An Envoy Proxy-based API Gateway

Gloo Edge is an API gateway and ingress controller built on Envoy Proxy to facilitate and secure application traffic at the edge

Now GA - Gloo Edge Version 1.10

Announcing Gloo Edge 1.10 with enhanced AWS Lambda integration, more observability, and new security features.

Gloo Edge API Gateway

An API gateway receives requests from clients (e.g. external clients like web and mobile applications or applications and services located on-premises, in the cloud or mixed in hybrid environments) and manages ingress to the appropriate services within its domain. The API gateway sits in the data plane and manages “north / south” traffic by providing services including security, reliability, filtering, transformations, and routing. Working collectively, the API gateway can provide higher level services such as high availability, load balancing, failover, zero-trust security, tracing and metrics gathering.

“Next-generation” gateways are purpose-built for a highly dynamic, ephemeral environments like Kubernetes and built with the design principles of declarative configuration, decentralized ownership, and self-service collaboration. In addition, next-gen gateways use declarative CRDs enabling you to seamlessly integrate them into your GitOps workflows.

Gloo Edge is a Kubernetes-native, next-generation API Gateway built on Envoy Proxy to manage, secure and observe traffic at the edge. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application networking and policy based traffic management while gathering metrics to improve observability.

Filter Chain Architecture and Data Path

The Gloo Edge control plane configures the behavior of the Envoy Proxy data plane to manage, secure and observe traffic flowing between downstream clients and upstream services. With Gloo Edge, developers and operators use declarative CRDs, usually as part of a DevOps / GitOps process, to manage traffic, implement security policy, and configure observability.

Traffic management capabilities include routing, circuit breaking, rate limiting, filtering, transformations and the ability to create custom filters, in any language, with WebAssembly. For multi-cluster, hybrid and multi-cloud environments, Gloo Edge Federation provides advanced traffic management capabilities including coordinated configurations, load balancing, and global failover to ensure performance, high availability and reliability.

Security capabilities include invoking external authentication, applying network encryption (TLS/mTLS), filtering requests with a Web Application Firewall (WAF) as well as combining features to implement zero-trust security and other strategies.

Observability capabilities include a wealth of metrics providing a view into the health of your system as a whole and a detailed look at each Upstream. Metrics across clusters are integrated into Prometheus and unified into a Grafana dashboard view.

Feature Comparisons

Here's a list of selected features in each edition, sorted by the value they bring.

Download Comparison Sheet >

Gloo Edge

Request Trial

Gloo Edge
Open Source


Basic Open Source
Envoy Proxy

Transport layer security (TLS and mTLS)
Provides end-to-end encryption to protect data in motion between end points
Secrets (with Kubernetes and Hashicorp Vault)
Manages sensitive credentials like passwords, tokens, and keys
Access logging (with redaction) & usage stats
Provides complete observability and auditability of all activity across the system
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
Extensible authentication
Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Federated role-based access control
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Dynamic routing for HTTP, TCP, gRPC
Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
Set limits on application traffic to meet desired workloads
Health checks
Confirm that the system is operating as expected
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Advanced rate limiting (metrics, server config, rate limit config)
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Service level agreements (SLAs)
Provide assurance that issues are responded to in a timely manner
Global failover and routing
Redirects application traffic to other resources in the event of an outage
Cross-origin resource sharing (CORS)
Set policies for and pre-verifies which origins are allowed to connect to specified resources
Prometheus integration
Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
Grafana integration
Displays system metrics in user-friendly graphs and enables building custom dashboards
Automatic service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
Simplified API
Makes it easier to configure and use Envoy Proxy
Long-term version support
Covers releases of Envoy for at least a year so you can upgrade on your schedule
N-3 version patching and back-porting
Fixes bugs and security issues in current and three previous releases of Envoy
Expert help on Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Automated, federated traffic mgmt policy configuration
Defines and enforces application connection behavior consistently everywhere
Automated reconcile of policy changes
Verifies and applies new configurations and policies
Your choice of cloud and on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Virtual machines (VMs) support
Enables connections to VMs alongside containers and serverless upstream resources
Shape, shift, and transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Federated multi-cluster operations and policies
Manage and observe across clusters and even hybrid and multi-cloud deployments
Simple object access protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
A/B testing with Flagger integrations
Customize how you test application updates as canaries with a specified slice of inbound connections
WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Schema in Gloo Edge CRDs
Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
Helm usability improvements
Define your applications and configuration, including node affinity with the desired resource characteristics
Envoy Proxy-based
Enhances the popular open source project as a solid foundation for future-proof innovation

Use Cases

API Gateway

Microservices and distributed applications require an API Gateway to act as a central point of access between the end users and potentially hundreds of backend services.
Learn More

Kubernetes Ingress

Kubernetes requires an ingress controller as part of the orchestration platform to manage incoming traffic to the containerized applications. Gloo provides a robust Kubernetes ingress controller.
Learn More

Developer Portal

Improve team communication and collaboration with a Kubernetes-native API developer portal built to run natively with Istio and Envoy Proxy that enables GitOps and CI/CD workflows
Learn More

Get started in 15 minutes

Follow our quick tutorial

Try it now

Video FAQs

Watch a series of short videos about Envoy Proxy and Gloo Edge

Learn more

See a recorded demo

Tour key features

Watch now

Modern & Open

Run Anywhere
  • AWS
  • Azure
  • Google Cloud
  • Hashicorp Nomad
  • Kubernetes
  • Red Hat Openstack
  • VMware
Connect Microservices
  • Containers
  • Monoliths
  • Serverless Functions
Serverless Integrations
  • AWS Lambda
  • Azure Functions
  • Google Functions
Security Integrations
  • Hashicorp Vault
  • Let’s Encrypt
  • Open Policy Agent (OPA)
Service Mesh Integrations
  • AWS App Mesh
  • Gloo Mesh
  • Hashicorp Consul
  • Istio
  • Linkerd

Gameforge wanted to find new ways to optimise how our players access the 500+ servers for our online, browser-based, and mobile games. Gloo Edge as an API gateway combines perfectly with our Kubernetes clusters to prepare our technology stack for future challenges. Gloo Edge fulfilled all our requirements, including custom resources (CRDs), dynamic routing with JSON Web Tokens (JWT), and integration with Grafana.

Hannes Anders
CTO, Gameforge

ParkMobile partnered with because we were looking for the most innovative and flexible solutions on the market to power our growing platform. With over 16 million users of our application and a complex ecosystem of integrations, ParkMobile relies on Gloo Edge Enterprise and the supporting product suite for best-in-class API gateway and hybrid application communications that also adds in the power of monitoring and security to ensure peak performance of our platform at all times” 

Matt Ball
CTO, ParkMobile