Enterprise Istio with multi-cluster and hybrid cloud management

Gloo Mesh Enterprise delivers a simplified and unified experience for ensuring connectivity, security, observability and reliability for Kubernetes, VMs, and microservices applications, and the support and guidance you need to deploy and operate Istio.

GraphQL with Gloo Edge and Gloo Mesh

Solo.io will be releasing GraphQL soon. Learn more about how you can combine GraphQL with Gloo Mesh and Gloo Edge.

Learn More

Introducing Gloo Mesh Enterprise 1.2

Gloo Mesh 1.2 continues to deliver on our promise of building the industry’s most robust, reliable, and easy to manage Istio-based service mesh. To see firsthand the reliability and usability enhancements included, request a product trial today.

Request Trial

How Gloo Mesh helps you

Gloo Mesh is an Istio-based service mesh and control plane that simplifies and unifies the configuration, operation and visibility of the service-to-service connectivity within distributed applications.

  • Istio lifecycle
    and support
  • Federated multi-cluster
    and hybrid-cloud
  • Multi-tenancy
    and self-service
  • Zero trust
  • Extensibility

Comprehensive Istio and Envoy lifecycle management including installation/upgrade, inventory, and health checks for Greenfield and brownfield environments.
  • Enhanced distributions of upstream open-source Istio and Envoy Proxy
    • FIPS 140-2 ready builds
    • ARM processor support
  • Simplified, centralized Istio and Envoy management
    • Easy deployment via Kubernetes tooling
    • Configuration via Custom Resource Definitions (CRDs)
    • Seamlessly and safely upgrade your environment with no-interruption upgrades and policy changes
  • Production Support
    • N-4 version long term support (LTS) with SLAs
    • N-4 version backporting of patches and security fixes
Discover, connect, secure, encrypt, observe and troubleshoot application traffic within clusters, across clusters, clouds and hybrid-cloud environments from a single management plane.
  • Automated service discovery for applications/resources
    • Global portal with self-service API catalog and management
  • Global traffic routing, load balancing, and locality-aware failover
    • Global service naming
    • Intelligent/context-aware routing to optimize reliability
    • Federated cross-cluster policies, config, and awareness
  • Multi-mesh observability with aggregated metrics
    • Centralized admin dashboard
    • Easy integration with Prometheus, Grafana, and other popular tools
  • Works with all major environments
    • Hybrid workloads: cloud-native, VMs and legacy applications
    • AWS, Azure, Google, Red Hat, VMware, and on-premises
Create self-service ‘workspaces’ by delegating ownership of service mesh API access, configuration, and policy to different roles including developers, SREs, operations, and sys admins.
  • Enable agility without sacrificing control by delegating API access, configuration, and policy to different roles
    • Create team-centric operations consoles
    • Control access with role-based access control (RBAC)
    • Create team workspaces (workspaces-as-a-service)
  • GitOps workflows and CI/CD integration
    • CRD driven and works flawlessly with existing GitOps processes
    • Tie-into your GitOps approval process, including rollback and delegation
    • Enhanced observability, distributed tracing, and debugging
  • Self-service developer portal for publishing, sharing, and tracking APIs
    • Empower development teams to manage and share their APIs
    • Catalog, publish, and securely share APIs via a self-service portal
    • Communicatie authentication/authorization, usage plans and policies
    • CRD-driven, no database required
    • Track API usage for show-back and charge-back
Easily implement a Zero Trust security model across all your application traffic patterns — ingress (external client to the application), in-cluster (service-to-service), and egress (application to external client)
  • Unified security controls for consistent organization-wide enforcement
    • Fine-grained point-to-point security
  • Identity and access management for users, applications, and microservices
    • Extensible authentication and authorization
    • Plugins with OAuth, etc.
  • Comprehensive security built-in
    • Encrypted communications with mutual transport-layer security (mTLS)
    • Certificate management and rotation for mTLS, encryption, and authentication
    • Web application firewall (WAF) based on ModSecurity
    • Data loss prevention (DLP) filters
    • FIPS 140-2 ready builds
Customize APIs with out-of-the-box extensions, create custom filters and protocol transformations or utilize pre-built integrations.
  • Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
  • Tailor pre-built filters for Web Application Firewall (WAF), Data Loss Prevention (DLP) and Request and Response Transition
  • Integrated WebAssembly support enables customization of Envoy proxies with custom filters written in any language
    • Build custom filters using multiple languages
    • Dynamically update Envoy without restarts
    • Comprehensive process to build, push, share APIs with WebAssembly Hub
  • Connect to legacy applications via SOAP/XSLT
    • Use XSLT (Extensible Stylesheet Language Transformations) to modernize SOAP/XML clients and endpoints
    • Utilizes high performance architecture with XSLT engine embedded into Envoy
  • gRPC - Define, connect, and scale services across platforms
  • Support for serverless functions
    • Integrate containerized applications and AWS Lambda

