Version: 1.4.x

Tetrate Service Bridge 1.4: "Golden Gate"

Application Traffic: Centrally governed, locally enforced, scalable everywhere

We are pleased to announce the general availability of the Golden Gate release of Tetrate Service Bridge (TSB). TSB Golden Gate adds capabilities that enable application developers to define traffic and security controls for their old and new applications and APIs. Importantly, it combines Web Application Firewall (WAF), API gateway capabilities, and service mesh into one simple multi-tenant application connectivity platform for the enterprise and is now available as a service.

A simple unified application connectivity platform

At its core, TSB uses Envoy as the common data plane at every point in the modern application topology to enforce policy:

  • at runtime,
  • at application edge to ingress gateways, and
  • all the way down to individual workloads for microservices as well as monolithic applications in virtual machines.

TSB's central management plane offers operators, security engineers, and application developers a way to declaratively express intent that is then executed by the Envoy data plane.

By offering comprehensive capabilities everywhere from edge to workload, a unified application connectivity platform gives developers more control without needing to worry about the machinery of traditional infrastructure management. Operators can spend less time managing application behavior and more time adding value elsewhere.

A consistent operational model across clusters, clouds, and compute mitigates operational complexity which, in turn, increases efficiency and lowers cost. Consistency also improves security by making it possible to declare policy centrally and prove that it's being enforced locally, across all networking and compute infrastructure.

TSB managing application connectivity across clusters with combined WAF, API gateway, and service mesh capabilities available from edge to workload.

Next-generation API Governance

TSB Golden Gate delivers baked-in distributed API gateway capabilities: define once, apply anywhere

The modern API gateway, based on Envoy, is now a core part of Tetrate Service Bridge.

When policy can only be implemented at a specific gateway, it makes sense to carve a distinction between north-south and east-west traffic. Because Tetrate's Envoy-based application networking layer is comprehensive, pervasive, and ubiquitous, that distinction dissolves: it's all just application traffic. This means you can apply capabilities traditionally available only in an API gateway to any part of your application topology from edge to workload.

TSB now includes a comprehensive set of traffic and security controls for all application traffic out of the box, including:

Capabilities like WAF can be used to detect vulnerabilities like Log4j with simple configuration rules in TSB. You can read details here.

Clean, declarative developer experience for all internal and external APIs

The Golden Gate release was designed with the developer in mind and reduces the learning curve of adopting a new, modern platform. The goal of the release is to let developers configure policies for their applications without having to learn the intricacies and workings of new technologies like Envoy and Istio, while still being able to leverage their power. Developers today want to be productive but lack the tools and knowledge to set appropriate networking and security policies, while networking and security teams lack the means to communicate policy mandates and ensure their implementation. This disconnect between access and knowledge leads to noncompliant networking and inconsistent policy enforcement; it can also lead to security breaches.

TSB Golden Gate Release dramatically improves the developer experience of application traffic management with intelligent abstractions that let you declaratively describe how APIs should behave. TSB then takes care of configuring the underlying infrastructure. Developers can just import their application definition via their OpenAPI spec with declarative policy and let Tetrate's management plane and Envoy-based control and data plane handle the runtime details.

For day one and day two concerns, TSB also gives you the observability capabilities you need to ensure that what you intended is what's actually happening. Teams can collaborate to troubleshoot the delta between intent and reality at runtime via signals propagated up to and coalesced in the management plane—and quickly fix those problems when they arise.

In this way, TSB empowers developers to describe how they want applications to behave and implement change at the speed of code, removing operational burdens from application traffic management.

Simply tag your OpenAPI spec with TSB annotations to get API gateway and service mesh capabilities.

SecuritySettings can have WAF, API GW and service mesh security controls.

Application-level segmentation: secure applications, not (just) networks

In addition to reducing operational burden, TSB also tightens security posture. Many of our customers grapple with compliance and enforcing controls in shared infrastructure. This often results in costly redundancies as entirely separate environments must be built and maintained to comply with a particular regulatory regime. In partnership with our customers and responding to their need for a simpler way to ensure compliance, we've built the concept of Workspaces into the latest version of Tetrate Service Bridge. Workspaces allow our customers to segregate, for example, PCI-compliant application components from non-PCI apps, while allowing them to run on the same infrastructure, thus reducing infrastructure overhead while maintaining provable compliance. The applications can be running on VMs, Kubernetes or any other serverless platform. Workspaces allow you to add segmentation at the application level, regardless of the disposition of the underlying infrastructure or form of application packaging.

TSB enabling application-level segmentation across cloud-native and legacy applications such that application developers and platform owners can collaborate to create and operate.

Roles and Responsibilities

TSB allows multiple personas to collaborate to set up service mesh at scale with multiple teams and tenants. Read more in our revamped Security Concepts section and see how to use it in our Roles and Permissions How-to.

Additional improvements and enhancements

  • Easier VM workload onboarding. TSB has made onboarding other workloads to the platform much easier. TSB's updated workload onboarding capabilities enable platform owners to easily add auto scaling EC2 groups and ECS tasks to the global mesh for unified management. Read the docs to learn more.
  • SSO integration. TSB can now integrate with any IDP that supports OIDC. A Sync API is available to sync teams data from any IDP. Learn more (those docs talk about Azure but any OIDC provider will work).
  • IPv6 readiness. All components are now deployable and tested for IPv6.
  • Expanded support for ecosystem platforms. TSB is now supported on a wider array of partners including: