Enterprise Istio with multi-cluster and hybrid cloud management
Gloo Mesh Enterprise delivers a simplified and unified experience for ensuring connectivity, security, observability and reliability for Kubernetes, VMs, and microservices applications, and the support and guidance you need to deploy and operate Istio.
Introducing Gloo Mesh Enterprise 1.1 and Gloo Mesh Gateway
Gloo Mesh 1.1 introduces the new Gloo Mesh Gateway (built on Istio), improved security with certificate management, ingress gateway discovery, improved observability, and extended N-4 version long-term enterprise support for Istio.
Request Trial Read the launch blogHow Gloo Mesh helps you
Gloo Mesh is an Istio-based service mesh and control plane that simplifies and unifies the configuration, operation and visibility of the service-to-service connectivity within distributed applications.
Comprehensive Istio and Envoy lifecycle management including installation/upgrade, inventory, and health checks for Greenfield and brownfield environments.
- Enhanced distributions of upstream open-source Istio and Envoy Proxy
- FIPS 140-2 ready builds
- ARM processor support
- Simplified, centralized Istio and Envoy management
- Easy deployment via Kubernetes tooling
- Configuration via Custom Resource Definitions (CRDs)
- Seamlessly and safely upgrade your environment with no-interruption upgrades and policy changes
- Production Support
- N-4 version long term support (LTS) with SLAs
- N-4 version backporting of patches and security fixes
Discover, connect, secure, encrypt, observe and troubleshoot application traffic within clusters, across clusters, clouds and hybrid-cloud environments from a single management plane.
- Automated service discovery for applications/resources
- Global portal with self-service API catalog and management
- Global traffic routing, load balancing, and locality-aware failover
- Global service naming
- Intelligent/context-aware routing to optimize
- Federated cross-cluster policies, config, and awareness
- Multi-mesh observability with aggregated metrics
- Centralized admin dashboard
- Easy integration with Prometheus, Grafana, and other popular tools
- Works with all major environments
- Hybrid workloads: cloud-native, VMs and legacy applications
- AWS, Azure, Google, Red Hat, VMware, and on-premises
Create self-service ‘workspaces’ by delegating ownership of service mesh API access, configuration, and policy to different roles including developers, SREs, operations, and sys admins.
- Enable agility without sacrificing control by delegating API access, configuration, and policy to different roles
- Create team-centric operations consoles
- Control access with role-based access control (RBAC)
- Create team workspaces (workspaces-as-a-service)
- GitOps workflows and CI/CD integration
- CRD driven and works flawlessly with existing GitOps processes
- Tie-into your GitOps approval process, including rollback and delegation
- Enhanced observability, distributed tracing, and debugging
- Self-service developer portal for publishing, sharing, and tracking APIs
- Empower development teams to manage and share their APIs
- Catalog, publish, and securely share APIs via a self-service portal
- Communicatie authentication/authorization, usage plans and policies
- CRD-driven, no database required
- Track API usage for show-back and charge-back
Easily implement a Zero Trust security model across all your application traffic patterns — ingress (external client to the application), in-cluster (service-to-service), and egress (application to external client)
- Unified security controls for consistent organization-wide enforcement
- Fine-grained point-to-point security
- Identity and access management for users, applications, and microservices
- Extensible authentication and authorization
- Plugins with OAuth, etc.
- Comprehensive security built-in
- Encrypted communications with mutual transport-layer security (mTLS)
- Certificate management and rotation for mTLS, encryption, and authentication
- Web application firewall (WAF) based on ModSecurity
- Data loss prevention (DLP) filters
- FIPS 140-2 ready builds
Customize APIs with out-of-the-box extensions, create custom filters and protocol transformations or utilize pre-built integrations.
- Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
- Tailor pre-built filters for Web Application Firewall (WAF), Data Loss Prevention (DLP) and Request and Response Transition
- Integrated WebAssembly support enables customization of Envoy proxies with custom filters written in any language
- Build custom filters using multiple languages
- Dynamically update Envoy without restarts
- Comprehensive process to build, push, share APIs with WebAssembly Hub
- Connect to legacy applications via SOAP/XSLT
- Use XSLT (Extensible Stylesheet Language Transformations) to modernize SOAP/XML clients and endpoints
- Utilizes high performance architecture with XSLT engine embedded into Envoy
- gRPC - Define, connect, and scale services across platforms
- Support for serverless functions
- Integrate containerized applications and AWS Lambda
How It Works
Gloo Mesh manages your service mesh, including API gateways for Ingress and the application edge.
