An Istio-native API gateway for traffic ingress to microservices
Gloo Mesh Gateway provides a unified control plane for both edge and service mesh use cases, reducing the complexity of managing consistent connectivity policies, certs, and more for applications and microservices.
It offers all the capabilities of Gloo Edge such as integrated security (web application firewall, data loss prevention, mTLS encryption, authentication, and authorization), North-South rate limiting, WebAssembly (Wasm) extensibility, SOAP/XSLT transforms, and more.
Gloo Mesh Gateway inherits and incorporates all the strengths of our Envoy Proxy-based Gloo Edge product, making it a mature offering immediately.
MANAGE API CONNECTIVITY AT THE EDGE
Filter incoming application requests and route them to the appropriate upstream resources with advanced policies for security and reliability
TAKE CONTROL OF YOUR CONTROL PLANE
Eliminate the complexity and hassle of having distinct, redundant control planes for your API gateways and service meshes
UNIFY POLICIES FOR CONSISTENCY
Manage policies, certs, and behavior uniformly across your environments for easier administration and reduced risk of configuration errors or security gaps
Now GA - Gloo Mesh Gateway version 1.0
“As users of the Gloo Edge Enterprise offering, we are looking forward to having the complexity of an Istio service mesh abstracted in one control plane combined with our current Gloo Edge gateway,” said Gert-Jan Groeninckx, DevOps team lead at Waylay.
What does Gloo Mesh Gateway do?
Istio-based north-south API gateway to govern and manage requests for services
Certificate management and rotation
Integrate with Identity & Access Management systems to leverage existing security policies
Enforce authentication, authorization, and encryption including mTLS
Manage request routing, rate-limiting, load balancing, circuit breaking and failover traffic based on locality and affinity rules
Protect against attacks with a built-in web application firewall (WAF)
Guard against sensitive info breaches with data loss prevention (DLP)
Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
Transformations filter / SOAP
How It Works
Gloo Mesh Gateway can be deployed in either a Layered Gateway configuration or a Virtual Gateway configuration depending on the requirements of your network architecture.
Feature Comparisons
Compare Gloo Mesh editions and basic open source Istio.

Secure

TLS/mTLS encryption: Provides end-to-end encryption to protect data in motion between end points
Multi-tenancy and isolation: Lets service meshes share resources securely
Federated trust domains: Safely authenticate users and applications across environments
Federated role-based access control and delegation: Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Safe handling of signing cert and Root rotation: Manage and execute SSL certificates from a centralized platform
Multi-cluster observability metrics/graph: Provides complete observability and auditability of all activity across the system
FIPS (140-2) compliant: Validated to meet strict security standards
Secure configuration model for cluster relay: Safely shares configurations across the system
Secrets integration (with Kubernetes & HashiCorp Vault): Manages sensitive credentials like passwords, tokens, and keys
OIDC/OAuth 2.0 flows: Manages authentication of users and applications
Built-in web application firewall (WAF): Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP): Monitors for data breaches or exfiltration to prevent data loss and data leaks
External Authentication: Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Open Policy Agent (OPA) for authorization: Defines service API policies as code
Vulnerability scanning and publications: Finds, addresses, and alerts on weaknesses in the system

Reliable

Multi-cluster dynamic routing: Handle exceptions and issues in connections gracefully
Limited
Retries, circuit breaker, timeouts: Handle exceptions and issues in connections gracefully
Priority failover routing: Defines in which order alternate resources should receive re-directed traffic in the event of a service outage
No-interruption updates: Rolls out new configurations and policies without requiring restarts or pausing operations
Published SLAs: Provide assurance that issues are responded to in a timely manner
Dynamic scaling to thousands of nodes: Robustly manages regular and unexpected variations and spikes in workloads
Simple global service naming: Use consistent naming across all clusters
Health checks: Confirm that the system is operating as expected
Advanced rate limiting: Define custom policies to handle more complex situations
Configuration validation: Makes sure that the system is deployed and defined correctly

Unified

Distributed tracing (integration with Jaeger): Facilitates root cause analysis of issues across the system
Multi-cluster security policies: Implement consistently across all environments to avoid exposure or risk of errors
Multi-version compatibility: Enables running different versions of Istio together so you can upgrade at will
Multi-mesh support: Gives you the ability to operate and manage heterogeneous multiple service meshes together
Multi-cluster observability (including Prometheus and Grafana): Collects system metrics in custom graphs to monitor and troubleshoot, and auditing for investigation
Cross-origin resource sharing (CORS): Sets policies for and pre-verifies which origins are allowed to connect to specified resources
Global service discovery: Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views: Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt): Enables publishing, sharing, GitOps calling, and monetization of defined APIs

Easy

Simplified API: Makes it easier to configure and use Istio and Envoy Proxy
Long-term version support: Covers releases of Istio and Envoy for at least a year so you can upgrade on your schedule
N-4 version patching & back-porting: Fixes bugs and security issues in current and four previous releases of Istio and Envoy
Expert help on Slack: For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support: Helps quickly resolve issues in production environments via Slack, email, and phone
Federated multi-cluster operations & policies: Manage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments

Comprehensive

Global service routing: Directs application connections across any environment for choice and reliability
Locality-aware load balancing: Manages routing of workloads across distributed resources to achieve best performance and results
Support for ARM processors: Operates efficiently on high performance processors for compute
Virtual machines (VMs) support: Enables connections to VMs alongside containers and serverless upstream resources
Your choice of cloud & on-premises environments: Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration: Enables connections to AWS Lambda alongside containers and other upstream resources
Shape, shift, & transform traffic: To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Simple object access protocol (SOAP) transforms: Tie in XML messaging protocols for legacy applications
GitOps: Manage applications and operations on-demand

Modern & Open

Upstream Istio: Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream Envoy Proxy (managed by Istio): Enhances the popular open source project as a solid foundation for future-proof innovation
Kubernetes-native, pluggable: Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Hybrid and multi-cloud support: Manage services running anywhere
Multi-cluster WebAssembly (Wasm): Provides the ability to define extensible custom filters for security and control