An Envoy Proxy-based API Gateway
Gloo Edge is an API gateway and ingress controller built on Envoy Proxy to facilitate and secure application traffic at the edge
Now GA - Gloo Edge Version 1.10
Announcing Gloo Edge 1.10 with enhanced AWS Lambda integration, more observability, and new security features.
Gloo Edge API Gateway
An API gateway receives requests from clients (e.g. external clients like web and mobile applications or applications and services located on-premises, in the cloud or mixed in hybrid environments) and manages ingress to the appropriate services within its domain. The API gateway sits in the data plane and manages “north / south” traffic by providing services including security, reliability, filtering, transformations, and routing. Working collectively, the API gateway can provide higher level services such as high availability, load balancing, failover, zero-trust security, tracing and metrics gathering.
“Next-generation” gateways are purpose-built for a highly dynamic, ephemeral environments like Kubernetes and built with the design principles of declarative configuration, decentralized ownership, and self-service collaboration. In addition, next-gen gateways use declarative CRDs enabling you to seamlessly integrate them into your GitOps workflows.
Gloo Edge is a Kubernetes-native, next-generation API Gateway built on Envoy Proxy to manage, secure and observe traffic at the edge. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application networking and policy based traffic management while gathering metrics to improve observability.
Filter Chain Architecture and Data Path
The Gloo Edge control plane configures the behavior of the Envoy Proxy data plane to manage, secure and observe traffic flowing between downstream clients and upstream services. With Gloo Edge, developers and operators use declarative CRDs, usually as part of a DevOps / GitOps process, to manage traffic, implement security policy, and configure observability.
Traffic management capabilities include routing, circuit breaking, rate limiting, filtering, transformations and the ability to create custom filters, in any language, with WebAssembly. For multi-cluster, hybrid and multi-cloud environments, Gloo Edge Federation provides advanced traffic management capabilities including coordinated configurations, load balancing, and global failover to ensure performance, high availability and reliability.
Security capabilities include invoking external authentication, applying network encryption (TLS/mTLS), filtering requests with a Web Application Firewall (WAF) as well as combining features to implement zero-trust security and other strategies.
Observability capabilities include a wealth of metrics providing a view into the health of your system as a whole and a detailed look at each Upstream. Metrics across clusters are integrated into Prometheus and unified into a Grafana dashboard view.
Feature ComparisonsHere's a list of selected features in each edition, sorted by the value they bring. Download Comparison Sheet > |
Basic Open Source
|
|---|
Secure
Transport layer security (TLS and mTLS)Provides end-to-end encryption to protect data in motion between end points
|
|||
Secrets (with Kubernetes and Hashicorp Vault)Manages sensitive credentials like passwords, tokens, and keys
|
|||
Access logging (with redaction) & usage statsProvides complete observability and auditability of all activity across the system
|
|||
Built-in web application firewall (WAF)Open source ModSecurity screens traffic for threats and stops attacks
|
|||
Data loss prevention (DLP)Monitors for data breaches or exfiltration to prevent data loss and data leaks
|
|||
Extensible authenticationIntegrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
|
|||
Federated role-based access controlGrants permissions to users appropriate to their responsibility and applies them consistently everywhere
|
|||
Open Policy Agent (OPA) for authorizationDefines service API policies as code
|
|||
Vulnerability scanning and publicationsFinds, addresses, and alerts on weaknesses in the system
|
Reliable
Dynamic routing for HTTP, TCP, gRPCDirects inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
|
|||
QuotasSet limits on application traffic to meet desired workloads
|
|||
Health checksConfirm that the system is operating as expected
|
|||
Retries, circuit breaker, timeoutsHandle exceptions and issues in connections gracefully
|
|||
Advanced rate limiting (metrics, server config, rate limit config)Define custom policies to handle more complex situations
|
|||
