An Istio-native API gateway for traffic ingress to microservices

What Is Gloo Mesh Gateway?

Gloo Mesh Gateway is a full-featured API gateway, built on Istio, for managing North-South traffic to Kubernetes, VMs, and serverless functions.

Gloo Mesh Gateway provides a unified, global control plane for both edge and service mesh use cases. It reduces complexity and increases security, reliability, and observability for consistent application and microservice connectivity.

It offers all the capabilities of Gloo Edge, such as integrated security (web application firewall, data loss prevention, mTLS encryption, authentication, and authorization), North-South rate limiting, WebAssembly (Wasm) extensibility, SOAP/XSLT transforms, and more.

Gloo Mesh Gateway inherits and incorporates all the strengths of our Envoy Proxy-based Gloo Edge product, making it a mature offering immediately.

MANAGE API CONNECTIVITY AT THE EDGE
Filter incoming application requests and route them to the appropriate upstream resources with advanced policies for security and reliability
TAKE CONTROL OF YOUR CONTROL PLANE
Eliminate the complexity and hassle of having distinct, redundant control planes for your API gateways and service meshes
UNIFY POLICIES FOR CONSISTENCY
Manage policies, certs, and behavior uniformly across your environments for easier administration and reduced risk of configuration errors or security gaps

Now GA - Gloo Mesh Gateway version 1.0

“As users of the Gloo Edge Enterprise offering, we are looking forward to having the complexity of an Istio service mesh abstracted in one control plane combined with our current Gloo Edge gateway,” said Gert-Jan Groeninckx, DevOps team lead at Waylay.

What Does Gloo Mesh Gateway Do?

Gloo Mesh is an Istio-based North-South API gateway to govern and manage requests for services

How It Works

Gloo Mesh Gateway can be deployed in either a Layered Gateway configuration or a Virtual Gateway configuration depending on the requirements of your network architecture.

  • Layered Gateway
  • Virtual Gateway

In a Layered Gateway configuration, an Application Edge Gateway is configured to control and secure access to different container clusters and VMs in your environment. This enables different traffic management, security policy and resiliency configurations to be applied at different layers in your application network.

In a Virtual Gateway configuration, multiple API gateways create a “virtual” destination, eliminating any single point of failure and reducing network latency. The virtual gateway provides a single configuration point but is implemented as a decentralized API gateway. The virtual gateway can also be implemented across containers, VMs and hybrid services.

Feature Comparisons

Istio provides basic API gateway capabilities. Gloo Mesh Enterprise (Core + Gateway) expands upon those capabilities.

Gloo Mesh Gateway

Basic Open Source Istio

TLS/mTLS encryption
Provides end-to-end encryption to protect data in motion between end points
Multi-tenancy and isolation
Lets service meshes support microservices that share resources securely
Federated trust domains
Safely authenticate users and applications across environments
Federated role-based access & delegation
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Safe handling of signing cert and Root rotation
Manage and execute SSL certificates from a centralized platform
Multi-cluster observability metrics/graph
Provides complete observability and auditability of all activity across the system
FIPS (140-2) compliant
Validated to meet strict security standards
Secure configuration model for cluster relay
Safely shares configurations across the system
Secrets integration (with Kubernetes & HashiCorp Vault)
Manages sensitive credentials like passwords, tokens, and keys
OIDC/OAuth 2.0 flows
Manages authentication of users and applications
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
External Authentication
Integrates with API keys, JSON Web Tokens (JWT), Lightweight Directory Access Protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Multi-cluster dynamic routing
Steers connections on-the-fly to available resources across clusters as needed
Limited
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Priority failover routing
Defines the order in which alternate resources should receive redirected traffic in the event of a service outage
No-interruption updates
Rolls out new configurations and policies without requiring restarts or pausing operations
Published SLAs
Provide assurance that issues are responded to in a timely manner
Dynamic scaling to thousands of nodes
Robustly manages regular and unexpected variations and spikes in workloads
Simplified Global-Service Naming
Use consistent naming across all clusters
Health checks
Confirm that the system is operating as expected
Advanced rate limiting
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Distributed tracing (integration with Jaeger)
Facilitates root cause analysis of issues across the system
Multi-cluster security policies
Implement consistently across all environments to avoid exposure or risk of errors
Multi-version compatibility
Enables running different versions of Istio together so you can upgrade at will
Multi-mesh support
Gives you the ability to operate and manage multiple heterogeneous service meshes together
Multi-cluster observability (including Prometheus and Grafana)
Collects system metrics in custom graphs for monitoring, troubleshooting, and auditing for investigation
Cross-origin resource sharing (CORS)
Sets policies for and pre-verifies which origins are allowed to connect to specified resources
Global service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
Simplified API
Makes it easier to configure and use Istio and Envoy Proxy
Long-term version support
Covers releases of Istio and Envoy for at least a year so you can upgrade on your schedule
N-4 Istio version patching/back-porting
Fixes bugs and security issues in current and four previous releases of Istio and Envoy
Expert help via Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Federated multi-cluster operations & policies
Manage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments
Global service routing
Directs application connections across any environment for choice and reliability
Locality-aware load balancing
Manages routing of workloads across distributed resources to achieve best performance and results
Support for ARM processors
Operates efficiently on high-performance processors for compute
Virtual machines (VMs) support
Enables connections to VMs alongside containers and serverless upstream resources
Your choice of cloud & on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Shape, shift, & transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Simple Object Access Protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
GitOps
Manage applications and operations on-demand
Upstream Istio
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream Envoy Proxy (managed by Istio)
Enhances the popular open source project as a solid foundation for future-proof innovation
Kubernetes-native, pluggable
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Hybrid and multi-cloud support
Manage across any and all environments
Multi-cluster WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control
