Enterprise Istio with multi-cluster and hybrid cloud management

Gloo Mesh Enterprise delivers a simplified and unified experience for ensuring connectivity, security, observability and reliability for Kubernetes, VMs, and microservices applications, and the support and guidance you need to deploy and operate Istio.

Gloo Mesh Istio service mesh management dashboard

Introducing Gloo Mesh Enterprise 1.1 and Gloo Mesh Gateway

Gloo Mesh 1.1 introduces the new Gloo Mesh Gateway (built on Istio), improved security with certificate management, ingress gateway discovery, improved observability, and extended N-4 version long-term enterprise support for Istio.

Request Trial Read the launch blog

How Gloo Mesh helps you

Gloo Mesh is an Istio-based service mesh and control plane that simplifies and unifies the configuration, operation and visibility of the service-to-service connectivity within distributed applications.

  • Istio lifecycle
    & Support
  • Federated multi-cluster
    & hybrid-cloud
  • Multi-tenancy
    and Self-service
  • Zero Trust
  • Extensibility

Comprehensive Istio and Envoy lifecycle management including installation/upgrade, inventory, and health checks for Greenfield and brownfield environments.
  • Enhanced distributions of upstream open-source Istio and Envoy Proxy
    • FIPS 140-2 ready builds
    • ARM processor support
  • Simplified, centralized Istio and Envoy management
    • Easy deployment via Kubernetes tooling
    • Configuration via Custom Resource Definitions (CRDs)
    • Seamlessly and safely upgrade your environment with no-interruption upgrades and policy changes
  • Production Support
    • N-4 version long term support (LTS) with SLAs
    • N-4 version backporting of patches and security fixes
Discover, connect, secure, encrypt, observe and troubleshoot application traffic within clusters, across clusters, clouds and hybrid-cloud environments from a single management plane.
  • Automated service discovery for applications/resources
    • Global portal with self-service API catalog and management
  • Global traffic routing, load balancing, and locality-aware failover
    • Global service naming
    • Intelligent/context-aware routing to optimize
    • Federated cross-cluster policies, config, and awareness
  • Multi-mesh observability with aggregated metrics
    • Centralized admin dashboard
    • Easy integration with Prometheus, Grafana, and other popular tools
  • Works with all major environments
    • Hybrid workloads: cloud-native, VMs and legacy applications
    • AWS, Azure, Google, Red Hat, VMware, and on-premises
Create self-service ‘workspaces’ by delegating ownership of service mesh API access, configuration, and policy to different roles including developers, SREs, operations, and sys admins.
  • Enable agility without sacrificing control by delegating API access, configuration, and policy to different roles
    • Create team-centric operations consoles
    • Control access with role-based access control (RBAC)
    • Create team workspaces (workspaces-as-a-service)
  • GitOps workflows and CI/CD integration
    • CRD driven and works flawlessly with existing GitOps processes
    • Tie-into your GitOps approval process, including rollback and delegation
    • Enhanced observability, distributed tracing, and debugging
  • Self-service developer portal for publishing, sharing, and tracking APIs
    • Empower development teams to manage and share their APIs
    • Catalog, publish, and securely share APIs via a self-service portal
    • Communicatie authentication/authorization, usage plans and policies
    • CRD-driven, no database required
    • Track API usage for show-back and charge-back
Easily implement a Zero Trust security model across all your application traffic patterns — ingress (external client to the application), in-cluster (service-to-service), and egress (application to external client)
  • Unified security controls for consistent organization-wide enforcement
    • Fine-grained point-to-point security
  • Identity and access management for users, applications, and microservices
    • Extensible authentication and authorization
    • Plugins with OAuth, etc.
  • Comprehensive security built-in
    • Encrypted communications with mutual transport-layer security (mTLS)
    • Certificate management and rotation for mTLS, encryption, and authentication
    • Web application firewall (WAF) based on ModSecurity
    • Data loss prevention (DLP) filters
    • FIPS 140-2 ready builds
Customize APIs with out-of-the-box extensions, create custom filters and protocol transformations or utilize pre-built integrations.
  • Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
  • Tailor pre-built filters for Web Application Firewall (WAF), Data Loss Prevention (DLP) and Request and Response Transition
  • Integrated WebAssembly support enables customization of Envoy proxies with custom filters written in any language
    • Build custom filters using multiple languages
    • Dynamically update Envoy without restarts
    • Comprehensive process to build, push, share APIs with WebAssembly Hub
  • Connect to legacy applications via SOAP/XSLT
    • Use XSLT (Extensible Stylesheet Language Transformations) to modernize SOAP/XML clients and endpoints
    • Utilizes high performance architecture with XSLT engine embedded into Envoy
  • gRPC - Define, connect, and scale services across platforms
  • Support for serverless functions
    • Integrate containerized applications and AWS Lambda