1Gloo Mesh Gateway
1
Istio-based north-south API gateway to govern and manage requests for services
- Certificate management and rotation
- Integrate with Identity & Access Management systems to leverage existing security policies
- Enforce authentication, authorization, and encryption including mTLS
- Manage request routing, rate-limiting, load balancing, circuit breaking and failover traffic based on locality and affinity rules
- Protect against attacks with a built-in web application firewall (WAF)
- Guard against sensitive info breaches with data loss prevention (DLP)
- Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
- Transformations filter / SOAP
2Gloo Mesh Core
2
Manage cluster ingress (and egress) for Kubernetes clusters, VMs, and legacy applications:
- FIPS-ready Istio-based service mesh
- Automated Service and API Discovery
- Enforce zero-trust security with authentication, authorization, and encryption
- Apply custom policies to route, filter, and transform L4 and L7 traffic
- Manage retries, timeouts, and circuit breakers
- Load balance and failover traffic based on locality and affinity rules
- Guard against sensitive info breaches with data loss prevention
- Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
3Gloo Mesh Extensions
3
Extend and customize your API infrastructure with tooling for WebAssembly, plugins, and operators
- Delegate authentication using OpenID Connect
- Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
- Extend Envoy Proxy capabilities with pre-built extensions including:
- Web Application Firewall (WAF)
- Data Lost Prevention (DLP)
- AWS Lambda
- Request and Response Transition
- SOAP
- Create custom Envoy Proxy filters with Web Assembly (Wasm)
4Developer Portal
4
Catalog, publish, and securely share APIs via a self-service portal
- CRD driven and works flawlessly with existing GitOps and CI/CD processes
- Accelerate developer onboarding with self-service documentation, and self-service sign up
- Manage gRPC APIs and REST APIs in the same developer portal
- Upload existing OpenAPI and proto documents to build the catalog
- Communicatie authentication/authorization, usage plans and policies
- Showback, chargeback, and usage tracking of APIs
- Supports REST and gRPC APIs
- No database required
Gloo Mesh provides a Kubernetes-native management plane, an enhanced Istio distribution, and enhancements to Envoy Proxy delivering API gateway and service mesh capabilities.
Key Capabilities Include:
- Istio Lifecycle Management
- Security
- Traffic Management
- Global Routing & Failover
- Policy Management
- Global Service Discovery
- Multi-tenacy & RBAC
- Extensibility
- Multi-cluster Observability
- Multi-cluster Operations
Feature ComparisonsCompare Gloo Mesh editions and basic open source Istio. Download Comparison Sheet > |  Basic Open Source Istio |
|---|
Secure
TLS/mTLS encryptionProvides end-to-end encryption to protect data in motion between end points | |||
Multi-tenancy and isolationLets service meshes share resources securely | |||
Federated trust domainsSafely authenticate users and applications across environments | |||
Federated role-based access control and delegationGrants permissions to users appropriate to their responsibility and applies them consistently everywhere | |||
Safe handling of signing cert and Root rotationManage and execute SSL certificates from a centralized platform | |||
Multi-cluster observability metrics/graphProvides complete observability and auditability of all activity across the system | |||
FIPS (140-2) compliantValidated to meet strict security standards | |||
Secure configuration model for cluster relaySafely shares configurations across the system | |||
Secrets integration (with Kubernetes & Hashicorp Vault)Manages sensitive credentials like passwords, tokens, and keys | |||
OIDC/Oauth 2.0 flowsManages authentication of users and applications | |||
Built-in web application firewall (WAF)Open source ModSecurity screens traffic for threats and stops attacks | |||
Data loss prevention (DLP)Monitors for data breaches or exfiltration to prevent data loss and data leaks | |||
External AuthenticationIntegrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services | |||
Open Policy Agent (OPA) for authorizationDefines service API policies as code | |||
Vulnerability scanning and publicationsFinds, addresses, and alerts on weaknesses in the system |
Reliable
Multi-cluster dynamic routingSteers connections on-the-fly to available resources across clusters as needed | Limited | ||
Retries, circuit breaker, timeoutsHandle exceptions and issues in connections gracefully | |||
Priority failover routingDefines in which order alternate resources should receive re-directed traffic in the event of a service outage | |||
