Version: 1.3.x


Tetrate Service Bridge (TSB)

TSB is a service mesh management plane that’s designed to provide you with a single place to manage your entire infrastructure. It maps to your existing organizational structure, and enables you to provision access rights according to your already established teams and needs.


Organization

In TSB, an organization is the name we give to the corporation that has a shared infrastructure, and manages all the individual teams within that corporation.


Tenant

A tenant is a group within an organization (e.g. a team or department) that shares organizational resources and has common access to resources with specific privileges (including read and write).


Workspace

A workspace is a strictly partitioned zone where teams manage their exclusively-owned namespaces. It maintains all service mesh-related configurations associated with that team’s namespaces across any number of Virtual Machines and Kubernetes clusters.


A network servable/addressable destination that is identifiable and independently authenticated.


Group

A logical grouping of resources under a Workspace. A group may be one of gateway, traffic, or security group.

Management Plane

The TSB management plane is your primary access point to everything within your environment. It’s your one place to configure networking, security, and observability using the UI or CLI to make updates and changes. It provides centralized control in a multi control plane service mesh.

Global Control Plane / XCP

The global control plane is part of the management plane. It’s concerned with the literal state of your mesh-managed system as a whole, and holds the state of the entire ecosystem under the control of TSB. It provides multi-cluster features on top of the different local control planes.

Control Plane

The local control plane is an Istio service mesh that is deployed in every cluster to create isolated failure domains between clusters. It allows TSB to make use of all the features of Istio, including enforcing mTLS between applications, as well as making intelligent networking and traffic routing decisions between microservices within each cluster.

Data Plane

Powered by Envoy, the data plane enables data transfer between services using ‘sidecars’ that sit next to microservices and send and receive data on behalf of the applications.

Load balancer

A load balancer sits in front of your servers and distributes requests based on availability and capacity.


Gateway

A gateway describes a load balancer operating at the edge of a mesh, receiving incoming or outgoing HTTP/TCP connections. In a multi-cluster TSB ecosystem we distinguish between the following types of gateways:

  • Tier 1 Gateway distributes traffic across one or more ingress gateways in other clusters over Istio mTLS. This is the entry point to a TSB service mesh that spans multiple clusters.
  • Ingress Gateway (tier 2 gateway) distributes traffic to one or more workloads (business application services) running in the cluster. The source of the traffic can be:
    1. A tier 1 gateway, communicating over Istio mTLS. The mesh starts at tier 1.
    2. A client on the internet (outside the TSB mesh). The mesh starts at tier 2.
    3. A service running on another cluster that is also part of the TSB mesh. In this case, the mesh entry point is a tier 2 gateway on the remote cluster, which forwards the request to the client service.
  • VM Gateway provides a gateway for traffic originating from onboarded VMs to route correctly to other mesh workloads.

Service Registry

The service registry is a central point where you can see a list of every service that exists in the TSB platform’s onboarded clusters.

Front Envoy (Envoy Gateway)

The Envoy gateway that accepts incoming traffic to TSB components, e.g. API calls, commands from tctl, and communications to clusters managed by TSB (i.e. the Global Control Plane).


Kubernetes

Your guess is as good as mine… But here is an overview on the Kubernetes site.


Cluster

A cluster is a set of compute nodes. A node can contain Kubernetes pods, VMs, Bare Metal, or a combination of all three if they share a trust domain.


Namespace

Namespaces are Kubernetes-specific. They enable you to group resources (e.g. containers, pods or nodes) into ‘sets’ and provide them with a name.

Failure Domain

A physical or logical section of your environment that is negatively affected, or likely to fail when a critical device or service experiences problems.


Istio

Istio is an open source service mesh that provides a transparent and language-independent way to flexibly and easily automate application network functions. To learn more about Istio’s capabilities, visit the Istio website.


Envoy

Envoy is an L7 proxy and communications system designed for large modern service oriented architectures. All of the Envoys form a transparent communication mesh in which each application sends and receives messages to and from localhost and is unaware of the network topology. To learn more about Envoy, visit the Envoy Proxy website.


Apache SkyWalking

Apache SkyWalking is an Observability Application Platform (OAP) and Application Performance Monitor (APM) tool that includes distributed tracing, service mesh telemetry analysis and metrics aggregation to provide you with a full picture of the health of your services and service mesh. For more information, visit the Apache SkyWalking website.


Zipkin

Zipkin is a distributed tracing system that gathers timing information from your services to help you troubleshoot latency issues within your architecture. For more information, visit the Zipkin website.