MASC Multi-cloud Application Security Lab Guide (beta)


About MASC - Multi-cloud Application Security with Tanzu Service Mesh, Avi AKO/GSLB and Antrea-NSX Lab

Introduction to Multi-cloud Application Security Lab running on multiple cloud providers including Tanzu Kubernetes Grid for on-premise SDDC to Public clouds (EKS,AKS,OKE,GKE). In this lab, you can hands-on Tanzu Service Mesh, Avi AKO/GSLB and Antrea-NSX security features by yourself running on multiple Kubernetes clusters on different Public cloud operations. You will experience how we can easily solve North-South and East-West Security challenges on customer multi-cloud environment and more.

Tanzu Service Mesh (TSM) provides end-to-end connectivity, resiliency, security, and insights for modern applications running in single and multi-cloud environments. Tanzu Service Mesh is a leader in service mesh innovation – providing policy control and visibility across end-to-end communications from application end-users, to services and APIs, and data – enabling compliance with service level objectives (SLOs) and data protection and privacy regulations. 

Tanzu Service Mesh (TSM) provides strong, multi-cloud, easy-to-operationalize network defenses that secure application traffic within and across clouds. TSM makes it easier for you to enable Zero Trust application access across multi-cloud environments—so you can secure traffic across applications and individual workloads with security controls that are consistent, automated, attached to the workload, and elastic in scale. 

This lab is intended for intermediate to advanced-level users exploring VMware Tanzu Service, Antrea CNI and Avi AKO/GSLB use cases, helping you to explore security concepts and plan with TSM.

How Tanzu Service Mesh works

This lab will use a scenario involving TSM which provides advanced, end-to-end connectivity, security, and insights for modern applications — across application end-users, microservices, APIs, and data. TSM provides service mesh capabilities across single and multiple clusters, clouds, and data centers. Teams can build application resiliency and data security policies and bake security testing into their existing DevOps toolchain, ensuring application high availability, performance and secure transactions. In addition to rich application performance metrics and security visibility, it offers application and data-level security policies — for example, attribute-based access control (ABAC) policies, end-to-end encryption policies, and API segmentation, parameter validation and threat protection policies.

Enterprise-grade, integrated load balancing, ingress and container networking. With TSM, platform and IT operators can easily implement container ingress services, including L4-L7 local and global server load balancing (GSLB), web application firewall (WAF), DNS, and IPAM in a single platform across any cloud. In addition, it has built-in container networking leveraging Antrea, making it easy for platform operators to apply and change network policies to run applications without the risk of disruptions and with guaranteed security enforcement into each cluster. Application moder

Let's now see how Tanzu Service Mesh (TSM) and Modern App Security (Antrea/Avi AKO/GSLB) Lab Guide can help prevent and protect against these attacks.

Section 1: Before You Begin 

1.1 Access to the Lab

To login to the environment, perform the following steps:

  • First, open a web browser of your choice (Incognito recommended) and navigate to vmtestdrive.com. Select LOG IN.
    If you do not already have an account please reference the instructions found here.                   
    Note: we only support customer sign up with their corporate email - do not to use personal email like Gmail (if doing so, no email activation will be sending out).
  • If you are signing in for the first time and don’t have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account.

  • Enter your TestDrive Username and Password and select ENTER.

  • Locate the Multi-Cloud Security product under the Intrinsic Security tab and click Launch. Make sure that you open Multi-cloud Application Security Lab and refer it on a separate tab.

In case of long idle or got disconnected, please log-out from the upper-right corner and re-login to Launch a new Horizon desktop or switch to Incognito browser instead of Chrome/Firefox.  

  • A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
    Note: Please provide the short username (not your email ID) and password to login.


  • Click on Apps section and search for the NSX-TSM desktop and launch it.
  • Now you'll be on the Multi-Cloud Security desktop. At this point you can begin the walkthrough steps listed in the next section.
1.3 Access Tanzu Service Mesh GUI

Double click on the TSM-Autologon icon in the desktop to launch Tanzu Service Mesh

While Tanzu Service Mesh Launches, do not press any key or click mouse.

Section 2:  Modern App Security with Tanzu Service Mesh

In this section, we will walk you through the core component of how easily TSM can secure the communications between services and the automation framework (APIs). This is  important service as more and more more distributed modern applications required for their inter-communication between services compared to monolithic environments. Ops teams need to be able to monitor and remediate automatically security threats. Existing workloads should easily be protected without interruption.  In this section, you will learn: 

-The key security concerns and challenges in a modern apps, multi-cloud environment

-How VMware Service Mesh can address the modern app security challenges by securing communications as well as services and data while it’s being processed.

