
Tanzu Service Mesh Overview


In this section, we will learn about Tanzu Service Mesh (TSM).

41. The Appeal of Containers

The best part about containers is that they are ultra-portable. Images can be layered like a cake to build brand new images: an image pulled from the internet can be extended with a new binary to build something custom. That's the appeal of containers. However, it also means application development teams can download images from anywhere on the Internet and build new images that inherit whatever vulnerabilities those base images carry.

42. Implement Mutual TLS (mTLS) for Application Services across Multiple Clouds using Tanzu Service Mesh

Getting the services on one cloud to work with services deployed on a different cloud can be challenging. Every cloud has its own methods of configuring networking, and the complexity can be daunting. It can be difficult to manage the protection of your data in flight all the way from the source application to the destination and back.

Tanzu Service Mesh makes the process of connecting applications running across clouds simple for operations and application teams by grouping all of those services into a global namespace that spans multiple clusters. By leveraging open source projects like Istio, Tanzu Service Mesh enables applications to discover remote services through DNS. It routes network traffic to remote clusters and manages the mTLS-encrypted links between clouds, ensuring your data is always protected in flight without having to implement mTLS in the application layer itself.

43. Login to Tanzu Service Mesh

  • Tanzu Service Mesh Integration is already enabled. For reference, this is done by clicking 'Actions -> Tanzu Service Mesh -> Add' on your cluster.
  • Enable Tanzu Service Mesh on all namespaces.
  • Once it is available, click on the 'Tanzu Service Mesh' link in the Integrations widget to open Tanzu Service Mesh. For the purpose of this demo, we will study two pre-staged clusters in more detail in TSM.

44. View the Global Namespace

  • Click on 'Home' from the left hand side navigation pane
  • Click on 'GNS Overview'
  • Click on 'acmefitness'

A Global Namespace defines the logical security boundary of an application running across multiple clusters or clouds. Once a Global Namespace has been created, a CA domain is established and automated mTLS encryption is enabled for all the microservices in that domain.

45. Acme-Fitness application Microservices

This application is running on one cluster running on TKG in vSphere ('vsphere-pf-demo') and one cluster running in GKE ('gke-tsm').

We have an ingress gateway that is the main ingress for the application ('istio-ingressgateway'). The 'catalog' service is running in the 'vsphere-pf-demo' cluster, and we can see an mTLS-protected, cross-cluster link between the 'shopping' service and the 'catalog' service. No special rules had to be created to enable this; the link is managed entirely by Tanzu Service Mesh.

46. Look at Micro-Services Performance

Hover over the 'catalog-mongo' service name in the graph to show its performance stats. The value of exposing these KPIs right in the Service Mesh interface is to speed up troubleshooting.

47. Conclusion

And there you have it! Tanzu Service Mesh lets you create global services across clusters and enable mTLS between services.