How It Works

Gloo Mesh manages your service mesh, including API gateways for Ingress and the application edge.

Istio-based north-south API gateway to govern and manage requests for services
  • Certificate management and rotation
    • Integrate with Identity & Access Management systems to leverage existing security policies
      • Enforce authentication, authorization, and encryption including mTLS
        • Manage request routing, rate-limiting, load balancing, circuit breaking and failover traffic based on locality and affinity rules
          • Protect against attacks with a built-in web application firewall (WAF)
            • Guard against sensitive info breaches with data loss prevention (DLP)
              • Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
                • Transformations filter / SOAP
                  Manage cluster ingress (and egress) for Kubernetes clusters, VMs, and legacy applications:
                  • FIPS-ready Istio-based service mesh
                    • Automated Service and API Discovery
                      • Enforce zero-trust security with authentication, authorization, and encryption
                        • Apply custom policies to route, filter, and transform L4 and L7 traffic
                          • Manage retries, timeouts, and circuit breakers
                            • Load balance and failover traffic based on locality and affinity rules
                              • Guard against sensitive info breaches with data loss prevention
                                • Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
                                  Extend and customize your API infrastructure with tooling for WebAssembly, plugins, and operators
                                  • Delegate authentication using OpenID Connect
                                    • Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
                                      • Extend Envoy Proxy capabilities with pre-built extensions including:
                                        • Web Application Firewall (WAF)
                                        • Data Lost Prevention (DLP)
                                        • AWS Lambda
                                        • Request and Response Transition
                                        • SOAP
                                      • Create custom Envoy Proxy filters with Web Assembly (Wasm)
                                        Catalog, publish, and securely share APIs via a self-service portal
                                        • CRD driven and works flawlessly with existing GitOps and CI/CD processes
                                          • Accelerate developer onboarding with self-service documentation, and self-service sign up
                                            • Manage gRPC APIs and REST APIs in the same developer portal
                                              • Upload existing OpenAPI and proto documents to build the catalog
                                                • Communicatie authentication/authorization, usage plans and policies
                                                  • Showback, chargeback, and usage tracking of APIs
                                                    • Supports REST and gRPC APIs
                                                      • No database required
                                                        Gloo Mesh provides a Kubernetes-native management plane, an enhanced Istio distribution, and enhancements to Envoy Proxy delivering API gateway and service mesh capabilities.

                                                        Key Capabilities Include:
                                                        • Istio Lifecycle Management
                                                          • Security
                                                            • Traffic Management
                                                              • Global Routing & Failover
                                                                • Policy Management
                                                                  • Global Service Discovery
                                                                    • Multi-tenacy & RBAC
                                                                      • Extensibility
                                                                        • Multi-cluster Observability
                                                                          • Multi-cluster Operations

                                                                            Feature Comparisons

                                                                            Compare Gloo Mesh editions and basic open source Istio.