The technologies covered by our VMware Service Mesh TSM include end-to-end encryption, mTLS, API security, runtime protection, container isolation, how to monitor and remediate to security threats.

2.1 TSM GNS Overview

Global namespace, a unique concept in Tanzu Service Mesh, defines an application boundary. A    global namespace connects the resources and workloads that make up the application into one virtual unit to provide consistent traffic routing, connectivity, resiliency, and security for applications across multiple clusters and clouds

Lets start reviewing the ACME Global Namespace in the TSM console.

1.  Click on Home -> Under GNS Overview ,                                                                                        

  • Click on three dots and select Edit  "Global Namespace"

2. Review the ‘GNS Name’ and Domain name for GNS. Domain provides automatic service   discovery and manages service identities within that Global Namespace. Click on Next

3. Observe Namespace Mapping Rules - It defines the services included in Global Namespace.

  • prod-tanzu-tkg-dc01 is the first On-Prem Kubernetes cluster and Name space mapped is  acme-app. Front-end of the application with shopping micro service is deployed on this cluster.
  • prod-tanzu-tkg-dc02 is the second On-Prem Kubernetes cluster and Name space mapped is acme-app. Backend application Database with catalog micro service is deployed on this cluster

4. Click on Next to navigate to Auto Discovery.

  • API Discovery  Observes and monitors traffic between services in the GNI and configure API Security Policies.
  • PII Data Discovery  Observes and monitors traffic between services in the GNI and configure Data Security Policies.

5. Public Services  It is a way to expose a service outside its Global Namespace to enable external users to access the services.

  • Service Name  It is the service we want to expose it to the external users for accessing the application
  • Service Port  Port number where application service uses for connection
  • Public URLs  Url available for external users to make a request to the application

6. GSLB & Resiliency  Defines Global Load Balancing Scheme, Health checks & High availability for public services in the GNS.

2.2 TSM GNS Topology

1. Click on Home. Under GNS Overview click on acmegns

2. Observe the properties of Global Namespace like health status and security type. After that   scroll down to GNS Topology

3. TSM generates a topology graph dynamically by observing the traffic flow between services in the GNS. The topology shows three key metrics of services.

  • The Services incoming requests per second(rps)
  • The Error rate, that is percentage of failed requests to the service
  • The 99th percentile latency of requests processed by the service.

Prod-tanzu-tkg-dc01  On-Prem Kubernetes cluster with frontend services of ACME Shopping Application.

Prod-tanzu-tkg-dc02 - On-Prem Kubernetes cluster with backend catalog services of ACME Shopping Application.

The connection between the shopping service in cluster01(Prod-tanzu-tkg-dc01) and the catalog service (Prod-tanzu-tkg-dc02) shows the traffic flows between them.

2.3 TSM Access Control Policies

A service group is a collection of services in the Global Namespace. We can observe the aggregated metrics for the services in the group or consistently enforce policies across the service group.

Service groups serves two main purposes:

  • To monitor relevant metrics such as ‘requests per second’, ‘latency’ & ‘error rate’ across the services in the group.
  • We can also define & apply consistent Access control polices to the entire service group.
  1. Click on Security under GNS Topology.
  • An access control policy is applied between frontend service group and catalog service group.

2. Click on frontend-catalog to review the policy.

  • Shopping service added to the frontend group and Catalog service added to the catalog group.
  • Click on edit policy to view the detailed Access Control Policy configuration

3. Review the Access Rules of Access Control Policy between the service groups.

  • Policy Name  Name of the policy for Access rule.
  • GNS Scope  Global Namespace scope, under which service groups are created
  • Source and Destination Services  Drop down will list all the services groups created under specified GNS scope, Service group can be selected as per the requirement.
  • Policy Intent  Define the type (Allow/Deny) of traffic using drop down All Traffic, Specific TCP Connections, Specific HTTP Requests. Click on cancel after reviewing.

Note: For creating service group navigate to Inventory -> Service Groups

2.4 Acme Shopping Application API Overview

1. Click on APIs, select shopping service and open it to view all the APIs.

2. Observe the shopping service topology under service dependencies.  

  • Service Topology depicts the traffic flow between the Shopping service to all other connected services via APIs.
  • Under APIs & Connections, All the incoming API methods and Path are listed.

Click on any API(/products). All the API data like Schema and logs are available

3. You can use the topology to understand about all the APIs involved and to determine the key security events.

  • API Overview  Contains Key security events, Top errors, latency information.
  • API Schema consists of Request information, API Response code and JSON data of Schema.
  • All the API traffic logs data is recorded between source and destination services.

