Frequently Asked Questions


What’s the difference between TSB and Istio?

TSB uses Istio under the hood, but layers on additional capabilities like centralized management, multitenancy, audit logging, workflows, a global service inventory, comprehensive lifecycle management, and configuration safeguards.

TSB is built and supported by the world’s foremost Istio experts. We believe in helping to build service mesh expertise within your organization through tailored training for your platform and application teams, understanding your architecture and mesh goals, and developing a plan to achieve them together. And, of course, enterprise-grade 24×7 support for when you need it.

Is TSB open source?

Tetrate Service Bridge itself is proprietary, but uses best-of-breed open source components. Our team includes founders and core maintainers of Istio, Envoy, Zipkin, and Apache SkyWalking — the projects at the heart of Tetrate Service Bridge. We are the creators of GetIstio and GetEnvoy. These open source projects have been shaped by significant contributions by Tetrands and are used in our products.

Does TSB support non-Kubernetes workloads?

Yes, we support onboarding services on VMs and on bare metal. In the process, you run a sidecar alongside your VM or bare-metal services. This sidecar acts as a proxy so that your non-Kubernetes services can participate in the mesh.

Does Tetrate Service Bridge run in the cloud? On premises?

Yes. TSB itself may be deployed in public clouds, a private cloud, or on-premises. It can also manage your services running in public, private, and hybrid clouds and on-premises.

Do you support multiple cloud deployments?

Yes. TSB can manage application networking in and across multiple clusters, multiple clouds, private clouds, and on-premises simultaneously.

Why do I need multitenancy in a service mesh?

Multitenancy in TSB is about separating concerns and isolating resources under management so different teams in an organization have the visibility and control they need to get things done without accidentally stepping on each other’s toes. 

Security, network, infrastructure, and application concerns are traditionally siloed within the teams responsible for them. Gaining visibility and coordinating policy across those silos is hard, causing drag on business continuity and agility. 

TSB offers a central point of coordination that gives all stakeholders the control they need to author policy with the visibility they need to ensure that policy is correctly implemented. 

Under the hood, TSB uses the underlying isolation primitives of the mesh, adding a multitenancy model and controls that align with the way your people and assets are organized. Teams may be organized by what they do and what they’re responsible for. Services may be grouped together into logical applications so app teams can focus on the services they need to monitor and manage.

Give InfoSec teams control that cuts across tenants and workspaces to establish global and default policy (for example, deny network egress by default).

Give app teams a custom view of the services that make up their applications. And, where they once may have spent days or weeks coordinating policy updates with InfoSec and network teams, give them the latitude within the scope of their application to add exceptions where needed (for example, allow egress for a particular service).

Platform administrators get a bird’s eye view of all resources and can organize them according to the needs of their constituents.

How do I protect production from unauthorized access in a dynamic compute environment like Kubernetes?

TSB syncs with your enterprise directory service to automatically onboard and offboard teams and members. InfoSec teams may then define roles and access policy within TSB for those teams and members that make sense for your business. TSB translates those roles and policies to your underlying infrastructure so you don’t need to configure that infrastructure directly. This means, for example, that you don’t need to configure each K8s cluster with team and individual permissions and keep them up to date. Tetrate Service Bridge manages all of that for you, based on centrally authored policy backed by your organization’s directory service.

In addition, access to every workload is dynamically authenticated and authorized based on centrally-managed policy. mTLS prevents eavesdropping and ensures message-level authenticity and integrity. And, TSB’s multitenancy features make it easy to author policy that allows teams access to resources they need while protecting those they don’t.


How can I implement mTLS across my entire infrastructure, including between K8s and VMs?

TSB enables flexible mTLS between any workload onboarded to its service inventory—including between multiple clusters, clouds, and data centers as well as between workloads in container orchestrators and VMs.

Will TSB work with my existing public key infrastructure?

TSB integrates with the PKI of your choice. Whether you’re using the certificate management built into your cloud provider, a third-party PKI like Venafi or Keyfactor, or need to integrate with your own private, self-managed PKI, Tetrate Service Bridge has you covered.

How do I ensure and prove consistent application of authorization policy across all of my deployments?

Instead of building separate authentication libraries, in multiple languages and of varying quality and support, into each of your applications and then maintaining them, a service mesh provides, through its sidecar proxies, a common, consistent policy enforcement mechanism for every service and every app. Tetrate Service Bridge allows you to author policy centrally, then ensures that policy is configured and enforced universally. TSB also lets you make sure, at a glance, that policy actually is being enforced and can provide audit logs to prove it.

How does TSB transparently shift traffic to public cloud services from my on-premises, self-managed infrastructure?

TSB uses instances of Envoy—either as sidecars or standalone gateways—to shift traffic across clusters and sites. TSB facilitates runtime service discovery to enable this, and provides a global view of traffic flowing through your infrastructure, both concurrently and historically.

How does TSB help optimize locality and minimize egress?

TSB takes advantage of built-in tools like Envoy’s locality-aware and locality-prioritized load balancing combined with TSB’s high-level understanding of your topology to ensure traffic flows as efficiently as possible—staying within the local region or availability zone as much as is possible, taking into account explicit traffic shifting and failover for high-availability and disaster recovery.

How can I safely roll out my microservices implementation and roll back to the VM implementation if it’s not working?

Just like controlling traffic between multiple clusters or sites, TSB can be used to control traffic—per request—across services at the same site. This enables quick and automatic failback to the monolith when new services aren’t working or are unavailable.

How can I mitigate the damage of infrastructure outages by giving my developers tools to failover and build HA applications?

TSB helps you build a system with multiple, separate failure domains (“silos”) by managing application networking, security, configuration, and observability in those silos. It then provides application teams the tools they need to deploy and failover across those silos, ensuring business continuity in the face of outages in the underlying infrastructure.

How does TSB help me keep my service mesh up to date without causing outages?

TSB provides cluster details that include the deployed versions of Istio and Envoy to give you an up-to-date status of what’s running in your infrastructure at a glance. To upgrade, TSB runs the new version as a canary to give you the operational assurance that it’s safe to release the upgrade more broadly.

How do I enable my developers to build reliable applications using mesh primitives?

TSB lets you set sane defaults for your entire organization while giving your devs the ability to incrementally consume mesh functionality as and when they need it, and to ignore the complexity it imposes before they need it.