No-interruption updatesRolls out new configurations and policies without requiring restarts or pausing operations | |||
Published SLAsProvide assurance that issues are responded to in a timely manner | |||
Dynamic scaling to thousands of nodesRobustly manages regular and unexpected variations and spikes in workloads | |||
Simplified Global-Service NamingUse consistent naming across all clusters | Limited | ||
Health checksConfirm that the system is operating as expected | |||
Advanced rate limitingDefine custom policies to handle more complex situations | |||
Configuration validationMakes sure that the system is deployed and defined correctly |
Unified
Distributed tracing (integration with Jaeger)Facilitates root cause analysis of issues across the system | |||
Multi-cluster security policiesImplement consistently across all environments to avoid exposure or risk of errors | |||
Multi-version compatibilityEnables running different versions of Istio together so you can upgrade at will | |||
Multi-mesh supportGives you the ability to operate and manage heterogeneous multiple service meshes together | |||
Multi-cluster observability (including Prometheus and Grafana)Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation Displays system metrics in user-friendly graphs and enables building custom dashboards | |||
Cross-origin resource sharing (CORS)Set policies for and pre-verifies which origins are allowed to connect to specified resources | |||
Global service discoveryFinds and defines upstream resources (applications/microservices) that can be targets for connections | |||
Admin dashboard GUI with multi-cluster viewsGives centralized observability and control of the whole system | |||
Gloo Developer Portal (API mgmt)Enables publishing, sharing, GitOps calling, and monetization of defined APIs |
Easy
Simplified APIMakes it easier to configure and use Istio and Envoy Proxy | |||
Long-term version supportCovers releases of Istio and Envoy for at least a year so you can upgrade on your schedule | |||
N-4 version patching & back-portingFixes bugs and security issues in current and four previous releases of Istio and Envoy | |||
Expert help on SlackFor fast response to all your questions by an active public community and Solo engineers worldwide | |||
Enterprise supportHelps quickly resolve issues in production environments via Slack, email, and phone | |||
Federated multi-cluster operations & policiesManage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments |
Comprehensive
Global service routingDirects application connections across any environment for choice and reliability | |||
Locality-aware load balancingManages routing of workloads across distributed resources to achieve best performance and results | |||
Support for ARM processorsOperates efficiently on high performance processors for compute | |||
Virtual machines (VMs) supportEnables connections to VMs alongside containers and serverless upstream resources | |||
Your choice of cloud & on-premises environmentsLets you run consistently anywhere you choose to operate your applications | |||
Serverless functions integrationEnables connections to AWS Lambda alongside containers and other upstream resources | |||
Shape, shift, & transform trafficTo define exactly how you want requests to be processed and presented, and connect to diverse protocols | |||
Simple object access protocol (SOAP) transformsTie in XML messaging protocols for legacy applications | |||
GitOpsManage applications and operations on-demand |
Modern & Open
Upstream IstioEnhances the popular open source project as a solid foundation for future-proof innovation | |||
Upstream Envoy Proxy (managed by istioEnhances the popular open source project as a solid foundation for future-proof innovation | |||
Kubernetes-nativeDesigned to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs) | |||
Hybrid and multi-cloud supportManage services running anywhere | |||
Multi-cluster WebAssembly (Wasm)Provides the ability to define extensible custom filters for security and control |
Gloo Portal is now included with Gloo Mesh Enterprise
Gloo Mesh Enterprise now includes a multi-cluster, Istio-based developer portal
Read the BlogMore Details
Gloo Mesh Gateway is now available with Gloo Mesh Enterprise
Gloo Mesh Gateway is an Istio-based API gateway to manage North-South traffic
Read the BlogMore DetailsUse Cases
Solo was an early adopter building the Gloo API gateway on Envoy. Then as Istio has matured and customer demand for it grows, it’s great to see Gloo Mesh Enterprise offer an Istio-powered service mesh and solve problems for customers running in multiple clusters.
Craig Box Cloud Native Advocacy Lead, Google Cloud