VMware Tanzu™ Service Mesh™, built on VMware NSX®, is an enterprise-class service mesh solution that provides reliable control and security for microservices, end users, and data across all your clusters and clouds in the most demanding multicluster and multicloud environments.

Tanzu Service Mesh runs on multiple application platforms, public clouds, and runtime environments, including Kubernetes clusters.

To control application traffic, Tanzu Service Mesh provides fine-grained traffic management policies that give you complete control and visibility into how traffic and API calls flow between your services and across clusters and clouds.

To secure communication between services and protect sensitive data, you can use Tanzu Service Mesh to implement a zero-trust security model for cloud-based applications.

Tanzu Service Mesh supports cross-cluster and cross-cloud use cases with global namespaces. With global namespaces, you can securely deploy applications across clusters and clouds and have consistent traffic management policies, application continuity, and security policies across cloud silos and boundaries, regardless of where the applications are running.

Each global namespace can be considered to mark an application boundary and, as such, provides a strongly isolated environment for the application teams and business units that manage different applications and data.

Benefits for Different Enterprise Teams

Tanzu Service Mesh helps platform and application teams efficiently connect and secure their microservices across multiple clusters and clouds.

Tanzu Service Mesh helps DevOps engineers, site reliability engineers (SREs), platform reliability engineers (PREs), and platform operators achieve consistent operational control, policies, and visibility across multiple application platforms and public clouds.

Security engineers, SecOps engineers, and compliance owners can use the product to configure flexible business-relevant security and compliance policies that protect and monitor applications and data and enable compliance by default.

Application developers and service owners can use Tanzu Service Mesh to deploy applications more quickly and add features more easily to provide more value and better experiences for application users.

Key Highlights of Tanzu Service Mesh

With Tanzu Service Mesh, application and platform teams get an enterprise-grade service mesh that does the following:

  • Extends the service mesh capability (discovery, connectivity, security, and observability) across multiple clusters and clouds.

  • Supports the development and management of distributed microservices applications across multiple clusters, multiple clouds, and in hybrid-cloud environments with Global Namespaces.

  • Controls and observes traffic and API calls between services.

  • Implements consistent application-layer security policies across clusters and clouds.

  • Provides a consistent management model (connectivity, security, observability) for applications.

  • Provides features to manage application deployments, upgrades, A/B and canary testing, and security patches.

  • Integrates with automated pipelines and workflows.

  • Supports third-party Kubernetes platforms (such as Amazon EKS).

  • Integrates with VMware Tanzu™ Mission Control™, VMware® Enterprise PKS, and VMware Tanzu™ Kubernetes Grid™ to provide a seamless user experience.

Architecture of Tanzu Service Mesh

Tanzu Service Mesh offers a global controller and observer that platform teams can use to connect and protect microservices across all of their clusters and clouds in the most complex enterprise architectures. At a high level, Tanzu Service Mesh has the following architecture:

  • Global Controller and Observer. A collection of microservices that run in VMware SaaS and deliver differentiated control, security, and visibility capabilities.

  • Local Controller. Local control-plane components that run in each customer cluster on-premises or in the public cloud and deliver fault tolerance if a cluster becomes disconnected from the Global Controller.

  • Sidecars. Data-plane components that run in each customer cluster on-premises or in the public cloud and handle east-west traffic inside the service mesh.

  • Ingress and Egress Gateways. Data-plane components that run in each customer cluster on-premises or in the public cloud and handle north-south traffic going in and out of the service mesh.