Tigera Marries Container Networking to Service Mesh

All the technologies required to deploy containers in the enterprise can be a bit overwhelming to consume. With an eye toward making that easier to achieve, Tigera has launched Tigera CNX, a commercial offering that combines its pioneering open source Project Calico container networking software with the open source Istio service mesh technology developed by Google, IBM and Lyft.

CEO Ratan Tipirneni says Tigera CNX is optimized for cloud-native applications based on Docker containers that would be deployed on top of an instance of the Kubernetes container orchestration engine. Collectively, Tigera CNX reduces much of the complexity associated with deploying microservices on top of Kubernetes, says Tipirneni.

In many ways the challenges IT organizations face when managing microservices are not that much different than what was encountered when IT departments were trying to master web services technologies within the context of service-oriented architecture. Some might even contend that a service mesh is a lighter-weight version of a classic proxy server.

Tipirneni says Tigera CNX advances that goal by combining Istio with Project Calico to create a zero-trust approach to securely deploying a microservice. Dubbed ZT-Auth, Project Calico employs this zero-trust security model across virtual machines and bare metal servers running on premises or in a public cloud, including all the access controls and encryption employed to secure all the data moving between microservices.

That security layer built into Calico enables DevOps teams to easily define which connections are allowed and which are not using rules that implement and extend the Kubernetes Network Policy application programming interface (API). It uses a distributed algorithm to calculate which rules are required on each node in the cluster and updates them dynamically as workloads are created and terminated. That’s critical because of the ephemeral nature of most microservices based on containers. Calico, meanwhile, routes packets from the workload onto the underlying IP network without any extra headers. Whenever there is a need to move beyond application boundaries, Calico employs lightweight encapsulation using an IP-in-IP connection or virtual network as an overlay.
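To make the per-node rule calculation concrete, here is a simplified model added for illustration; it is not Calico's or Tigera's code. The `Workload` and `Policy` types, the label names, node names and IP addresses are all constructed assumptions, and only ingress allow rules keyed on label selectors are modeled.

```python
from dataclasses import dataclass

def lbl(**kv):
    """Build a label set, e.g. lbl(app="db")."""
    return frozenset(kv.items())

@dataclass(frozen=True)
class Workload:
    name: str
    node: str
    ip: str
    labels: frozenset

@dataclass(frozen=True)
class Policy:
    selector: frozenset    # workloads the policy protects
    allow_from: frozenset  # labels a peer needs to be let in
    port: int

def rules_for_node(node, workloads, policies):
    """Ingress allow-list a node must program for its local workloads only."""
    rules = {}
    for dst in (w for w in workloads if w.node == node):
        applied = [p for p in policies if p.selector <= dst.labels]
        if not applied:
            continue  # unselected workloads stay non-isolated (Kubernetes default)
        # A selected workload accepts only the union of what its policies allow;
        # an empty list therefore means "deny all ingress".
        rules[dst.name] = sorted({
            (src.ip, p.port)
            for p in applied
            for src in workloads
            if src.name != dst.name and p.allow_from <= src.labels
        })
    return rules

# Constructed sample: db accepts only api on 5432, api accepts only frontend on 8080.
POLICIES = [
    Policy(lbl(app="db"), lbl(app="api"), 5432),
    Policy(lbl(app="api"), lbl(app="frontend"), 8080),
]
CLUSTER = [
    Workload("frontend-1", "node-a", "10.0.1.10", lbl(app="frontend")),
    Workload("api-1", "node-b", "10.0.2.10", lbl(app="api")),
    Workload("db-1", "node-b", "10.0.2.20", lbl(app="db")),
]

if __name__ == "__main__":
    print(rules_for_node("node-b", CLUSTER, POLICIES))
    # A new api replica on node-a changes the rules node-b needs for db-1.
    scaled = CLUSTER + [Workload("api-2", "node-a", "10.0.1.11", lbl(app="api"))]
    print(rules_for_node("node-b", scaled, POLICIES))
```

Recomputing after a workload is created or terminated shows why rules keyed on labels rather than fixed addresses suit ephemeral containers: the policy objects never change, only the address sets each node derives from them.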

Most IT organizations today are not likely to have the skills in place to master Kubernetes as well as Calico and Istio. Tipirneni says in addition to making these technologies easier to consume, IT organizations will also be able to leverage the expertise of Tigera to help manage them.

The fundamental difference between microservices and previous SOA efforts is that adoption of microservices is being driven primarily by developers. SOA, for the most part, was an exercise in best practices driven mainly by internal IT departments. Microservices apply many of the same concepts across smaller amounts of code. But some variant of the software infrastructure that was used to manage SOA deployments now needs to be reinvented to support cloud-native microservices based on containers.

Naturally, it’s still early days when it comes to network overlays and service meshes. There already are multiple approaches to container networking and service meshes that support containers. But Tipirneni says the sooner IT organizations come to terms with both technologies, the easier it will become to drive adoption of containers and microservices across the enterprise.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
