

What is an API Gateway?

An API gateway sits between external clients and the applications running in your datacenter and clouds. APIs (application programming interfaces) define how applications can communicate, without the client having to know where or how they are implemented. An API gateway validates incoming requests, routes them to the appropriate backend service based on defined policies, and then returns the appropriate result to the client.

Architecturally, API gateways have both a data plane and a control plane. The data plane is where traffic flows from your external clients through the proxies to the backend services. The control plane is where your configuration and policies are defined. These configurations are pushed to the proxies to adjust the flow of traffic or to add security checks like authentication. With the adoption of Kubernetes containers and cloud-native architectures for modern applications, technologies like the open source Envoy Proxy and Istio have emerged to enable application networking for distributed systems. Envoy has become the most popular proxy at the edge, and is also used as the sidecar that handles internal traffic in an Istio service mesh.

Why you need a modern API gateway

Legacy API gateways were not designed for highly dynamic environments like cloud and Kubernetes. They require additional infrastructure and a lot of effort to become highly available and production-ready. Legacy API gateways are also often deployed centrally, which conflicts with the distributed nature of modern applications.

APIs are the interfaces which applications use to communicate and the gateway is the control point for routing, shaping, and securing that traffic. As the API gateway intercepts the incoming request, security rules can be applied to inspect the request, authenticate the client, and rate limit the request to protect the backend service from exploit or failure. API gateways can route and shape traffic to support use cases like canary deployments and traffic shadowing to ensure safer application deployments and to maintain a great end user experience.
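The request path described above (inspect, authenticate, rate limit, then route), as an added Python sketch that is not Gloo or Envoy code and not from the original page. The API-key table, the `/app/catalog` route and the token-bucket parameters are constructed for illustration; `/app/cart` and `shopping-cart` reuse the names in the page's config fragment.

```python
import time
from dataclasses import dataclass

# Constructed sample data: routes and API keys are illustrative only.
ROUTES = {"/app/cart": "shopping-cart", "/app/catalog": "catalog"}
API_KEYS = {"k-alice": "alice", "k-bob": "bob"}

@dataclass
class TokenBucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at capacity.
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gateway:
    def __init__(self, capacity=2, refill_per_sec=1.0):
        self.capacity, self.refill = capacity, refill_per_sec
        self.buckets = {}  # one bucket per authenticated client

    def handle(self, path, headers, now=None):
        now = time.monotonic() if now is None else now
        # 1. Inspect: reject malformed paths before doing any other work.
        if not path.startswith("/") or ".." in path.split("/"):
            return 400, None
        # 2. Authenticate: a missing or unknown key fails closed.
        client = API_KEYS.get(headers.get("x-api-key", ""))
        if client is None:
            return 401, None
        # 3. Rate limit per client so one caller cannot starve the others.
        bucket = self.buckets.setdefault(
            client, TokenBucket(self.capacity, self.refill, self.capacity, now))
        if not bucket.allow(now):
            return 429, None
        # 4. Route: longest prefix, matched on a path-segment boundary so
        #    /app/cartel does not reach the /app/cart backend.
        matches = [p for p in ROUTES if path == p or path.startswith(p + "/")]
        if not matches:
            return 404, None
        return 200, ROUTES[max(matches, key=len)]
```
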

Why choose Gloo as the API gateway for your modern apps

Gloo Mesh Gateway and Gloo Edge deliver robust API gateways by enhancing open source Istio and Envoy Proxy. By default, basic open source distributions of Istio and Envoy don’t go far enough to deliver the features needed for comprehensive application networking. Traffic routing alone isn’t enough, and if you use pure open source you inherit the burden of developing and maintaining missing enterprise features forever. Gloo adds comprehensive functionality to your API gateways, reducing complexity while increasing security, reliability, and observability for consistent application and microservice connectivity.

timeout: '20s'
retryOn: 'connect-failure'
numRetries: 3
perTryTimeout: '5s'

Manage API ingress and egress at the edge

With traffic from external sources coming in over the Internet, you’ll need routing, circuit breaking, rate limiting, load balancing, and locality-aware failover to maintain reliable connections to your services.

Comprehensively secure all connections

Establish a zero-trust environment where every inbound connection is validated before being allowed. Integrate with your existing external authentication and authorization servers. Use mTLS encryption to protect data-in-motion on all connections.

kind: VirtualService
- prefix: /app/cart
name: shopping-cart
namespace: gloo-system

Federate configurations and policies as code

Manage application networking with common policies implemented consistently everywhere. Developers and operators can use declarative CRDs, usually as part of a DevOps or GitOps process, to manage traffic, implement security policy, and configure observability.

Define custom rules and behaviors

Set up a filter chain to enforce rules in priority order, create inline transformations, and make your own custom filters, in any language, with WebAssembly (Wasm).

Build a developer portal

Fully integrated with Gloo Mesh Gateway and Gloo Edge, Gloo Portal abstracts the complexity and enables developers to publish, document, share, discover, and use APIs with rich controls and comprehensive security information.

Limit access to resources

Use granular role-based access controls and delegation to limit which clients and administrators have permissions to applications, resources, and management tools.



Application networking is a team sport

While not strictly a security feature of API gateways, one important consideration is the availability of enterprise support and defined service-level agreements (SLAs) for response. Community support for open source software by itself doesn’t meet the requirements for production deployments, so you need a vendor on standby to help you out. Inevitably there will be issues, and when a CVE (common vulnerabilities and exposures) incident is discovered, it is reassuring to know that someone can quickly patch your code and even backport the fix to older versions if you haven’t kept up with the rapid pace of new releases.