Configuration validationMakes sure that the system is deployed and defined correctly
|
|||
Service level agreements (SLAs)Provide assurance that issues are responded to in a timely manner
|
|||
Global failover and routingRedirects application traffic to other resources in the event of an outage
|
Unified
Cross-origin resource sharing (CORS)Set policies for and pre-verifies which origins are allowed to connect to specified resources
|
|||
Prometheus integrationCollects system metrics for observability to monitor and troubleshoot, and auditing for investigation
|
|||
Grafana integrationDisplays system metrics in user-friendly graphs and enables building custom dashboards
|
|||
Automatic service discoveryFinds and defines upstream resources (applications/microservices) that can be targets for connections
|
|||
Admin dashboard GUI with multi-cluster viewsGives centralized observability and control of the whole system
|
|||
Gloo Developer Portal (API mgmt)Enables publishing, sharing, GitOps calling, and monetization of defined APIs
|
Easy
Simplified APIMakes it easier to configure and use Envoy Proxy
|
|||
Long-term version supportCovers releases of Envoy for at least a year so you can upgrade on your schedule
|
|||
N-3 version patching and back-portingFixes bugs and security issues in current and three previous releases of Envoy
|
|||
Expert help on SlackFor fast response to all your questions by an active public community and Solo engineers worldwide
|
|||
Enterprise supportHelps quickly resolve issues in production environments via Slack, email, and phone
|
|||
Automated, federated traffic mgmt policy configurationDefines and enforces application connection behavior consistently everywhere
|
|||
Automated reconcile of policy changesVerifies and applies new configurations and policies
|
Comprehensive
Your choice of cloud and on-premises environmentsLets you run consistently anywhere you choose to operate your applications
|
|||
Serverless functions integrationEnables connections to AWS Lambda alongside containers and other upstream resources
|
|||
Virtual machines (VMs) supportEnables connections to VMs alongside containers and serverless upstream resources
|
|||
Shape, shift, and transform trafficTo define exactly how you want requests to be processed and presented, and connect to diverse protocols
|
|||
Federated multi-cluster operations and policiesManage and observe across clusters and even hybrid and multi-cloud deployments
|
|||
Simple object access protocol (SOAP) transformsTie in XML messaging protocols for legacy applications
|
|||
A/B testing with Flagger integrationsCustomize how you test application updates as canaries with a specified slice of inbound connections
|
Limited
|
Limited
|
|
WebAssembly (Wasm)Provides the ability to define extensible custom filters for security and control
|
Modern and open
Kubernetes-nativeDesigned to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
|
|||
Schema in Gloo Edge CRDsEnable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
|
|||
Helm usability improvementsDefine your applications and configuration, including node affinity with the desired resource characteristics
|
|||
Envoy Proxy-basedEnhances the popular open source project as a solid foundation for future-proof innovation
|
Use Cases
Modern & Open
Run Anywhere
- AWS
- Azure
- Google Cloud
- Hashicorp Nomad
- Kubernetes
- Red Hat Openstack
- VMware
Connect Microservices
- Containers
- Monoliths
- Serverless Functions
Serverless Integrations
- AWS Lambda
- Azure Functions
- Google Functions
Security Integrations
- Hashicorp Vault
- Let’s Encrypt
- Open Policy Agent (OPA)
Service Mesh Integrations
- AWS App Mesh
- Gloo Mesh
- Hashicorp Consul
- Istio
- Linkerd
Gameforge wanted to find new ways to optimise how our players access the 500+ servers for our online, browser-based, and mobile games. Gloo Edge as an API gateway combines perfectly with our Kubernetes clusters to prepare our technology stack for future challenges. Gloo Edge fulfilled all our requirements, including custom resources (CRDs), dynamic routing with JSON Web Tokens (JWT), and integration with Grafana.
“ParkMobile partnered with Solo.io because we were looking for the most innovative and flexible solutions on the market to power our growing platform. With over 16 million users of our application and a complex ecosystem of integrations, ParkMobile relies on Gloo Edge Enterprise and the supporting product suite for best-in-class API gateway and hybrid application communications that also adds in the power of monitoring and security to ensure peak performance of our platform at all times”