   Click on back button twice to navigate GNS Topology under acmegns namespace

2.5 TSM PII Data Discovery

Tanzu Service Mesh discovers the components of the application, APIs, PII data and application users. It then learns the behavior of application and creates a baseline of normal behavior.

1. Click on PIIs, we can see GNS topology with no PII data detected. Let’s place an order in ACME shopping application to visualize how PII data is automatically captured and presented within the topology.

2. Open the ACME fitness shopping application in chrome.

  • Open google chrome and access the application and place the order of an item of your choice.
  • http://shopping.vmware-demo.net
  • Select any item from catalog and add to cart
  • Click on Item s IN CART on top right corner of the window.
  • In shopping cart, click on Proceed to Checkout.
  • Under Checkout-Address, Provide the required information as shown below and click on Continue to Delivery Method
  • Continue to Payment Method and populate the payment information as shown below and click on continue to order review
  • Under order review, proceed to place an order as a final step to complete the order placement

3. Navigate to TSM console to review PII data under GNS Topology.

  • In the GNS topology the data flow between the services is highlighted
  • The PII data traffic in each microservice from beginning to the end is captured.
  • How the application handles sensitive PII data, which services are involved in total transaction is shown.
2.6 TSM Attack Discovery & API Security
  1. Click on Attacks under GNS Topology.

2. Click on shopping service to view the detailed overview of security events and APIs involved in the attack.

  • Under service dependencies select Attacks.
  • Under Incoming APIs click on /Products API to navigate to security events.
  • Under API Overview security analytics provides total security events with PII and Attacks detected data.
  • Scroll down to security events. Observe the Timestamp, severity, Event title, Destination Service and Attack information for each attack.
  • Post reviewing the events, Click on Home.

3. API security policies are to secure and segment the applications against API and deep payload layer threats. TSM’s Global Namespace construct, to offer discovery, detection and behavioral security and observability capabilities across multi-cloud environments.

  • Under Home Expand Policies > Click on API security under Policies
  • In API Security, under acmegns, Click on three dots next to shopping and select Edit Configuration
  • API security policies offers to enforce consistent policies with Access control, PII Data Security, Attack defense and schema validation.
  • Observe the type of actions allowed for each security policy.

2.7 TSM Security Threat Remediation (tbd)

Tanzu Service Mesh helps teams overcome the performance and security visibility gaps resulting from distributed microservices architectures and adoption of multiple platforms and clouds. Operations teams have access to rich troubleshooting tools, including multi-cloud topology maps and traffic flows, performance and health metrics, and application-to-infrastructure correlation.

Section 3: Container Networking with Antrea and NSX-T (beta)

This section will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment.

Next, we will  will showcase how easily the MASC VMware Modern App Security Connectivity which includes Tanzu Service Mesh, Avi AKO, Antrea-NSX and CB container can help you as customer navigating through this transition of their multi-cloud journey. The technologies covered include end-to-end encryption, mTLS, API security, runtime protection, container isolation, and how to monitor and remediate security threats with full security stack defense in depth from layer 2 to layer 7 from an on-premises data center to multi-cloud data centers. 

Also securing the communications between services with API Security is more important with more distributed applications compared to monolithic environments thus DevSecOps teams need to be able to monitor and remediate automatically security threats.You will learn the key security concerns and challenges in a modern apps, multi-cloud environment (coming soon)

Section 3: Connect and Secure your Apps with Antrea and VMware NSX-T (coming soon)

Section 4: Networking with Avi (coming soon)

Section 5: Carbon Black Container Integration (coming soon)

Section 6: TMC,TSM,WCP, TKG in Multi-Cloud (coming soon)


Tanzu Service Mesh is an enterprise-class service mesh that helps solve the challenges associated with deploying a distributed microservices application by providing service-mesh functions across multiple clusters and clouds.

Tanzu Service Mesh provides service mesh capabilities for resources in a distributed application by arranging these objects in a logical group called global namespace. A global namespace is not tied to a single cluster and connects resources between two or more clusters. Each global namespace manages service discovery, observability, encryption, policies, and service-level objectives (SLOs) for its objects regardless of where they reside - in multiple clusters, sites, or clouds.

By abstracting the service mesh from the physical boundaries of a single Kubernetes cluster and a single cloud, and by extending the scope from service-to-service communication to users-to-service-to data communication, Tanzu Service Mesh is able to control, secure, and operate applications, no matter where their components are deployed.

Additional Resources

VMware Security on Tech Zone and Hands-on Lab

Contact us: nsxtestdrive@vmware.com

Previous Article VMware NSX Advanced Load Balancer (Avi Networks) - Quickstart
Next Article NSX-T 3.2 Security Lab Walkthrough