Tanzu Service Mesh is a managed service provided by VMware that delivers the open-source Istio technology to client clusters. Tanzu Service Mesh provides an Istio-based solution that is curated by VMware and tested for compatibility with its own features.
Tanzu Service Mesh provides customers with a streamlined and secure way to manage their Istio deployments across multiple clouds and vendors.
Istio is an open-source service mesh that provides features such as traffic management, policy enforcement, and telemetry collection for microservices-based applications. Tanzu Service Mesh takes the core capabilities of Istio and adds value on top of them, including:
Global namespaces. Tanzu Service Mesh provides a unified management interface for Istio deployments across multiple clusters, allowing customers to manage their Istio environment in a centralized manner.
Advanced security and resiliency features. Tanzu Service Mesh includes features, such as API security, PII DLP, east/west WAF, and access policies, that are designed to enhance the security and resiliency of customer applications.
Management capabilities. Tanzu Service Mesh provides several management capabilities to help customers manage their Istio deployments, including Istio Lifecycle Management. Customers can install, upgrade, and manage their Istio deployments centrally through Tanzu Service Mesh.
Cluster dashboards. Tanzu Service Mesh provides a view of the topology of applications on the clusters, as well as how they interact with the Istio components.
Inventory, heatmaps, service maps, and performance graphs. Tanzu Service Mesh provides platform operators with the ability to monitor and manage their Istio deployments across clouds.
When customers onboard their clusters to Tanzu Service Mesh, Tanzu Service Mesh will deploy OSS Istio to the customer’s client clusters on any cloud and vendor. The supported Kubernetes platforms are listed on the Tanzu Service Mesh Environment Requirements and Supported Platforms page. Once Istio is deployed in the client clusters, customers can interact with Istio through the Kubernetes API and Istio CRDs, as they would with the open-source version of Istio. However, Tanzu Service Mesh features, such as global namespaces and policies, are managed centrally through the Tanzu Service Mesh SaaS (UI, Tanzu Service Mesh CLI, or REST API). The demarcation line between Istio and Tanzu Service Mesh features is as follows:
Istio single-cluster features. These are managed through the Kubernetes cluster API and Istio CRDs.
Tanzu Service Mesh features. These are managed centrally through the Tanzu Service Mesh SaaS, using the Tanzu Service Mesh CLI, UI, or REST API.
When interacting with Istio through Tanzu Service Mesh, keep the following in mind:
Tanzu Service Mesh supports Istio deployments managed through the Tanzu Service Mesh lifecycle manager only.
Attaching an Istio control plane that was not deployed by Tanzu Service Mesh is currently not supported.
Tanzu Service Mesh does not support Istio multiclustering in conjunction with global namespaces. Customers who want to use global namespaces should do so for federated multiclustering.
Customer gateways and changes to Istio policies should be made in the app namespace because Tanzu Service Mesh will overwrite any changes made to the istio-system namespace.
When using global namespaces, you may need to update some Istio policies or move them to a global namespace to avoid conflicts. Make sure that the policies do not overlap or collide with Tanzu Service Mesh access policies.
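The last two points can be checked before onboarding a cluster. The following is an added example, not VMware's or this page's own code: it reads a resource list shaped like `kubectl get ... -A -o json` output, flags Istio resources in istio-system, and lists policies in namespaces that belong to a global namespace for manual review. The sample data, the resource names, and the `gns_namespaces` parameter are assumptions made for illustration.

```python
import json

ISTIO_GROUPS = ("networking.istio.io", "security.istio.io")
# Policy kinds to review for overlap with access policies (assumed selection).
POLICY_KINDS = {"AuthorizationPolicy", "PeerAuthentication", "RequestAuthentication"}
MANAGED_NS = "istio-system"  # namespace the page says is overwritten

# Constructed sample, shaped like the List object that
# `kubectl get <istio resource types> -A -o json` returns.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway",
  "metadata": {"name": "shop-gw", "namespace": "istio-system"}},
 {"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway",
  "metadata": {"name": "shop-gw", "namespace": "shop"}},
 {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
  "metadata": {"name": "mesh-deny", "namespace": "istio-system"}},
 {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
  "metadata": {"name": "allow-frontend", "namespace": "shop"}},
 {"apiVersion": "networking.istio.io/v1beta1", "kind": "VirtualService",
  "metadata": {"name": "billing-routes", "namespace": "billing"}},
 {"apiVersion": "v1", "kind": "ConfigMap",
  "metadata": {"name": "istio", "namespace": "istio-system"}}
]}
""")


def audit(resource_list, gns_namespaces=frozenset()):
    """Return (overwritten, review) lists of 'Kind/namespace/name' strings."""
    overwritten, review = [], []
    for item in resource_list.get("items", []):
        # Only Istio CRs matter here; core objects such as ConfigMaps are skipped.
        if item.get("apiVersion", "").split("/")[0] not in ISTIO_GROUPS:
            continue
        meta = item.get("metadata", {})
        ns = meta.get("namespace", "")
        ref = f"{item.get('kind')}/{ns}/{meta.get('name')}"
        if ns == MANAGED_NS:
            overwritten.append(ref)  # will be lost on the next overwrite
        elif item.get("kind") in POLICY_KINDS and ns in gns_namespaces:
            review.append(ref)  # compare by hand against access policies
    return overwritten, review


if __name__ == "__main__":
    lost, check = audit(SAMPLE, gns_namespaces={"shop"})
    print("In istio-system (move to the app namespace):", lost)
    print("Policies in global-namespace members (review for overlap):", check)
```

The review list only narrows down which policies to compare against the access policies defined in Tanzu Service Mesh; it does not decide whether two policies actually conflict.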
In conclusion, Tanzu Service Mesh is a managed service that provides customers with a streamlined and secure way to manage their Istio deployments. Tanzu Service Mesh adds value to Istio through features such as global namespaces and advanced security and resiliency capabilities, while providing management capabilities to help customers manage their Istio deployments. To get the most out of Tanzu Service Mesh, customers should consider the points mentioned above and follow the Tanzu Service Mesh Environment Requirements and Supported Platforms page for deploying Istio on their client clusters.