                                                                            Download Comparison Sheet >

                                                                            Gloo Mesh Enterprise

                                                                            Request Trial

                                                                            Gloo Mesh
                                                                            Open Source


                                                                            Basic Open Source Istio

                                                                            TLS/mTLS encryption
                                                                            Provides end-to-end encryption to protect data in motion between end points
                                                                            Multi-tenancy and isolation
                                                                            Lets service meshes share resources securely
                                                                            Federated trust domains
                                                                            Safely authenticate users and applications across environments
                                                                            Federated role-based access control and delegation
                                                                            Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
                                                                            Safe handling of signing cert and Root rotation
                                                                            Manage and execute SSL certificates from a centralized platform
                                                                            Multi-cluster observability metrics/graph
                                                                            Provides complete observability and auditability of all activity across the system
                                                                            FIPS (140-2) compliant
                                                                            Validated to meet strict security standards
                                                                            Secure configuration model for cluster relay
                                                                            Safely shares configurations across the system
                                                                            Secrets integration (with Kubernetes & Hashicorp Vault)
                                                                            Manages sensitive credentials like passwords, tokens, and keys
                                                                            OIDC/Oauth 2.0 flows
                                                                            Manages authentication of users and applications
                                                                            Built-in web application firewall (WAF)
                                                                            Open source ModSecurity screens traffic for threats and stops attacks
                                                                            Data loss prevention (DLP)
                                                                            Monitors for data breaches or exfiltration to prevent data loss and data leaks
                                                                            External Authentication
                                                                            Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
                                                                            Open Policy Agent (OPA) for authorization
                                                                            Defines service API policies as code
                                                                            Vulnerability scanning and publications
                                                                            Finds, addresses, and alerts on weaknesses in the system
                                                                            Multi-cluster dynamic routing
                                                                            Steers connections on-the-fly to available resources across clusters as needed
                                                                            Retries, circuit breaker, timeouts
                                                                            Handle exceptions and issues in connections gracefully
                                                                            Priority failover routing
                                                                            Defines in which order alternate resources should receive re-directed traffic in the event of a service outage
                                                                            No-interruption updates
                                                                            Rolls out new configurations and policies without requiring restarts or pausing operations
                                                                            Published SLAs
                                                                            Provide assurance that issues are responded to in a timely manner
                                                                            Dynamic scaling to thousands of nodes
                                                                            Robustly manages regular and unexpected variations and spikes in workloads
                                                                            Simplified Global-Service Naming
                                                                            Use consistent naming across all clusters
                                                                            Health checks
                                                                            Confirm that the system is operating as expected
                                                                            Advanced rate limiting
                                                                            Define custom policies to handle more complex situations
                                                                            Configuration validation
                                                                            Makes sure that the system is deployed and defined correctly
                                                                            Distributed tracing (integration with Jaeger)
                                                                            Facilitates root cause analysis of issues across the system
                                                                            Multi-cluster security policies
                                                                            Implement consistently across all environments to avoid exposure or risk of errors
                                                                            Multi-version compatibility
                                                                            Enables running different versions of Istio together so you can upgrade at will
                                                                            Multi-mesh support
                                                                            Gives you the ability to operate and manage heterogeneous multiple service meshes together
                                                                            Multi-cluster observability (including Prometheus and Grafana)
                                                                            Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
                                                                            Displays system metrics in user-friendly graphs and enables building custom dashboards
                                                                            Cross-origin resource sharing (CORS)
                                                                            Set policies for and pre-verifies which origins are allowed to connect to specified resources
                                                                            Global service discovery
                                                                            Finds and defines upstream resources (applications/microservices) that can be targets for connections
                                                                            Admin dashboard GUI with multi-cluster views
                                                                            Gives centralized observability and control of the whole system
                                                                            Gloo Developer Portal (API mgmt)
                                                                            Enables publishing, sharing, GitOps calling, and monetization of defined APIs
                                                                            Simplified API
                                                                            Makes it easier to configure and use Istio and Envoy Proxy
                                                                            Long-term version support
                                                                            Covers releases of Istio and Envoy for at least a year so you can upgrade on your schedule
                                                                            N-4 version patching & back-porting
                                                                            Fixes bugs and security issues in current and four previous releases of Istio and Envoy
                                                                            Expert help on Slack
                                                                            For fast response to all your questions by an active public community and Solo engineers worldwide
                                                                            Enterprise support
                                                                            Helps quickly resolve issues in production environments via Slack, email, and phone
                                                                            Federated multi-cluster operations & policies
                                                                            Manage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments
                                                                            Global service routing
                                                                            Directs application connections across any environment for choice and reliability
                                                                            Locality-aware load balancing
                                                                            Manages routing of workloads across distributed resources to achieve best performance and results
                                                                            Support for ARM processors
                                                                            Operates efficiently on high performance processors for compute
                                                                            Virtual machines (VMs) support
                                                                            Enables connections to VMs alongside containers and serverless upstream resources
                                                                            Your choice of cloud & on-premises environments
                                                                            Lets you run consistently anywhere you choose to operate your applications
                                                                            Serverless functions integration
                                                                            Enables connections to AWS Lambda alongside containers and other upstream resources
                                                                            Shape, shift, & transform traffic
                                                                            To define exactly how you want requests to be processed and presented, and connect to diverse protocols
                                                                            Simple object access protocol (SOAP) transforms
                                                                            Tie in XML messaging protocols for legacy applications
                                                                            Manage applications and operations on-demand
                                                                            Upstream Istio
                                                                            Enhances the popular open source project as a solid foundation for future-proof innovation
                                                                            Upstream Envoy Proxy (managed by istio
                                                                            Enhances the popular open source project as a solid foundation for future-proof innovation
                                                                            Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
                                                                            Hybrid and multi-cloud support
                                                                            Manage services running anywhere
                                                                            Multi-cluster WebAssembly (Wasm)
                                                                            Provides the ability to define extensible custom filters for security and control

