The Advantages of an Envoy-based API Gateway
An API gateway receives requests from clients (e.g. external clients like web and mobile applications, or applications and services located on-premises, in the cloud, or mixed in hybrid environments) and manages ingress to the appropriate services within its domain. The API gateway sits in the data plane and manages “North/South” traffic by providing services including security, reliability, filtering, transformations, and routing. Working together, these services let the API gateway provide higher-level capabilities such as high availability, load balancing, failover, zero-trust security, tracing, and metrics gathering.
“Next-generation” gateways are also purpose-built for highly dynamic, ephemeral environments like Kubernetes and built with the design principles of declarative configuration, decentralized ownership, and self-service collaboration. In addition, next-gen gateways use declarative CRDs enabling you to seamlessly integrate them into your GitOps workflow.
Gloo Gateway extends Envoy Proxy with a rich set of security, scalability, resiliency, cloud integration, and ease-of-use capabilities. Gloo Gateway’s architecture enables customers to significantly reduce their API gateway footprint (vs. legacy API gateways), as well as improve overall scalability and reduce application latency. Gloo Gateway is part of the broader Gloo Platform framework for centralized deployments and policy management, integrated with GitOps best practices.

How it Works
Gloo Gateway can be deployed in either a Layered Gateway configuration or a Virtual Gateway configuration depending on the requirements of your network architecture.
Layered Gateway
In a Layered Gateway configuration, an Application Edge Gateway is configured to control and secure access to different container clusters and VMs in your environment.
This enables different traffic management, security policy and resiliency configurations to be applied at different layers in your application network.
Virtual Gateway
In a Virtual Gateway configuration, multiple API gateways create a “virtual” destination, eliminating any single point of failure and reducing network latency.
The Virtual Gateway provides a single configuration point but is implemented as a decentralized API gateway. The Virtual Gateway can also be implemented across containers, VMs and hybrid services.
Feature Comparisons
Compare Gloo Edge editions and basic open source Istio.
[Comparison table column: Basic Open Source Envoy]
Secure

- Transport layer security (TLS and mTLS): Provides end-to-end encryption to protect data in motion between end points
- Secrets (with Kubernetes and HashiCorp Vault): Manages sensitive credentials like passwords, tokens, and keys
- Access logging (with redaction) & usage stats: Provides complete observability and auditability of all activity across the system
- Built-in web application firewall (WAF): Open source ModSecurity screens traffic for threats and stops attacks
- Data loss prevention (DLP): Monitors for data breaches or exfiltration to prevent data loss and data leaks
- Extensible authentication: Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
- Federated role-based access control: Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
- Open Policy Agent (OPA) for authorization: Defines service API policies as code
- Vulnerability scanning and publications: Finds, addresses, and alerts on weaknesses in the system

Reliable

- Dynamic routing for HTTP, TCP, gRPC: Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
- Quotas: Set limits on application traffic to meet desired workloads
- Health checks: Confirm that the system is operating as expected
- Retries, circuit breaker, timeouts: Handle exceptions and issues in connections gracefully
- Advanced rate limiting (metrics, server config, rate limit config): Define custom policies to handle more complex situations
- Configuration validation: Makes sure that the system is deployed and defined correctly
- Service level agreements (SLAs): Provide assurance that issues are responded to in a timely manner
- Global failover and routing: Redirects application traffic to other resources in the event of an outage

Unified

- Cross-origin resource sharing (CORS): Sets policies for and pre-verifies which origins are allowed to connect to specified resources
- Prometheus integration: Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
- Grafana integration: Displays system metrics in user-friendly graphs and enables building custom dashboards
- Automatic service discovery: Finds and defines upstream resources (applications/microservices) that can be targets for connections
- Admin dashboard GUI with multi-cluster views: Gives centralized observability and control of the whole system
- Gloo Developer Portal (API mgmt): Enables publishing, sharing, GitOps calling, and monetization of defined APIs
- GraphQL embedded: Run and query GraphQL servers on Gloo Edge

Easy

- Simplified API: Makes it easier to configure and use Envoy Proxy
- Long-term version support: Covers releases of Envoy for at least a year so you can upgrade on your schedule
- N-3 version patching and back-porting: Fixes bugs and security issues in current and three previous releases of Envoy
- Expert help on Slack: For fast response to all your questions by an active public community and Solo engineers worldwide
- Enterprise support: Helps quickly resolve issues in production environments via Slack, email, and phone
- Automated, federated traffic mgmt policy configuration: Defines and enforces application connection behavior consistently everywhere
- Automated reconcile of policy changes: Verifies and applies new configurations and policies

Comprehensive

- Your choice of cloud and on-premises environments: Lets you run consistently anywhere you choose to operate your applications
- Serverless functions integration: Enables connections to AWS Lambda alongside containers and other upstream resources
- Virtual machines (VMs) support: Easy bootstrapping of VMs to connect with containers and serverless upstream resources
- Shape, shift, and transform traffic: To define exactly how you want requests to be processed and presented, and connect to diverse protocols
- Federated multi-cluster operations and policies: Manage and observe across clusters and even hybrid and multi-cloud deployments
- Simple object access protocol (SOAP) transforms: Tie in XML messaging protocols for legacy applications
- A/B testing with Flagger integrations: Customize how you test application updates as canaries with a specified slice of inbound connections
Limited
- WebAssembly (Wasm): Provides the ability to define extensible custom filters for security and control

Modern & Open

- Kubernetes-native: Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
- Schema in Gloo Edge CRDs: Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
- Helm usability improvements: Define your applications and configuration, including node affinity with the desired resource characteristics
- Envoy Proxy-based: Enhances the popular open source project as a solid foundation for future-proof innovation
- Upstream GraphQL: Embeds GraphQL querying into Gloo Edge

Use Cases
Modern & Open
Gloo Gateway is built on extensible, cloud-native, Kubernetes-native open source software that can run in any environment.

Run Anywhere
- AWS
- Azure
- Google Cloud
- HashiCorp Nomad
- Kubernetes
- Red Hat Openstack
- VMware

Connect Microservices
- Containers
- Monoliths
- Serverless Functions

Serverless Integrations
- AWS Lambda
- Azure Functions
- Google Functions

Security Integrations
- HashiCorp Vault
- Let’s Encrypt
- Open Policy Agent (OPA)

Service Mesh Integrations
- AWS App Mesh
- Gloo Mesh
- HashiCorp Consul
- Istio
- Linkerd

GraphQL Integration
- Lifecycle
- Security
- Reliability
- Scalability
- Observability