements, or start with the concepts documentation.