The Advantages of an Envoy-based API Gateway
An API gateway receives requests from clients (e.g. external clients like web and mobile applications, or applications and services located on-premises, in the cloud, or mixed in hybrid environments) and manages ingress to the appropriate services within its domain. The API gateway sits in the data plane and manages “North/South” traffic by providing services including security, reliability, filtering, transformations, and routing. Working together, these services let the API gateway provide higher-level capabilities such as high availability, load balancing, failover, zero-trust security, tracing, and metrics gathering.
“Next-generation” gateways are also purpose-built for highly dynamic, ephemeral environments like Kubernetes and built with the design principles of declarative configuration, decentralized ownership, and self-service collaboration. In addition, next-gen gateways use declarative CRDs, enabling you to seamlessly integrate them into your GitOps workflow.
Gloo Edge is a Kubernetes-native, next-generation API Gateway built on Envoy Proxy to manage, secure, and observe traffic at the edge. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application networking and policy-based traffic management while gathering metrics to improve observability.

Filter Chain Architecture and Data Path
The Gloo Edge control plane configures the behavior of the Envoy Proxy data plane to manage, secure and observe traffic flowing between downstream clients and upstream services. With Gloo Edge, developers and operators use declarative CRDs, usually as part of a DevOps / GitOps process, to manage traffic, implement security policy, and configure observability.
Traffic management capabilities include routing, circuit breaking, rate limiting, filtering, transformations and the ability to create custom filters, in any language, with WebAssembly. For multi-cluster, hybrid and multi-cloud environments, Gloo Edge Federation provides advanced traffic management capabilities including coordinated configurations, load balancing, and global failover to ensure performance, high availability and reliability.
Security capabilities include invoking external authentication, applying network encryption (TLS/mTLS), and filtering requests with a Web Application Firewall (WAF), as well as combining features to implement zero-trust security and other strategies.
Observability capabilities include a wealth of metrics providing a view into the health of your system as a whole and a detailed look at each Upstream. Metrics across clusters are integrated into Prometheus and unified into a Grafana dashboard view.
The optional Gloo GraphQL module embeds a GraphQL server natively into Gloo Edge, enabling federated queries of your APIs using your Envoy Proxy-based API gateways.

Feature Comparisons
Compare Gloo Edge editions and basic open source Istio.
Comparison column: Basic Open Source Envoy
Secure

- Transport layer security (TLS and mTLS): Provides end-to-end encryption to protect data in motion between end points
- Secrets (with Kubernetes and HashiCorp Vault): Manages sensitive credentials like passwords, tokens, and keys
- Access logging (with redaction) & usage stats: Provides complete observability and auditability of all activity across the system
- Built-in web application firewall (WAF): Open source ModSecurity screens traffic for threats and stops attacks
- Data loss prevention (DLP): Monitors for data breaches or exfiltration to prevent data loss and data leaks
- Extensible authentication: Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
- Federated role-based access control: Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
- Open Policy Agent (OPA) for authorization: Defines service API policies as code
- Vulnerability scanning and publications: Finds, addresses, and alerts on weaknesses in the system
Reliable

- Dynamic routing for HTTP, TCP, gRPC: Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
- Quotas: Set limits on application traffic to meet desired workloads
- Health checks: Confirm that the system is operating as expected
- Retries, circuit breaker, timeouts: Handle exceptions and issues in connections gracefully
- Advanced rate limiting (metrics, server config, rate limit config): Define custom policies to handle more complex situations
- Configuration validation: Makes sure that the system is deployed and defined correctly
- Service level agreements (SLAs): Provide assurance that issues are responded to in a timely manner
- Global failover and routing: Redirects application traffic to other resources in the event of an outage
Unified

- Cross-origin resource sharing (CORS): Sets policies for and pre-verifies which origins are allowed to connect to specified resources
- Prometheus integration: Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
- Grafana integration: Displays system metrics in user-friendly graphs and enables building custom dashboards
- Automatic service discovery: Finds and defines upstream resources (applications/microservices) that can be targets for connections
- Admin dashboard GUI with multi-cluster views: Gives centralized observability and control of the whole system
- Gloo Developer Portal (API mgmt): Enables publishing, sharing, GitOps calling, and monetization of defined APIs
- GraphQL embedded: Run and query GraphQL servers on Gloo Edge
Easy

- Simplified API: Makes it easier to configure and use Envoy Proxy
- Long-term version support: Covers releases of Envoy for at least a year so you can upgrade on your schedule
- N-3 version patching and back-porting: Fixes bugs and security issues in current and three previous releases of Envoy
- Expert help on Slack: For fast response to all your questions by an active public community and Solo engineers worldwide
- Enterprise support: Helps quickly resolve issues in production environments via Slack, email, and phone
- Automated, federated traffic mgmt policy configuration: Defines and enforces application connection behavior consistently everywhere
- Automated reconcile of policy changes: Verifies and applies new configurations and policies
Comprehensive

- Your choice of cloud and on-premises environments: Lets you run consistently anywhere you choose to operate your applications
- Serverless functions integration: Enables connections to AWS Lambda alongside containers and other upstream resources
- Virtual machines (VMs) support: Easy bootstrapping of VMs to connect with containers and serverless upstream resources
- Shape, shift, and transform traffic: To define exactly how you want requests to be processed and presented, and connect to diverse protocols
- Federated multi-cluster operations and policies: Manage and observe across clusters and even hybrid and multi-cloud deployments
- Simple object access protocol (SOAP) transforms: Tie in XML messaging protocols for legacy applications
- A/B testing with Flagger integrations: Customize how you test application updates as canaries with a specified slice of inbound connections (marked “Limited” in two of the comparison columns)
- WebAssembly (Wasm): Provides the ability to define extensible custom filters for security and control
Modern & Open

- Kubernetes-native: Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
- Schema in Gloo Edge CRDs: Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
- Helm usability improvements: Define your applications and configuration, including node affinity with the desired resource characteristics
- Envoy Proxy-based: Enhances the popular open source project as a solid foundation for future-proof innovation
- Upstream GraphQL: Embeds GraphQL querying into Gloo Edge
Use Cases
Modern & Open
Gloo Edge is built on extensible, cloud-native, Kubernetes-native open source software that can run in any environment.

Run Anywhere
- AWS
- Azure
- Google Cloud
- HashiCorp Nomad
- Kubernetes
- Red Hat OpenStack
- VMware

Connect Microservices
- Containers
- Monoliths
- Serverless Functions

Serverless Integrations
- AWS Lambda
- Azure Functions
- Google Functions

Security Integrations
- HashiCorp Vault
- Let’s Encrypt
- Open Policy Agent (OPA)

Service Mesh Integrations
- AWS App Mesh
- Gloo Mesh
- HashiCorp Consul
- Istio
- Linkerd

GraphQL Integration
- Lifecycle
- Security
- Reliability
- Scalability
- Observability