Tetrate Application Gateway
Why use Tetrate Application Gateway?
Without Tetrate Application Gateway, Platform Teams need to manage and coordinate a complex network of application delivery, security and discovery tooling. They need to build their own automation to support tasks such as publishing an application, and that automation may need to span several teams or domains. Contemporary technology is ill-equipped for modern application needs: inconsistent APIs and observability make automation difficult, and IP-based security rules are coarse-grained and challenging to manage.
As a result, the application publishing process is slow and disjointed, resulting in a poor experience for Application teams. Innovation and change are slowed, and responding to customer needs takes longer and is more costly.
For example:
- A large Fintech organization reports that it typically takes 1-2 weeks from sign-off (permission to publish) to publishing an application, requiring the coordination of multiple teams. Their goal is to make this process self-service with a turnaround of less than 30 minutes.
- A manufacturing organization reports that when they expose an application from an individual location (e.g. a manufacturing plant), they need to coordinate over 200 firewalls and over 1m IP-based firewall rules. Despite this investment, the firewall rules are imprecise and challenging to maintain.
- Another fintech organization reports that their existing application delivery platform, built on legacy ADC technology, is expensive to operate, and that updates to that platform will be extremely disruptive, giving them an opportunity to look at other approaches.
- Many customers report that their existing observability and troubleshooting workflows are disjointed, as they need to collect and reconcile data across multiple management planes and vendor-specific solutions.
By enabling Platform Teams to provide safe, compliant workflows that allow Application Owners to publish and manage traffic to their applications, businesses can unlock greater agility and lower operational costs. This will allow them to respond to changing external requirements more quickly, and provide a much higher level of internal developer satisfaction.
The idealized application delivery architecture
An idealized application delivery platform brings together multiple vendor solutions, and is often presented in a linear fashion:
Even in this idealized architecture, the problems are apparent:
- Coordinating configuration for multiple devices across multiple teams (Security, Platform, SecArch, etc.)
- Uncertainty, because some solutions (e.g. firewalls) are complex to configure and are not service-aware, meaning the resulting configuration is imprecise
- Risk of impacting other applications running on the shared infrastructure, or of opening security holes
- Lack of end-to-end automation, meaning ticket-based operations and manual configuration
A realistic application delivery architecture
In practice, the platform is far from linear:
- It scales horizontally, as it spans multiple deployment environments across clouds and on-prem infrastructure
- It multiplies in complexity as it has to support multiple application types: containers, VMs, bare metal, external services
- The perimeter is challenging to police, as the platform must cater for external users, partner applications, internal users and internal East/West traffic
- Multiple, uncontrolled Entry Points for different clients (internal, external, partner, mobile)
- Multiple Edge and Many App environments
- Multiple deployment environments (cloud, on-prem, hybrid)
- Multiple Application Types (VM, Container, Serverless, Bare Metal, External Service,...)
- … with complex segmentation and complex ownership
The result is expensive complexity
When deploying a new app, or adding a new entry point, there are:
- Too many vendors, …
- Too many management planes …
- Owned by too many teams …
- Shared between too many other apps …
... all awkwardly applied to the task at hand: managing traffic for apps.
Users typically report symptoms such as:
- Slow Rate of Change: we see deployments taking upwards of 7 days
- Manual, Ticket-based Processes: automation does not cover everything, and checks and balances are needed
- Frustrating Decision Process: too many questions, imperfect answers, too much coordination required; frustrating for App Owners and Developers
- Inexact Security: despite the need for precise segmentation, security tools rely on IP addresses which identify environments, not workloads
- Fragile Configuration: massively-shared configuration using imprecise nouns means every change is fraught with danger
... all further amplified by the needs for Segmentation, Application Mobility, HA/DR/Resilience, and Consistent Observability.
With Tetrate Application Gateway
With Tetrate Application Gateway, the 'middle layer' from Edge to Application can be replaced by a single solution built on mesh technology, with a single control and observability plane:
Tetrate Application Gateway can be deployed on top of the existing infrastructure, taking on the roles of firewalls, routers, API gateways and load balancers:
- Edge Load Balancer to publish apps securely for external access, providing a secure perimeter
- Internal mesh routing based on service identity and mTLS, providing security, segmentation and high availability
- Transit Gateways to connect disconnected environments securely and easily
- App Gateways to expose services to the mesh, and provide the required API-Gateway and traffic management capabilities
- DNS Integration to coordinate DNS and GSLB configuration with application availability and health
With Tetrate Application Gateway, you will see:
- Clear demarcation between Platform and Application Owner jobs-to-be-done
- Integrated security, routing, observability from Edge to Application
- Fine-grained and dynamic security, based on service identity (not IP address)
- Simple UX for Application Owners, using a pre-defined, declarative pipeline that can be tuned by the Platform Owner
- Rich, native integration with modern cloud-native tooling (observability, DNS, etc.)
The benefits include:
- Superior, simple application owner experience
- Control remains with the platform owner, in the form of templates and guardrails that are applied automatically
- Simple integration with firewalls, load balancers and other devices, with no need for per-application configuration
Application teams will be more responsive and productive. Applications can be deployed to production and exposed in a matter of minutes, not days. Troubleshooting and performance analysis are built into the platform, so complex integrations are not required.
In summary
Tetrate Application Gateway begins with a hosted management plane, making it very quick to stand up the solution and see initial benefits.
Platform Owners deploy edge gateways into locations of their choice. Edge Gateways serve as the initial ingress point into the infrastructure, and forward traffic to a secure, internal mesh. Edge Gateways can be integrated with common DNS providers, so that when a new service is exposed or is migrated, the correct DNS configuration is maintained at all times.
Application Owners are given the ability to onboard applications from their deployment locations, expose these applications to the internal mesh, and then publish these applications through selected Edge Gateways. All activities are governed and limited by security and compliance policies defined by the Platform Owner. Application Owners publish applications, observe metrics and traces, and troubleshoot services using the rich User Interface, complete APIs, and powerful GitOps and kubectl integrations.