Authors: Mark Schweighardt, Tom Spoonemore

Modern enterprises are sprawling and complicated. They are transitioning from private to public clouds to address, for example, performance, availability, and data residency requirements, and to gain access to advanced services such as analytics and ML. They are also transforming their application architectures from monoliths to distributed microservices.

In August 2019, VMware introduced VMware Tanzu, a new portfolio of products and services to transform the way enterprises BUILD modern applications on Kubernetes, consistently RUN Kubernetes across clouds, and MANAGE Kubernetes fleets from a single control point. This is a huge win for our customers: with Tanzu Mission Control, they can consistently create and manage the lifecycle of Kubernetes clusters across any cloud.

But how do we consistently connect and secure traffic between the services distributed across all of these clusters and clouds, while delivering on application SLAs? Today we further develop this picture by introducing NSX Service Mesh on VMware Tanzu. NSX Service Mesh provides an application connectivity and security fabric that can span across all of your Kubernetes clusters and cloud environments.

NSX Service Mesh allows you to: 

  • CONNECT – Intelligently control and observe traffic and API calls between services. 
  • PROTECT – Implement consistent security and compliance policies across clouds. 

Now let’s look more closely at how NSX Service Mesh provides consistent connectivity and security for microservices – across all of your Kubernetes clusters and clouds – in the most demanding enterprise architectures.

CONNECT: Control & Observe Application Traffic 

NSX Service Mesh provides fine-grained, rule-based traffic management that gives you complete control over how traffic and API calls flow between your services, and across clusters and clouds.  

Easily configure global load balancing with failover across clusters in multiple zones or regions, split traffic and route requests based on percentages or request content, and implement application resiliency using timeouts/retries and circuit breakers. You can also test your applications in production using traffic mirroring.

NSX Service Mesh also integrates with open source and commercial monitoring and troubleshooting tools, including Wavefront by VMware, for full observability into application performance and faster root-cause analysis and mean time to repair.

[Figure: Control and Observe Application Traffic Through NSX Service Mesh]

PROTECT: Secure Services & Sensitive Data 

As we have more traffic and data flowing across clusters and across clouds, we need to protect it. NSX Service Mesh helps you implement a zero-trust security model for modern, cloud-based applications. It does this by: 

  • Strongly authenticating the identities of users and services 
  • Authorizing users and services to communicate by analyzing the request context 
  • Encrypting application traffic traversing inside and across clusters and clouds
  • Logging all request and access events for auditing and compliance 

Together, these capabilities form the foundation of zero-trust security for applications, and protect sensitive data flowing across all of your clusters and clouds.

Strong Isolation for the Enterprise

Enterprise infrastructure and applications are not the only things becoming more complex; so are organizational structures, with multiple lines of business, teams, and diverse product offerings. This business transformation has resulted in an explosion of applications and data that extend beyond and across organizational boundaries.

Due to this complexity, enterprises need isolated environments for their application teams. To achieve strong isolation, NSX Service Mesh introduces a new construct called Global Namespaces (GNS). As its name implies, a global namespace can consist of microservices distributed across multiple Kubernetes clusters and clouds. Each global namespace provides its own identity management, policies (e.g., security and SLOs), naming / DNS, and traffic routing. 

Global namespaces are strongly isolated environments that can be provided to different teams managing different applications and data, and that can also be used to isolate dev, test, and prod environments. And of course, you can have as many global namespaces as you need.

One more significant benefit of a GNS: the GNS decouples your applications from the underlying Kubernetes infrastructure, so you can more easily move applications across cloud environments while maintaining consistent and continuous configs and policies, regardless of where your workloads are running.

A Complete Platform for Application Modernization and Journey to the Cloud 

With comprehensive build, run, manage, connect, and protect capabilities, VMware Tanzu and NSX Service Mesh provide benefits across your entire organization as you modernize your applications and adopt cloud.

Developers benefit from simplified application development and deployments. Operators benefit from application SLOs, resiliency, and observability – from a single management plane. And security teams benefit from consistent policies and visibility across application environments for auditing and compliance oversight.

Meet-Up with Us at KubeCon! 

The NSX Service Mesh team will be active at KubeCon in San Diego this week: 

Stop by VMware Booth D6 to see Tanzu and NSX Service Mesh in action. Or collaborate and interact with VMware contributors at Community Lounge 4.

You can also watch a recent webinar by Joe Beda and Pere Monclus discussing how Tanzu Mission Control, in conjunction with NSX Service Mesh, provides a consistent way to manage application-level connectivity and security for microservices running inside your Tanzu-managed Kubernetes clusters.