Gloo Mesh Gateway, an add-on module for Gloo Mesh Enterprise, is a full-featured API gateway, built on Istio, for managing ingress and egress traffic to Kubernetes, VMs, and serverless functions.

An Istio-native API gateway for traffic ingress to microservices

Gloo Mesh Gateway provides a unified control plane for both edge and service mesh use cases, reducing the management complexity of keeping application and microservice connectivity policies, certs, and more consistent.

It offers all the capabilities of Gloo Edge such as integrated security (web application firewall, data loss prevention, mTLS encryption, authentication, and authorization), North-South rate limiting, WebAssembly (Wasm) extensibility, SOAP/XSLT transforms, and more.

Gloo Mesh Gateway inherits and incorporates all the strengths of our Envoy Proxy-based Gloo Edge product, making it a mature offering immediately.


Filter incoming application requests and route them to the appropriate upstream resources with advanced policies for security and reliability


Eliminate the complexity and hassle of having distinct, redundant control planes for your API gateways and service meshes


Manage policies, certs, and behavior uniformly across your environments for easier administration and reduced risk of configuration errors or security gaps

Now GA - Gloo Mesh Gateway version 1.0

“As users of the Gloo Edge Enterprise offering, we are looking forward to having the complexity of an Istio service mesh abstracted in one control plane combined with our current Gloo Edge gateway,” said Gert-Jan Groeninckx, DevOps team lead at Waylay.


What does Gloo Mesh Gateway do?

Istio-based north-south API gateway to govern and manage requests for services

How It Works

Gloo Mesh Gateway can be deployed in either a Layered Gateway configuration or a Virtual Gateway configuration depending on the requirements of your network architecture.

  • Layered Gateway
  • Virtual Gateway

In a Layered Gateway configuration, an Application Edge Gateway is configured to control and secure access to different container clusters and VMs in your environment.

This enables different traffic management, security policy and resiliency configurations to be applied at different layers in your application network.

In a Virtual Gateway configuration, multiple API gateways create a “virtual” destination, eliminating any single point of failure and reducing network latency.

The virtual gateway provides a single configuration point but is implemented as a decentralized API gateway. The virtual gateway can also be implemented across containers, VMs and hybrid services.

Feature Comparisons

Compare Gloo Mesh editions and basic open source Istio.


Editions compared: Gloo Mesh Enterprise, Gloo Mesh Open Source, Basic Open Source Istio

  • TLS/mTLS encryption: Provides end-to-end encryption to protect data in motion between end points
  • Multi-tenancy and isolation: Lets service meshes share resources securely
  • Federated trust domains: Safely authenticate users and applications across environments
  • Federated role-based access control and delegation: Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
  • Safe handling of signing cert and root rotation: Manage and execute SSL certificates from a centralized platform
  • Multi-cluster observability metrics/graph: Provides complete observability and auditability of all activity across the system
  • FIPS (140-2) compliant: Validated to meet strict security standards
  • Secure configuration model for cluster relay: Safely shares configurations across the system
  • Secrets integration (with Kubernetes & HashiCorp Vault): Manages sensitive credentials like passwords, tokens, and keys
  • OIDC/OAuth 2.0 flows: Manages authentication of users and applications
  • Built-in web application firewall (WAF): Open source ModSecurity screens traffic for threats and stops attacks
  • Data loss prevention (DLP): Monitors for data breaches or exfiltration to prevent data loss and data leaks
  • External Authentication: Integrates with API keys, JSON Web Tokens (JWT), Lightweight Directory Access Protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
  • Open Policy Agent (OPA) for authorization: Defines service API policies as code
  • Vulnerability scanning and publications: Finds, addresses, and alerts on weaknesses in the system
  • Multi-cluster dynamic routing: Handle exceptions and issues in connections gracefully
  • Retries, circuit breaker, timeouts: Handle exceptions and issues in connections gracefully
  • Priority failover routing: Defines in which order alternate resources should receive re-directed traffic in the event of a service outage
  • No-interruption updates: Rolls out new configurations and policies without requiring restarts or pausing operations
  • Published SLAs: Provide assurance that issues are responded to in a timely manner
  • Dynamic scaling to thousands of nodes: Robustly manages regular and unexpected variations and spikes in workloads
  • Simple global service naming: Use consistent naming across all clusters
  • Health checks: Confirm that the system is operating as expected
  • Advanced rate limiting: Define custom policies to handle more complex situations
  • Configuration validation: Makes sure that the system is deployed and defined correctly
  • Distributed tracing (integration with Jaeger): Facilitates root cause analysis of issues across the system
  • Multi-cluster security policies: Implement consistently across all environments to avoid exposure or risk of errors
  • Multi-version compatibility: Enables running different versions of Istio together so you can upgrade at will
  • Multi-mesh support: Gives you the ability to operate and manage heterogeneous multiple service meshes together
  • Multi-cluster observability (including Prometheus and Grafana): Collects system metrics in custom graphs to monitor and troubleshoot, and auditing for investigation
  • Cross-origin resource sharing (CORS): Sets policies for and pre-verifies which origins are allowed to connect to specified resources
  • Global service discovery: Finds and defines upstream resources (applications/microservices) that can be targets for connections
  • Admin dashboard GUI with multi-cluster views: Gives centralized observability and control of the whole system
  • Gloo Developer Portal (API mgmt): Enables publishing, sharing, GitOps calling, and monetization of defined APIs
  • Simplified API: Makes it easier to configure and use Istio and Envoy Proxy
  • Long-term version support: Covers releases of Istio and Envoy for at least a year so you can upgrade on your schedule
  • N-4 version patching & back-porting: Fixes bugs and security issues in current and four previous releases of Istio and Envoy
  • Expert help on Slack: For fast response to all your questions by an active public community and Solo engineers worldwide
  • Enterprise support: Helps quickly resolve issues in production environments via Slack, email, and phone
  • Federated multi-cluster operations & policies: Manage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments
  • Global service routing: Directs application connections across any environment for choice and reliability
  • Locality-aware load balancing: Manages routing of workloads across distributed resources to achieve best performance and results
  • Support for ARM processors: Operates efficiently on high performance processors for compute
  • Virtual machines (VMs) support: Enables connections to VMs alongside containers and serverless upstream resources
  • Your choice of cloud & on-premises environments: Lets you run consistently anywhere you choose to operate your applications
  • Serverless functions integration: Enables connections to AWS Lambda alongside containers and other upstream resources
  • Shape, shift, & transform traffic: To define exactly how you want requests to be processed and presented, and connect to diverse protocols
  • Simple object access protocol (SOAP) transforms: Tie in XML messaging protocols for legacy applications
  • Manage applications and operations on-demand
  • Upstream Istio: Enhances the popular open source project as a solid foundation for future-proof innovation
  • Upstream Envoy Proxy (managed by Istio): Enhances the popular open source project as a solid foundation for future-proof innovation
  • Kubernetes-native, pluggable: Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
  • Hybrid and multi-cloud support: Manage services running anywhere
  • Multi-cluster WebAssembly (Wasm): Provides the ability to define extensible custom filters for security and control