Gloo Mesh 1.1 and Gloo Mesh Gateway 1.0 in Detail
Today, the Solo team released Gloo Mesh 1.1, integrated with Gloo Portal for GitOps and CI/CD, and introduced Gloo Mesh Gateway, the first fully featured enterprise API gateway built on Istio. Solo was first to deliver a full-featured developer portal for Istio with Gloo Portal, and now, with Gloo Mesh Gateway, Solo is the first to offer a complete API gateway with Istio. This is a big release.
In this release, you can see that Gloo Mesh is becoming the single enterprise platform for all your service mesh needs. We wanted to go into a little more depth on how we have enhanced Gloo Mesh with an API gateway and a developer portal built on Istio, as well as provide more details on the new features.
A Full Featured Istio API Gateway
We took our years of experience building and supporting the popular Gloo Edge gateway on Envoy Proxy in production and implemented that directly onto the Istio Gateway. Istio users no longer need to set up one control plane for Istio and an entirely separate one for gateway traffic. With Gloo Mesh Enterprise, they get one product that can do both.
The best way to understand which features we are adding on top of Istio is to understand the difference between a service mesh and an API gateway for different use cases. Our Field CTO, Christian Posta, wrote a very popular blog on the topic, "Do I Need an API Gateway if I Use a Service Mesh?"
There is some overlap between the two, as well as some differences, as you can see in the chart below.
| Capability | Service Mesh | API Gateway |
|---|---|---|
Gloo Mesh Gateway is focused on expanding on this base of core capabilities to deliver full API gateway functionality in an Istio-based service mesh.
| Capability | Istio Ingress | Gloo Mesh Gateway |
|---|---|---|
| Proxy external traffic to mesh workloads | Yes | Yes |
| Basic Security (JWT, TLS, CORS) | Yes | Yes |
| Advanced Security: WAF, DLP | No | Yes |
| Advanced Authentication out of the box – OIDC, API Keys, LDAP… | No | Yes |
| Advanced Rate Limiting | No | Yes |
| Advanced Traffic Routing and Shaping | No | Yes |
| Automatic Service and API Discovery | No | Yes |
| API Developer Portal | No | Yes |
Major Features of Gloo Mesh Gateway, an Istio API Gateway
- Advanced rate limiting – Rate limiting is a key feature of API gateways. For Gloo Mesh Gateway, we took the advanced rate limiting features we have in Gloo Edge and ported them directly to Istio. Currently, Gloo Mesh Gateway supports North-South advanced rate limiting, but East-West rate limiting will be added to the generally available product within weeks. Gloo Mesh Gateway gives users a consistent API for both North-South and East-West rate limiting.
- External authentication – API gateways act as a control point on incoming connections requesting access to the various application services running in your environment. In a microservices or hybrid application architecture, any number of these workloads need to accept incoming requests from external end users (clients). Incoming requests are treated as anonymous or authenticated, depending on the service. You will usually want to establish and validate who the client is and what service the client is requesting, and to apply any access or traffic control policies. Gloo Mesh Gateway provides the mechanisms for authenticating and authorizing requests.
- Multi-cluster ingress – Multi-cluster ingress is a common use case, but it requires sophisticated engineering. With Gloo Mesh Gateway, you can easily configure multiple ingresses across multiple clusters with one VirtualGateway resource that aggregates the management of those ingresses.
- Delegation – While it is possible to define routes for a domain in a single configuration resource, this becomes burdensome when there are a large number of routes. Delegation allows a complete routing configuration to be assembled from separate config objects. The root config object delegates responsibility to other objects, forming a tree of config objects.
- Single-pane-of-glass observability – Gloo Mesh Gateway works seamlessly with the observability platform already shipped in Gloo Mesh Core. There is no extra work to monitor the gateway resources, and you also get the user experience enhancements to the graph that we cover in the Gloo Mesh section below.
- Different gateways for different namespaces – Organizations want to separate North-South and East-West gateways into different namespaces for security, high availability, and other use cases. Gloo Mesh Gateway allows for this configuration with the latest release.
We will also have transformations such as Data Loss Prevention (DLP), Web Application Firewall (WAF), and SOAP/XSLT for Istio in our generally available Gloo Mesh Gateway release.
New Gloo Mesh Core Features
- Gloo Portal integration with Gloo Mesh and Istio – Gloo Portal now integrates directly with single cluster use cases for Gloo Mesh with Istio. Organizations can now catalog, share, and manage their APIs for their Istio-connected services in a self-service portal to enable GitOps and CI/CD. In the upcoming weeks, Gloo Portal will add full multi-cluster support for Gloo Mesh and unlock the potential of multi-cluster, multi-mesh API management.
- An additional version of Istio in long-term support – Currently the open source community only supports N-1 versions of Istio, but enterprise customers require longer-term support. Previously, we had committed to and built out our Istio pipeline for N-3, but we have had customers that required even more versions. So we now support the five latest versions of Istio, starting at 1.7 and above.
  We have already backported security vulnerability fixes to patch releases of all supported versions, and will continue to do so within 24 hours of their announcement.
- Observability UX improvements – Observability was a key part of the Gloo Mesh 1.0 release, as it brought unique multi-cluster capabilities to monitoring Istio. We had feedback from users on the look and feel of our Graph enhancement, and in this release you will find some notable improvements. To start, the graph now has a lot more usable area for visualization, as we have moved the filters to the top of the screen. We also added an option to go into a full-screen mode. New icons in the graph indicate things like mTLS being turned on. There were also a number of refinements to give users more information on what filters and controls do. Animations and the ability to move graph boxes around will be available soon too. We also have big plans in the roadmap for our observability platform.
- Improved security certificate management – As customers moved into production with Gloo Mesh v1.0, they required more sophisticated certificate management capabilities. For example, while Gloo Mesh sets up the certs required for installation, organizations often have a distinct team that issues certificates, which they then need to apply to Gloo Mesh. Customers can now apply their own certs in Gloo Mesh v1.1 for this common use case. Gloo Mesh can now also help with certificate rotation and has Vault integration for root and intermediate certificates for Istio to sign its workloads.
- More safety rails during installation – Gloo Mesh now has a number of pre- and post-flight environmental checks that run when installing the product to verify that it installs correctly. We also cleaned up logging, which at times was too verbose and at other times not verbose enough. You will see more work on installation process improvements related to upgrading and registering Istio instances.
Try Gloo Mesh, Gloo Mesh Gateway, and Gloo Portal today!
You can request a free trial of Gloo Mesh today here.
Watch a deep-dive demo of Gloo Mesh Gateway.
Join the #gloo-mesh and #gloo-portal channels in the Solo.io Slack.
See a comparison of Gloo Mesh editions and open source Istio.
Read the docs on Gloo Mesh Gateway.