Skip to main content
Version: 1.3.x

TSB Architecture

The previous section covered what Tetrate Service Bridge is. This section is all about the architecture that makes up TSB.

You’ll learn about:
✓ Tetrate Service Bridge’s Management Plane
✓ Tetrate Service Bridge’s Global Control Plane
✓ The Local Control Planes - powered by Istio
✓ The Data plane - powered by Envoy
✓ Envoy Extensions in Tetrate Service Bridge

By the end, you should have a clear understanding of each of the elements of TSB’s architecture and how they work together to help you manage your environment.

TSB Management Plane

The TSB management plane is your primary access point to everything within your mesh-managed environment.

The management plane enables easy management of your environment by splitting up your infrastructure into ‘workspaces’, ‘groups’ and ‘services’. By using these logical groupings, it allows for an improved user experience when managing your environment.

Any changes that impact your mesh-managed environment are initiated from within the management plane, including user-based actions of multi-tenancy, security and access controls, and application-based actions of traffic management, service discovery and Ingress/Egress controls.

Any changes that you make in the management plane are held in state within the global control plane.

Tetrate Global Control Plane

The global control plane is part of the management plane, and as a user, there's no direct access to the global control plane's APIs.

The global control plane is responsible for:

  • Service discovery between clusters
  • Telemetry that is collected from the local control plane and data plane
  • Disaster recovery and failover in the case of a gateway outage or cluster failure
  • Authentication and Authorization for users and between applications
  • Egress controls to determine what can leave the network.

Global control plane enables clusters to communicate with each other and advertise the services that are available.

Local Control Planes

TSB uses Istio for the local control plane within each cluster, which means that you get the benefits of having isolated failure domains with multiple Istios, and easy, more standardized management from the TSB management plane.

As a user, you access and control them from the management plane, which means you have no direct interaction with the local control planes. Whatsmore, you only need to push a single configuration to update them all.

The local control plane is responsible for:

  • Smart local load balancing
  • Enforcing zero-trust within the cluster
  • Enforcing authentication and authorization at a local level

The control plane is that local point of access for TSB to push configurations, to mine data, and then make intelligent decisions based on what it's seeing within that cluster.

Data Plane

Istio uses an extended version of the Envoy proxy as the data plane. Envoy is a high-performance edge/middle/service proxy, designed to mediate all inbound and outbound traffic for all services in the service mesh.

Envoy proxies are deployed as sidecars to applications/services, to augment services with Envoy built-in features, for example:

  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • Mutual TLS
  • HTTP/2 and gRPC proxies
  • Circuit breakers
  • Health checks
  • Staged rollouts with %-based traffic split
  • Fault injection
  • Rich metrics

The deployment of Envoy will automatically configure all inbound and outbound traffic to go through Envoy. This allows the augmentation of services to happen without requiring you to re-architect or rewrite your application.


The extension point of TSB in the data plane is built with WebAssembly. Envoy has several extension points, while normal Envoy extensions require rebuilding and linking Envoy binary. WebAssembly is a sandboxing technology that can be used to extend Envoy since Istio 1.6.

The overview of WebAssembly extension can be found in the Istio documentation. In TSB, a better support of WebAssembly extensions is provided via GetEnvoy Extensions Toolkit. It helps developers build and test Envoy extensions and integrate with TSB to help the deployment of extensions.