                                                                            Gloo Portal is now included with Gloo Mesh Enterprise

                                                                            Gloo Mesh Enterprise now includes a multi-cluster, Istio-based developer portal

                                                                            Read the BlogMore Details

                                                                            Gloo Mesh Gateway is now available with Gloo Mesh Enterprise

                                                                            Gloo Mesh Gateway is an Istio-based API gateway to manage North-South traffic

                                                                            Read the BlogMore Details

                                                                            Use Cases

                                                                            API Gateway Integration

                                                                            Easily integrate traffic management into (north/south) and within (east/west) your cluster. Gloo Mesh integrates with the Gloo Edge API Gateway for end to end security, encryption and traffic control of your application traffic.
                                                                            Learn More

                                                                            Multi Cluster Management

                                                                            Streamline management of your mesh across different clusters in your environment and across the software delivery lifecycle. Avoid issues of potential misconfigurations and manage multiple clusters consistently with a unified dashboard.
                                                                            Learn More


                                                                            Get the freedom to choose any service mesh today and tomorrow on any infrastructure, and operate them together from a unified dashboard. Group disparate meshes into a single flat network and operate them as a single logical mesh.
                                                                            Learn More

                                                                            Request a Live Demo

                                                                            See Gloo Mesh in action

                                                                            Request Demo

                                                                            See A Recorded Demo

                                                                            Tour key features of Gloo Mesh

                                                                            Watch Now

                                                                            Get Started Now

                                                                            Read the docs

                                                                            Get Started

                                                                            Solo was an early adopter building the Gloo API gateway on Envoy. Then as Istio has matured and customer demand for it grows, it’s great to see Gloo Mesh Enterprise offer an Istio-powered service mesh and solve problems for customers running in multiple clusters.

                                                                            Craig Box Cloud Native Advocacy Lead, Google Cloud