How VMware Tanzu Service Mesh measures up to open source
VMware offers Kubernetes on vSphere, but the vendor still has work to do to make vSphere ideal for modern applications. Kubernetes enables applications to run in containers at scale for microservices-based applications, but users must combine a collection of microservices to create a full application — which is one role of a service mesh. VMware now offers Tanzu Service Mesh for vSphere users running Kubernetes containers.
Security is another common service mesh function. A service mesh can manage the isolation of microservices that should not communicate, restrict communication of those that should and validate that each microservice is not malicious. Service meshes also enable you to monitor both your application as a whole and individual transactions as they pass through the application.
Service meshes are familiar territory for public cloud providers, but many organizations that begin to develop microservices-based applications on their own might have to build the supporting systems themselves.
The open source service mesh
One way to build a service mesh is to combine the open source tools Istio and Envoy to manage the interactions between microservices.
Microservices run as containers on a Kubernetes cluster. The service mesh then assembles those microservices into an application. Envoy manages network traffic that moves in and out of containers and verifies trust between containers. It operates as a “sidecar” container to each microservice container, and all network traffic in and out of that microservice container must first go through the Envoy container.
Envoy acts like a firewall for the container and allows only known network traffic in. Istio, meanwhile, acts as more of a control plane: it sets policy for Envoy and provides application-level services.
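To make the Istio/Envoy division of labour concrete, the following is an added example (not from the article or from VMware) of the Istio policy objects that program the Envoy sidecars: a PeerAuthentication that requires mutual TLS between sidecars, and an AuthorizationPolicy that lets only one named workload reach another. The namespace, workload labels, service-account name and paths are assumed.

```yaml
# Added example: Istio security policy as enforced by the Envoy sidecars.
# Namespace "shop", label app=payments and service account "checkout"
# are assumed names, not from the article.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  # STRICT: sidecars in this namespace accept only mutual-TLS connections,
  # so every caller must present a mesh-issued workload certificate.
  # This is the "trust between containers" that Envoy verifies.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  # Applies to the Envoy sidecar of every pod labelled app=payments.
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the only workload permitted to call payments;
        # the sidecar takes it from the peer certificate, not from a header.
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

Once an ALLOW policy selects a workload, its sidecar rejects any request that matches no rule, which is the firewall-like behaviour described above; Istio distributes the policy, and Envoy enforces it on every connection.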
Together, Istio and Envoy work well as a service mesh; however, both tools have complex setup and operation requirements. This complexity provides an opportunity for software vendors such as VMware to offer a more enterprise-ready offering, as most organizations prefer to buy prepackaged software rather than assemble a service mesh from parts.
VMware’s latest offering: Tanzu Service Mesh
VMware’s Tanzu portfolio aims to centralize management for hybrid and multi-cloud applications, and Tanzu Service Mesh — announced when VMware released vSphere 7 — adds one more factor to this equation. The vendor built Tanzu Service Mesh with the help of Istio and Envoy, so the offering closely resembles a standard, open source service mesh.
A significant difference between Tanzu Service Mesh and an open source service mesh is that Tanzu operates consistently across multiple Kubernetes clusters, rather than being limited to a single cluster. With a single service mesh that spans multiple Kubernetes clusters, an organization can deploy applications that span from on-premises to one or more public cloud providers.
VMware Tanzu Service Mesh is said to be easy to deploy and operate, so businesses can build hundreds of microservice-based applications and deploy them on whatever cloud or on-premises platform best suits each application.
How NSX factors into Tanzu
VMware also released an NSX Service Mesh, which handles network isolation, security and trust. It appears that Envoy handles these tasks for VMware Tanzu Service Mesh — likely because Tanzu Service Mesh came as a result of VMware’s acquisition of Heptio, an open source Kubernetes management service provider.
NSX is not open source. Therefore, it was unavailable to the Heptio team before the acquisition. VMware has recently implemented new changes to NSX, but NSX Service Mesh does not yet have Envoy’s full feature set. Moving forward, VMware might implement NSX as a replacement for Envoy in its Tanzu Service Mesh.