How It Works

Gloo Mesh manages your service mesh, including API gateways for Ingress and the application edge.

Istio-based north-south API gateway to govern and manage requests for services
  • Certificate management and rotation
  • Integrate with Identity & Access Management systems to leverage existing security policies
  • Enforce authentication, authorization, and encryption including mTLS
  • Manage request routing, rate-limiting, load balancing, circuit breaking and failover traffic based on locality and affinity rules
  • Protect against attacks with a built-in web application firewall (WAF)
  • Guard against sensitive info breaches with data loss prevention (DLP)
  • Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
  • Transformations filter / SOAP
Manage cluster ingress (and egress) for Kubernetes clusters, VMs, and legacy applications:
  • FIPS-ready Istio-based service mesh
  • Automated Service and API Discovery
  • Enforce zero-trust security with authentication, authorization, and encryption
  • Apply custom policies to route, filter, and transform L4 and L7 traffic
  • Manage retries, timeouts, and circuit breakers
  • Load balance and failover traffic based on locality and affinity rules
  • Guard against sensitive info breaches with data loss prevention
  • Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
Gloo Mesh integrates with GraphQL to enable a secure and scalable approach to querying your APIs directly in your service mesh. Key capabilities include:
  • A unified endpoint to query all your services and data
  • A complete description of the data in an API
  • No need to build separate GraphQL servers or manage libraries
  • Use GraphQL with Gloo Portal for GitOps and CI/CD
Extend and customize your API infrastructure with tooling for WebAssembly, plugins, and operators
  • Delegate authentication using OpenID Connect
  • Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
  • Extend Envoy Proxy capabilities with pre-built extensions including:
    • Web Application Firewall (WAF)
    • Data Lost Prevention (DLP)
    • AWS Lambda
    • Request and Response Transition
    • SOAP
  • Create custom Envoy Proxy filters with Web Assembly (Wasm)
Catalog, publish, and securely share APIs via a self-service portal
  • CRD driven and works flawlessly with existing GitOps and CI/CD processes
  • Accelerate developer onboarding with self-service documentation, and self-service sign up
  • Manage gRPC APIs and REST APIs in the same developer portal
  • Upload existing OpenAPI and proto documents to build the catalog
  • Communicatie authentication/authorization, usage plans and policies
  • Showback, chargeback, and usage tracking of APIs
  • Supports REST and gRPC APIs
  • No database required
Gloo Mesh provides a Kubernetes-native management plane, an enhanced Istio distribution, and enhancements to Envoy Proxy delivering API gateway and service mesh capabilities.

Key Capabilities Include:
  • Istio Lifecycle Management
  • Security
  • Traffic Management
  • Global Routing & Failover
  • Policy Management
  • Global Service Discovery
  • Multi-tenacy & RBAC
  • Extensibility
  • Multi-cluster Observability
  • Multi-cluster Operations

Feature Comparisons

Compare Gloo Mesh editions and basic open source Istio.

