Envoy-Based Application-Level Security and Observability

Gain application-level observability and secure service-to-service communication within your Kubernetes cluster, without the operational complexity and performance overhead of a service mesh

Application Layer Observability | Tigera 1


Get application-level observability with Envoy integrated as a daemonset into your data plane and high-performance, data-in-transit encryption using WireGuard. Detect anomalous behaviors like attempts to access applications or restricted URLs, and scans for particular URLs. Meet organizational and regulatory compliance requirements for application protection. Developers and platform operators get application-level information such as transaction/request throughput, error rates, and latency metrics in an interactive and customizable dashboard to monitor and troubleshoot connectivity issues, identify performance hotspots, and detect operational anomalies without the operational complexity of service mesh.


Best-in-class encryption

Lower performance overhead

Reduced operational complexity

Secure access and authorization

Key Features

  • Provides a centralized, all-encompassing view of service-to-service communication within a Kubernetes cluster. Have purpose-built visualizations showing the communication between the logical hierarchy of namespaces, services, and deployments.
  • Eliminate sidecars with Envoy integrated directly into the data plane. Minimize resource consumption by generating and aggregating observability data in the form of log data at the source on each node in the cluster. Meet security requirements while maintaining observability with high-performance, low overhead, encryption for data-in-transit with WireGuard.
  • Provides Kubernetes-specific metadata in logs and metrics with zero configuration overhead (i.e. eliminate setup tags and pod annotation).
  • Leverages state-of-the-art encryption with WireGuard to secure workload communication within a cluster without the operational complexity of managing and deploying certificates.
  • Using WireGuard, remote write into secure network tunnels that are implemented in a simple way, extremely performant, make use of state-of-the-art cryptography, and remain easy to administer compared to IPsec. Authorize secure and faster access to the environments in highly performant and fewer steps as per organizational policies.

How It Works

1. Leverages WireGuard for high-performance data-in-transit encryption to meet internal data security or regulatory requirements.

2. Delivers a single pane of glass view of all application-layer traffic, broken down by services, response codes, performance metrics, and API calls with the addition of log data rich with application-level context.

3. Provides flow log data with Kubernetes-context information:

  • Source and destination namespace
  • Average and maximum request duration
  • Request URL
  • Response code
  • User-agent
  • Method and status code (e.g. HTTP)
  • Bytes sent and received
  • Source and destination type (pod, networkset, etc.)
  • Request and response latency



Learn More

Free eBook


Solution Brief

Learn More