
Using Global Namespaces and Zero-Trust Policies with VMware Tanzu Service Mesh

VMware Tanzu Service Mesh delivers a federated service mesh built on Istio that adds capabilities beyond the core open source project, improving application security, resiliency, and multi-cloud operations for enterprise customers.

The primary construct in Tanzu Service Mesh that enables this added value is the global namespace (GNS). A GNS lets platform operators and developers connect application services without specifying (or even knowing) any underlying infrastructure details, because the GNS generates the mesh configuration (routes, ingress rules, destination rules, service entries, and so on) automatically. With this abstraction, application microservices can "live" anywhere: in any Kubernetes cluster, on any site, in any cloud. Teams can make placement decisions based on application and organizational requirements rather than infrastructure constraints. The abstraction provides fully automated service mesh operations and secured connectivity between an application's services, whether they run in a single Kubernetes cluster or across many.

The idea is simple: a GNS is a logical construct in which you group the services that compose an application and need to communicate with one another into their own "slice of the mesh." By grouping the services into this mesh slice, you decouple the application from the underlying infrastructure, so service mesh capabilities (service discovery, workload identity for mTLS, resiliency and high-availability policies, and other advanced features) are applied to the abstracted application rather than to individual Kubernetes clusters.

This abstraction and automation let you "move," "expand," or "burst" an application service anywhere without changing configuration or application code. That is what makes multi-cloud and hybrid-cloud workloads practical, and the same mechanism is useful in a single-cluster deployment.

Security is where this abstraction pays off most. A distributed, microservices-based application communicates over the network, so every call between two services is a network hop that must be authenticated, authorized, and encrypted, unlike an in-process call inside a monolith. Tanzu Service Mesh gives a GNS a set of advanced zero-trust security and compliance capabilities:

  • End-to-end mTLS encryption from service to service without regard to cluster, site, or cloud

  • Access policies for micro-segmentation at the application level 

  • API control and segmentation – Document, analyze, and protect APIs by controlling them up to the parameter level 

  • PII tracking and DLP – Data leakage protection for personally identifiable information

  • East-west threat detection – Detect and prevent OWASP Top 10 attacks and/or custom attack signatures on any connection, whether north-south or east-west

Zero-trust policies in Tanzu Service Mesh GNS

It is important to note that these advanced security capabilities are applied to traffic inside the GNS without breaking the end-to-end mTLS session that Tanzu Service Mesh maintains between services; encryption between workloads stays intact while access policies, API controls, PII tracking, and threat detection are enforced.
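The two properties that make a GNS "zero trust" in practice are the first two bullets above: strict mTLS between every pair of services, and access policies that only allow explicitly named callers. Because Tanzu Service Mesh is built on Istio, a practitioner will want to verify on an onboarded cluster that the resulting Istio configuration actually has those properties. The script below is an added example, not code from the original post or from Tanzu Service Mesh itself. It assumes (an assumption, not something the post states) that the underlying Istio PeerAuthentication and AuthorizationPolicy resources are visible to kubectl on the cluster, and it audits a JSON dump of them for permissive mTLS and for ALLOW rules that place no constraint on the calling identity. The sample input is constructed to mimic the shape of `kubectl get peerauthentication,authorizationpolicy -A -o json`; the namespaces, policy names and service accounts in it are invented for the example.

```python
"""Audit Istio mTLS and authorization objects for the zero-trust properties a GNS should give you.

Assumptions (not from the original post): the mesh's PeerAuthentication and
AuthorizationPolicy objects can be dumped with kubectl, and the mesh root
namespace is istio-system. Input shape follows `kubectl ... -o json`.
"""
import json

# Constructed sample dump. Names, namespaces and service accounts are invented.
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        # Mesh-wide STRICT mTLS: root-namespace policy with no selector.
        {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
         "metadata": {"name": "default", "namespace": "istio-system"},
         "spec": {"mtls": {"mode": "STRICT"}}},
        # Workload-level override that silently accepts plaintext: a finding.
        {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
         "metadata": {"name": "legacy", "namespace": "payments"},
         "spec": {"selector": {"matchLabels": {"app": "ledger"}},
                  "mtls": {"mode": "PERMISSIVE"}}},
        # Good micro-segmentation: only one named SPIFFE principal may call ledger.
        {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
         "metadata": {"name": "ledger-allow-checkout", "namespace": "payments"},
         "spec": {"selector": {"matchLabels": {"app": "ledger"}},
                  "rules": [{"from": [{"source": {"principals": [
                      "cluster.local/ns/shop/sa/checkout"]}}]}]}},
        # Rule restricts the operation but not the caller: any identity may GET.
        {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
         "metadata": {"name": "catalog-open", "namespace": "shop"},
         "spec": {"selector": {"matchLabels": {"app": "catalog"}},
                  "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}},
    ],
})


def _scope(obj):
    """Human-readable 'namespace/name -> selector' tag for a finding."""
    meta = obj["metadata"]
    sel = obj.get("spec", {}).get("selector", {}).get("matchLabels")
    target = ",".join(f"{k}={v}" for k, v in sorted(sel.items())) if sel else "*"
    return f"{meta['namespace']}/{meta['name']} -> {target}"


def audit_mtls(items, root_ns="istio-system"):
    """Flag every PeerAuthentication (or port override) that is not STRICT,
    and flag the mesh if no root-namespace, selector-less STRICT policy exists."""
    findings, mesh_strict = [], False
    for obj in items:
        if obj.get("kind") != "PeerAuthentication":
            continue
        spec = obj.get("spec", {})
        mode = spec.get("mtls", {}).get("mode", "UNSET")  # UNSET inherits; treat as unproven
        if obj["metadata"]["namespace"] == root_ns and "selector" not in spec and mode == "STRICT":
            mesh_strict = True
        if mode != "STRICT":
            findings.append(f"mTLS {mode}: {_scope(obj)}")
        for port, cfg in spec.get("portLevelMtls", {}).items():
            if cfg.get("mode") != "STRICT":
                findings.append(f"port {port} mTLS {cfg.get('mode', 'UNSET')}: {_scope(obj)}")
    if not mesh_strict:
        findings.append(f"no mesh-wide STRICT PeerAuthentication in {root_ns}")
    return findings


def audit_authz(items):
    """Flag ALLOW rules with no `from` clause: they admit any caller, which
    defeats micro-segmentation even when mTLS is STRICT."""
    findings = []
    for obj in items:
        if obj.get("kind") != "AuthorizationPolicy":
            continue
        spec = obj.get("spec", {})
        if spec.get("action", "ALLOW") != "ALLOW":  # DENY/AUDIT/CUSTOM are out of scope here
            continue
        for i, rule in enumerate(spec.get("rules", [])):
            if not rule.get("from"):
                findings.append(f"ALLOW rule {i} has no source constraint: {_scope(obj)}")
    return findings


def audit(kubectl_json):
    """Run both checks over a kubectl JSON dump and return the combined findings."""
    items = json.loads(kubectl_json)["items"]
    return audit_mtls(items) + audit_authz(items)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against a real dump with `kubectl get peerauthentication,authorizationpolicy -A -o json | python audit.py` after replacing `SAMPLE` with `sys.stdin.read()`. A clean GNS should produce no findings; on the sample it reports the PERMISSIVE override on `payments/legacy` and the caller-agnostic ALLOW rule on `shop/catalog-open`. The check is deliberately conservative: an ALLOW policy with no `rules` at all denies everything in Istio and is correctly left unflagged, while a rule that names only `to` or `when` conditions is flagged because identity is the thing zero trust is supposed to pin down.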

As always, a demo is the best way to show the functionality, so we have prepared one that takes you step by step from creating a GNS to applying the advanced security policies described above.

To learn more about Tanzu Service Mesh, visit the product page.