Webinar Recap – Gloo Federation Overview and Demo

Gloo is our next generation API gateway built with Envoy Proxy to help application teams secure and control the incoming traffic to their backend application workloads including legacy monoliths, microservices/Kubernetes, and serverless functions. Gloo is deployed at the edge and handles what is commonly referred to as “ingress” or “north/south” traffic into a cluster. As environments scale, the number of clusters grows — this is a well understood practice for improved isolation, fault tolerance, resilience and more.

Recently we announced Gloo Federation (Gloo-Fed), a new capability of Gloo Enterprise to manage multi-cluster Gloo API gateway environments. As a unified control plane for multi-cluster federation and management, Gloo-Fed streamlines the configuration of global resources and failover routing across clusters, clouds, and regions. Read the announcement here.

The webinar, featuring Christian Posta, Global Field CTO, and Joe Kelley, lead engineer, digs into the following areas of Gloo Federation:

  • Technical Architecture
  • Global Configuration, Discovery, and Visibility
  • Cross Cluster Failover Routing
  • Role Based Access Control
  • Demos and Q&A

Watch the replay here

Highlights from the Q&A

Can you use Gloo (API Gateway) instead of a service mesh and vice versa?

This is a very common question, because many of the traffic shaping and management capabilities are similar, but they are applied to different traffic flows. Envoy is the modern proxy of choice for the data plane, and it can be deployed at the edge as part of a gateway and as a sidecar proxy to services in a service mesh, each with its own control plane. These two work together to address the north/south (gateway) traffic and the east/west (service mesh) traffic, but they are fundamentally different. Something like Gloo handles the traffic coming from external clients into the service (north/south traffic), and a service mesh handles the traffic between the services (east/west traffic).

On Sept 10th at 10am Pacific, we are hosting a webinar to answer the question: Can you replace API Management with a Service Mesh? Register for the event here

How is Gloo Federation similar to or different from Service Mesh Hub? Both are for multi-cluster management, and how do I choose which to use?

Similar to the question above, Gloo is an API gateway for handling north/south traffic and a service mesh is for handling east/west traffic. Gloo Federation handles configuration and traffic management for Gloo API gateways deployed on multiple clusters, including global configuration, failover routing across clusters, and more. Similarly, Service Mesh Hub does this for multiple clusters of service mesh, from the same or different service mesh providers. Watch the replay here for Gloo Federation and check out this video about Service Mesh Hub.

You mention the ability to enforce compliance. Could you block access to an API by the country the user is sending the request from?

Yes. While compliance has a really broad surface area, the specific use case of blocking or allowing traffic from specific clients based on where they originate is possible with Gloo. The Web Application Firewall (WAF) in Gloo, which is built on top of ModSecurity, can be configured to filter out that traffic.

In a multi-tenant environment where a service may be shared by many other services, can Gloo be configured to only allow access to the shared service to authorized applications?

Yes. Using Gloo, you can configure trust and policy enforcement into a service that is shared across multiple tenants. This is one of the motivations for our support for Open Policy Agent (OPA) with Gloo: to be able to build a policy to route based on a particular user or some other context-based routing. This is also an extension point to use OPA or another policy engine you may have in your environment.

Download the presentation