Download Comparison Sheet >

Gloo Mesh Enterprise

Request Trial

Gloo Mesh
Open Source


Basic Open Source Istio

TLS/mTLS encryption
Provides end-to-end encryption to protect data in motion between end points
Multi-tenancy and isolation
Lets service meshes share resources securely
Federated trust domains
Safely authenticate users and applications across environments
Federated role-based access control and delegation
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Safe handling of signing cert and Root rotation
Manage and execute SSL certificates from a centralized platform
Multi-cluster observability metrics/graph
Provides complete observability and auditability of all activity across the system
FIPS (140-2) compliant
Validated to meet strict security standards
Secure configuration model for cluster relay
Safely shares configurations across the system
Secrets integration (with Kubernetes & Hashicorp Vault)
Manages sensitive credentials like passwords, tokens, and keys
OIDC/Oauth 2.0 flows
Manages authentication of users and applications
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
External Authentication
Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Multi-cluster dynamic routing
Steers connections on-the-fly to available resources across clusters as needed
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Priority failover routing
Defines in which order alternate resources should receive re-directed traffic in the event of a service outage
No-interruption updates
Rolls out new configurations and policies without requiring restarts or pausing operations
Published SLAs
Provide assurance that issues are responded to in a timely manner
Dynamic scaling to thousands of nodes
Robustly manages regular and unexpected variations and spikes in workloads
Simplified Global-Service Naming
Use consistent naming across all clusters
Health checks
Confirm that the system is operating as expected
Advanced rate limiting
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Distributed tracing (integration with Jaeger)
Facilitates root cause analysis of issues across the system
Multi-cluster security policies
Implement consistently across all environments to avoid exposure or risk of errors
Multi-version compatibility
Enables running different versions of Istio together so you can upgrade at will
Multi-mesh support
Gives you the ability to operate and manage heterogeneous multiple service meshes together
Multi-cluster observability (including Prometheus and Grafana)
Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
Displays system metrics in user-friendly graphs and enables building custom dashboards
Cross-origin resource sharing (CORS)
Set policies for and pre-verifies which origins are allowed to connect to specified resources
Global service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
Simplified API
Makes it easier to configure and use Istio and Envoy Proxy
Long-term version support
Covers releases of Istio and Envoy for at least a year so you can upgrade on your schedule
N-4 version patching & back-porting
Fixes bugs and security issues in current and four previous releases of Istio and Envoy
Expert help on Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Federated multi-cluster operations & policies
Manage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments
Global service routing
Directs application connections across any environment for choice and reliability
Locality-aware load balancing
Manages routing of workloads across distributed resources to achieve best performance and results
Support for ARM processors
Operates efficiently on high performance processors for compute
Virtual machines (VMs) support
Enables connections to VMs alongside containers and serverless upstream resources
Your choice of cloud & on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Shape, shift, & transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Simple object access protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
Manage applications and operations on-demand
Upstream Istio
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream Envoy Proxy (managed by Istio)
Enhances the popular open source project as a solid foundation for future-proof innovation
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Hybrid and multi-cloud support
Manage services running anywhere
Multi-cluster WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control

Gloo Portal is now included with Gloo Mesh Enterprise

Gloo Mesh Enterprise now includes a multi-cluster, Istio-based developer portal

Gloo Mesh Gateway is now available with Gloo Mesh Enterprise

Gloo Mesh Gateway is an Istio-based API gateway to manage North-South traffic

GraphQL (coming soon) for Gloo Mesh Enterprise

Query GraphQL APIs using your Gloo Mesh service mesh

Use Cases

API Gateway Integration

Easily integrate traffic management into (north/south) and within (east/west) your cluster. Gloo Mesh integrates with the Gloo Edge API Gateway for end to end security, encryption and traffic control of your application traffic.
Learn More

Multi Cluster Management

Streamline management of your mesh across different clusters in your environment and across the software delivery lifecycle. Avoid issues of potential misconfigurations and manage multiple clusters consistently with a unified dashboard.
Learn More


Get the freedom to choose any service mesh today and tomorrow on any infrastructure, and operate them together from a unified dashboard. Group disparate meshes into a single flat network and operate them as a single logical mesh.
Learn More

Request a Live Demo

See Gloo Mesh in action

Request Demo

See A Recorded Demo

Tour key features of Gloo Mesh

Watch Now

Video FAQS

Watch a series of short videos about Istio and Gloo Mesh

Watch now

Solo was an early adopter building the Gloo API gateway on Envoy. Then as Istio has matured and customer demand for it grows, it’s great to see Gloo Mesh Enterprise offer an Istio-powered service mesh and solve problems for customers running in multiple clusters.

Craig Box Cloud Native Advocacy Lead, Google Cloud