Unlocking the Power of Your API Gateway


API Gateway and Kubernetes Ingress

Gloo Gateway is an integrated part of the Gloo Platform, delivering API Gateway and Kubernetes Ingress functionality.

  • Gloo Gateway > Gateways
  • Gloo Gateway > Graph
  • Gloo Gateway > Workspaces > Virtual Gateway

Announcing GraphQL for Gloo Gateway!
Block Log4Shell attacks with Gloo Gateway

The Advantages of an Envoy-based API Gateway

An API gateway receives requests from clients (e.g. external clients like web and mobile applications or applications and services located on-premises, in the cloud or mixed in hybrid environments) and manages ingress to the appropriate services within its domain. The API gateway sits in the data plane and manages “North/South” traffic by providing services including security, reliability, filtering, transformations, and routing. Working collectively, the API gateway can provide higher-level services such as high availability, load balancing, failover, zero-trust security, tracing, and metrics gathering.

“Next-generation” gateways are also purpose-built for highly dynamic, ephemeral environments like Kubernetes and built with the design principles of declarative configuration, decentralized ownership, and self-service collaboration. In addition, next-gen gateways use declarative CRDs enabling you to seamlessly integrate them into your GitOps workflow.

Gloo Gateway extends Envoy Proxy with a rich set of Security, Scalability, Resiliency, Cloud Integrations, and Ease of Use capabilities. Gloo Gateway’s architecture enables customers to significantly reduce their API-Gateway footprint (vs. legacy API Gateways), as well as improve overall scalability and reduce application latency. Gloo Gateway is part of the broader Gloo Platform framework for centralized deployments and policy management, integrated with GitOps best-practices.

Goo Edge API Diagram

How it Works

Gloo Gateway can be deployed in either a Layered Gateway configuration or a Virtual Gateway configuration depending on the requirements of your network architecture.

Layered Gateway

In a Layered Gateway configuration, an Application Edge Gateway is configured to control and secure access to different container clusters and VMs in your environment.

This enables different traffic management, security policy and resiliency configurations to be applied at different layers in your application network.

layered gateway-diagram


Virtual Gateway

In a Virtual Gateway configuration, multiple API gateways create a “virtual” destination eliminating any single points of failure and reduce network latency.

The Virtual Gateway provides a single configuration point but is implemented as a decentralized API gateway. The Virtual Gateway can also be implemented across containers, VMs and hybrid services.


virtual gateway-diagram

Feature Comparisons

Compare Gloo Edge editions and basic open source Istio.


Gloo Edge Enterprise


Gloo Edge Open Source


Basic Open Source Envoy

Transport layer security (TLS and mTLS)
Provides end-to-end encryption to protect data in motion between end points
Secrets (with Kubernetes and HashiCorp Vault)
PrManages sensitive credentials like passwords, tokens, and keys
Access logging (with redaction) & usage stats
Provides complete observability and auditability of all activity across the system
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
Extensible authentication
Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Federated role-based access control
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Dynamic routing for HTTP, TCP, gRPC
Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
Set limits on application traffic to meet desired workloads
Health checks
Confirm that the system is operating as expected
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Advanced rate limiting (metrics, server config, rate limit config)
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Service level agreements (SLAs)
Provide assurance that issues are responded to in a timely manner
Global failover and routing
Redirects application traffic to other resources in the event of an outage
Cross-origin resource sharing (CORS)
Set policies for and pre-verifies which origins are allowed to connect to specified resources
Prometheus integration
Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
Grafana integration
Displays system metrics in user-friendly graphs and enables building custom dashboards
Automatic service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
GraphQL embedded
Run and query GraphQL servers on Gloo Edge
Simplified API
Makes it easier to configure and use Envoy Proxy
Long-term version support
Covers releases of Envoy for at least a year so you can upgrade on your schedule
N-3 version patching and back-porting
Fixes bugs and security issues in current and three previous releases of Envoy
Expert help on Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Automated, federated traffic mgmt policy configuration
Defines and enforces application connection behavior consistently everywhere
Automated reconcile of policy changes
Verifies and applies new configurations and policies
Your choice of cloud and on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Virtual machines (VMs) support
Easy bootstrapping of VMs to connect with containers and serverless upstream resources
Shape, shift, and transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Federated multi-cluster operations and policies
Manage and observe across clusters and even hybrid and multi-cloud deployments
Simple object access protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
A/B testing with Flagger integrations
Customize how you test application updates as canaries with a specified slice of inbound connections
WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Schema in Gloo Edge CRDs
Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
Helm usability improvements
Define your applications and configuration, including node affinity with the desired resource characteristics
Envoy Proxy-based
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream GraphQL
Embeds GraphQL querying into Gloo Edge

Use Cases

Apimgmt Use Case Tn@

API Gateways

Reduce complexity while increasing security, reliability, and observability for your applications.

Zero Trust Use Case Tn@

Zero Trust Security

Add comprehensive security controls to your service mesh.


Modern & Open

Gloo Gateway is built on extensible, cloud-native, Kubernetes-native open source software that can run in any environment.

Noun Cloud 2812119
  • AWS
  • Azure
  • Google Cloud
  • HashiCorp Nomad
  • Kubernetes
  • Red Hat Openstack
  • VMware
Connect Microservices
  • Containers
  • Monoliths
  • Serverless Functions
Serverless Integrations
  • AWS Lambda
  • Azure Functions
  • Google Functions
Security Integrations
  • HashiCorp Vault
  • Let’s Encrypt
  • Open Policy Agent (OPA)
Service Mesh
Service Mesh Integrations
  • AWS App Mesh
  • Gloo Mesh
  • HashiCorp Consul
  • Istio
  • Linkerd
GraphQL Integration
  • Lifecycle
  • Security
  • Reliability
  • Scalability
  • Observability

    ParkMobile partnered with Solo.io because we were looking for the most innovative and flexible solutions on the market to power our growing platform. With over 16 million users of our application and a complex ecosystem of integrations, ParkMobile relies on Gloo Gateway and the supporting product suite for best-in-class API gateway and hybrid application communications that also adds in the power of monitoring and security to ensure peak performance of our platform at all times.

    Matt Ball
    CTO, ParkMobile
  • Gameforge@

    Gameforge wanted to find new ways to optimise how our players access the 500+ servers for our online, browser-based, and mobile games. Gloo Gateway as an API gateway combines perfectly with our Kubernetes clusters to prepare our technology stack for future challenges. Gloo Gateway fulfilled all our requirements, including custom resources (CRDs), dynamic routing with JSON Web Tokens (JWT), and integration with Grafana.

    Hannes Anders
    CTO, Gameforge
  • As we look to break out our monolithic backend and deploy new microservices into Kubernetes, we needed a highly scalable API Gateway to not only aggregate the microservices into a coherent API, but remove duplication from within these microservices by centralizing features such as authentication and rate limiting. The configuration of Gloo Gateway via CRDs is a major advantage for our Infrastructure team and fits within our existing GitOps workflow.

    Jon Walton
    DevOps architect