Tetrate Archives

Use Tetrate’s Open Source Istio Cost Analyzer to Optimize Your Cloud Egress Costs

Who Is This For?

You should read this if you run Kubernetes and/or Istio on a public cloud, and you care about your cloud bill. Cloud providers charge money for data egress, including data leaving one availability zone destined for another. If your Kubernetes deployments span availability zones, you are likely being charged for egress between internal components. Even if you don’t run Kubernetes/Istio, you’ll still run into cross-zone data egress costs, which this article will help you understand and minimize.

Tetrate

Ambient Mesh: What You Need to Know about This Experimental New Deployment Model for Istio

Istio recently announced “ambient mesh”—an experimental, “sidecar-less” deployment model for Istio. We’ve written about sidecar vs. sidecar-less recently in the context of getting the most performance and resiliency out of the service mesh. In this article, we’ll present our take on ambient mesh in particular.

If you want to get started with a production-ready Istio distribution today, try Tetrate Istio Distro (TID). TID is a vetted, upstream distribution of Istio that is simple to install, manage, and upgrade with FIPS-certified builds available for FedRAMP environments. If you need a unified and consistent way to secure and manage services across a fleet of applications, check out Tetrate Service Bridge (TSB), our comprehensive edge-to-workload application connectivity platform built on Istio and Envoy.

What Is Ambient Mesh?

Ambient mesh is an experimental new deployment model recently introduced to Istio. It splits the duties currently performed by the Envoy sidecar into two separate components: a node-level component for encryption (called “ztunnel”) and an L7 Envoy instance deployed per service for all other processing (called “waypoint”). The ambient mesh model is an attempt to gain some efficiencies in potentially improved lifecycle and resource management—at least, that’s the motivation.

Tetrate

Minimizing Cross-Zone Traffic Charges with Istio

Deploying Kubernetes clusters across availability zones can offer significant reliability benefits, especially when you use Istio for application routing and load balancing. If you have built redundant failure domains in separate zones, the mesh can automatically shift traffic to another zone should one zone fail. Istio’s locality-aware load balancing can also help reduce latency and cross-zone traffic charges from your cloud provider by keeping traffic within the same zone as much as possible.

Tetrate

Automate Istio CA rotation in production at scale

One of Istio’s core capabilities is to facilitate a zero trust network architecture by managing identity for services in the mesh. To retrieve valid certificates for mTLS communication in the mesh, individual workloads issue a certificate signing request (CSR) to istiod. Istiod, in turn, validates the request and uses a certificate authority (CA) to sign the CSR to generate the certificate . By default, Istio uses its own self-signed CA for this purpose, but best practice is to integrate Istio into your existing PKI by creating an intermediate CA for each Istio deployment.

mTLS, Security, Tetrate, Tetrate Service Bridge

Securing microservices across clouds using Tetrate Service Bridge

Introduction

Today, digital transformation is a well-established priority for almost all organizations across industries. With digital transformation, which includes adopting cloud, microservices, and container technologies, C-Suite leaders intend to deliver services faster and on demand.

Istio, Tetrate

The arm64 processor is now supported in Istio 1.15

Istio is one of the three core technologies in the container-based cloud native stack. The other two are Kubernetes and Knative, and both of them already support the arm64 architecture. Envoy, Istio’s data plane has supported arm64 as early as version 1.16 (October 2020 ). With the release of Istio 1.15, the control plane supports arm64 as well. You don’t need to build the arm image manually, it works out of the box.

Announcements, Tetrate

David Wang joins Tetrate as the Head of Marketing

Tetrate is excited to announce and welcome David Wang to the team! David is joining as the Head of Marketing for Tetrate. He will be building and leading a world-class marketing team to develop a strategic narrative for Tetrate in the emerging Service Mesh market. David will spearhead an innovative, repeatable, and scalable GTM strategy for Tetrate. In addition, he will also create brand awareness and credibility with the analyst firms, enterprises, and the market while continuing to grow Tetrate’s unrivaled reputation within the developer community.

Tetrate

Brian Dussault joins Tetrate as the Head of Engineering

Tetrate is excited to announce and welcome Brian Dussault to the team! Brian is joining as the Head of Engineering. He will lead and scale the Engineering organization owning TSB and open source initiatives that offer rich and highly performant solutions empowering multiple personas across the enterprise in their Service Mesh journey.

Service Mesh, Tetrate

eBPF and Sidecars – Getting the Most Performance and Resiliency out of the Service Mesh

If you’ve been watching the service mesh space recently, you’ll have noticed a lot of talk about eBPF and “sidecar-less” meshes. In fact, there’s been so much talk about these things that I’m hoping for a lot of readers for this blog post, just because I’ve got all of it in the title!

But what actually are “sidecar-less” service meshes? How do they work? And do they solve the problems we’ve been told they do, namely improving performance and reducing resource usage? In this post I’ll explain what these two technologies are, what they can and can’t do for the mesh, and how they do — and do not — work together.

Envoy Proxy & GetEnvoy, Istio, Tetrate

How Tetrate Service Bridge Workspaces Ease Service Mesh Implementation

“All problems in computer science can be solved by another level of indirection.” – David Wheeler

Service mesh is an architectural construct designed to ease software development and delivery in a microservices environment. Making service mesh work at scale requires some new thinking and the introduction of a few new abstractions.

Here at Tetrate, we have been working on service mesh – its opportunities and its challenges – as long as anyone around. This work is based on our founders’ and key employees’ existing and ongoing roles as founders and maintainers of the open source projects that are most widely used in service mesh implementations: the Envoy proxy, Istio service mesh software, and the Skywalking observability project.

To complement the open source projects, and to create a complete solution, we created Tetrate Service Bridge (TSB). TSB adds a highly functional management plane to service mesh implementations, collaborating with Istio as the control plane and Envoy as the data proxy.