
Announcing General Availability of Gloo Network

Keith Babo, Nadine Spies | October 18, 2022

We are excited to announce that Gloo Network has reached General Availability with the release of Gloo Platform. Gloo Network builds on our initial support for Cilium as a CNI provider to integrate the Kubernetes CNI layer as a first-class component of Gloo Platform, providing customers with market-leading support for security, observability, and resiliency across all layers in their application network.

Gloo Network Use Cases

Gloo Network extends the reach of Gloo Platform to a new set of customer use cases, including:

  • Implementing strict network-level isolation for L4 traffic with no specific L7 requirements
  • Service graph visualization and L3/L4 observability without the need for proxies
  • Leveraging eBPF for network performance (iptables and TCP/IP traversal) and observability
  • Building a defense-in-depth architecture with zero trust security by combining L3/4 network policies in the CNI with L7 application policies
  • Establishing tenancy boundaries based on L3-L7 policies to implement service isolation
  • Scaling application network policies and observability across multi-cluster deployments

Let’s explore the features that you get with Gloo Network as a standalone CNI, and when using Gloo Network together with Gloo Mesh.

Gloo Network Features

Gloo Network integrates with the core networking capabilities of your platform via the Kubernetes Container Network Interface (CNI). With an implementation of network policy provided by the CNI, platform teams get advanced Layer 3 and 4 security without modifying their application code or the configuration of their application containers. Gloo Network automatically discovers the CNI provider, monitors CNI health, and tracks network policies defined in the CNI layer. These features enable platform teams to gain advanced management and monitoring capabilities for their networking stack as a turn-key operation.

We are seeing a tremendous surge in interest within the cloud-native community in eBPF, and Solo is fully committed to maximizing the value of eBPF in your application network. Solo has been working on multiple fronts to bring the power of eBPF to our customers:

  • BumbleBee provides a cloud-native toolchain to create, build, run, and distribute eBPF programs across your environment
  • Support for L3/L4 network policy and observability through Cilium brings eBPF directly into the CNI, eliminating the need for iptables-based routing and optimizing traversal of the network stack for inter-service communication on the same node
  • We have created eBPF-enabled optimizations for Istio sidecar acceleration that offer immediate benefits to Istio users with sidecar-based architectures today. This innovation becomes even more substantial in Ambient architectures when accelerating communication through the node-based ztunnel proxy

With all these advancements and more to come, Gloo Network provides a safe and scalable foundation for leveraging eBPF in your application network.

With Gloo workspaces, you can define the boundary of Kubernetes resources that your team has access to. These resources can be spread across namespaces or clusters. Gloo Network policies are automatically translated and applied within the workspace’s boundaries. You can optionally turn on service isolation to automatically prevent services in one workspace from communicating with services in a different workspace.

Gloo Network plugs seamlessly into the Gloo Platform management plane to provide a single pane of glass across multi-cluster environments. Users can view CNI discovery, health, and network policy details across clusters in the Gloo Platform UI, including a service graph and eBPF-enabled metrics for each service.

Better Together: Gloo Network and Gloo Mesh Enterprise

Layer 7 Policy

Although Cilium has support for Layer 7 policies, these policies require starting an Envoy proxy process in the Cilium agent and sharing that instance for all Layer 7 policies on the node. Lin has an excellent blog that explores some of the important tradeoffs and limitations with this approach in comparison with Istio. To overcome these limitations, you can use Gloo Network in combination with Istio in sidecar or Ambient mode managed by Gloo Mesh. With this approach, you get advanced security controls, connectivity, and observability at Layer 7 while optimizing the performance in your service mesh with eBPF.

Defense in Depth

Another advantage of using Gloo Network with Gloo Mesh is the ability to create a multi-layer defense mechanism that protects your apps from being compromised. Gloo Mesh offers a variety of Layer 7 traffic policies that you can apply to your service mesh in addition to the Layer 3/4 network policies that Gloo Network offers to increase the security posture of your apps. For example, you can create L7 policies such as external auth, rate limiting, fault injection, outlier detection, retries, timeouts, mirroring, transformation, WAF, Wasm, and more. By combining both worlds, you can address many different attack vectors. If one layer is compromised, your apps are still protected by policies that are enforced on other layers. 
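As an added illustration of the layering described above (constructed for this post, not taken from Solo's documentation or product samples): a Kubernetes NetworkPolicy enforced by the CNI first denies all ingress in a namespace and then re-admits only TCP/8080 from frontend pods to the orders service, and an upstream Istio AuthorizationPolicy narrows that further at Layer 7 to specific methods and paths from the frontend's mesh identity. The namespace, labels, port, service account and paths are placeholders, and the L7 resource is Istio's own AuthorizationPolicy rather than a Gloo Mesh policy type.

```yaml
# Constructed example: L3/4 default-deny in the CNI, an explicit L4 allow,
# then an Istio L7 AuthorizationPolicy on top. All names are placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed: all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-orders
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080           # L4: only this port, only from frontend pods
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-l7
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW            # anything not matching a rule below is denied at L7
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]   # placeholder SPIFFE identity
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

The NetworkPolicy layer is enforced by the CNI for every packet whether or not the pod is in the mesh, so a request that slips past the L7 rule (for example because a workload was never injected) is still limited to the allowed source and port.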

Multi-cluster control plane and data plane

Scaling network and application policy, observability, and resiliency across multiple clusters requires a management plane and data plane that are multi-cluster aware. Gloo Platform provides a centralized management plane that can be used to manage service isolation and access policies across workloads spanning multiple clusters. Combining Gloo Network with the east-west gateway architecture of Istio and Gloo Mesh, customers can also create a secure, flexible multi-cluster data plane without requiring flat network topologies.

Get Started Today

Now that you know the value that Gloo Network provides in Gloo Platform, it’s time to roll up your sleeves and dig in! The following resources are a great next step in your journey:
