An Envoy Proxy-based API Gateway

Gloo Edge is an Envoy-based API gateway and ingress controller to facilitate and secure application traffic at the edge

Gloo GraphQL (beta) enables you to query your APIs via Envoy Proxy
Gloo Edge 1.10 brings an enhanced AWS Lambda, plus better security, reliability, and ease-of-use
Block Log4Shell attacks with Gloo Edge

The Advantages of an Envoy-based API Gateway

An API gateway receives requests from clients (e.g. external clients like web and mobile applications or applications and services located on-premises, in the cloud or mixed in hybrid environments) and manages ingress to the appropriate services within its domain. The API gateway sits in the data plane and manages “North/South” traffic by providing services including security, reliability, filtering, transformations, and routing. Working collectively, the API gateway can provide higher-level services such as high availability, load balancing, failover, zero-trust security, tracing, and metrics gathering.

“Next-generation” gateways are also purpose-built for highly dynamic, ephemeral environments like Kubernetes and built with the design principles of declarative configuration, decentralized ownership, and self-service collaboration. In addition, next-gen gateways use declarative CRDs enabling you to seamlessly integrate them into your GitOps workflow.

Gloo Edge is a Kubernetes-native, next-generation API Gateway built on Envoy Proxy to manage, secure, and observe traffic at the edge. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application networking and policy-based traffic management while gathering metrics to improve observability.

Filter Chain Architecture and Data Path

The Gloo Edge control plane configures the behavior of the Envoy Proxy data plane to manage, secure and observe traffic flowing between downstream clients and upstream services. With Gloo Edge, developers and operators use declarative CRDs, usually as part of a DevOps / GitOps process, to manage traffic, implement security policy, and configure observability.

Traffic management capabilities include routing, circuit breaking, rate limiting, filtering, transformations and the ability to create custom filters, in any language, with WebAssembly. For multi-cluster, hybrid and multi-cloud environments, Gloo Edge Federation provides advanced traffic management capabilities including coordinated configurations, load balancing, and global failover to ensure performance, high availability and reliability.

Security capabilities include invoking external authentication, applying network encryption (TLS/mTLS), filtering requests with a Web Application Firewall (WAF) as well as combining features to implement zero-trust security and other strategies. Observability capabilities include a wealth of metrics providing a view into the health of your system as a whole and a detailed look at each Upstream. Metrics across clusters are integrated into Prometheus and unified into a Grafana dashboard view. The optional Gloo GraphQL module embeds a GraphQL server natively into Gloo Edge enabling federated queries of your APIs using your Envoy Proxy-based API gateways.

Feature Comparisons

Compare Gloo Edge editions and basic open source Istio.


Gloo Edge Enterprise


Gloo Edge Open Source


Basic Open Source Envoy

Transport layer security (TLS and mTLS)
Provides end-to-end encryption to protect data in motion between end points
Secrets (with Kubernetes and HashiCorp Vault)
Manages sensitive credentials like passwords, tokens, and keys
Access logging (with redaction) & usage stats
Provides complete observability and auditability of all activity across the system
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
Extensible authentication
Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Federated role-based access control
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Dynamic routing for HTTP, TCP, gRPC
Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
Set limits on application traffic to meet desired workloads
Health checks
Confirm that the system is operating as expected
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Advanced rate limiting (metrics, server config, rate limit config)
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Service level agreements (SLAs)
Provide assurance that issues are responded to in a timely manner
Global failover and routing
Redirects application traffic to other resources in the event of an outage
Cross-origin resource sharing (CORS)
Sets policies for and pre-verifies which origins are allowed to connect to specified resources
Prometheus integration
Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
Grafana integration
Displays system metrics in user-friendly graphs and enables building custom dashboards
Automatic service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
GraphQL embedded
Run and query GraphQL servers on Gloo Edge
Simplified API
Makes it easier to configure and use Envoy Proxy
Long-term version support
Covers releases of Envoy for at least a year so you can upgrade on your schedule
N-3 version patching and back-porting
Fixes bugs and security issues in current and three previous releases of Envoy
Expert help on Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Automated, federated traffic mgmt policy configuration
Defines and enforces application connection behavior consistently everywhere
Automated reconcile of policy changes
Verifies and applies new configurations and policies
Your choice of cloud and on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Virtual machines (VMs) support
Easy bootstrapping of VMs to connect with containers and serverless upstream resources
Shape, shift, and transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Federated multi-cluster operations and policies
Manage and observe across clusters and even hybrid and multi-cloud deployments
Simple object access protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
A/B testing with Flagger integrations
Customize how you test application updates as canaries with a specified slice of inbound connections
WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Schema in Gloo Edge CRDs
Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
Helm usability improvements
Define your applications and configuration, including node affinity with the desired resource characteristics
Envoy Proxy-based
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream GraphQL
Embeds GraphQL querying into Gloo Edge

Use Cases

API Gateways

Reduce complexity while increasing security, reliability, and observability for your applications.


Zero Trust Security

Add comprehensive security controls to your service mesh.


Modern & Open

Gloo Edge is built on extensible, cloud-native, Kubernetes-native open source software that can run in any environment.

  • AWS
  • Azure
  • Google Cloud
  • HashiCorp Nomad
  • Kubernetes
  • Red Hat OpenStack
  • VMware
Connect Microservices
  • Containers
  • Monoliths
  • Serverless Functions
Serverless Integrations
  • AWS Lambda
  • Azure Functions
  • Google Functions
Security Integrations
  • HashiCorp Vault
  • Let’s Encrypt
  • Open Policy Agent (OPA)
Service Mesh Integrations
  • AWS App Mesh
  • Gloo Mesh
  • HashiCorp Consul
  • Istio
  • Linkerd
GraphQL Integration
  • Lifecycle
  • Security
  • Reliability
  • Scalability
  • Observability
  • ParkMobile partnered with because we were looking for the most innovative and flexible solutions on the market to power our growing platform. With over 16 million users of our application and a complex ecosystem of integrations, ParkMobile relies on Gloo Edge Enterprise and the supporting product suite for best-in-class API gateway and hybrid application communications that also adds in the power of monitoring and security to ensure peak performance of our platform at all times.

    Matt Ball
    CTO, ParkMobile
  • Gameforge wanted to find new ways to optimise how our players access the 500+ servers for our online, browser-based, and mobile games. Gloo Edge as an API gateway combines perfectly with our Kubernetes clusters to prepare our technology stack for future challenges. Gloo Edge fulfilled all our requirements, including custom resources (CRDs), dynamic routing with JSON Web Tokens (JWT), and integration with Grafana.

    Hannes Anders
    CTO, Gameforge
  • As we look to break out our monolithic backend and deploy new microservices into Kubernetes, we needed a highly scalable API Gateway to not only aggregate the microservices into a coherent API, but remove duplication from within these microservices by centralizing features such as authentication and rate limiting. The configuration of Gloo Edge via CRDs is a major advantage for our Infrastructure team and fits within our existing GitOps workflow.

    Jon Walton
    DevOps architect