Unlocking the Power of Your API Gateway


Enterprise Istio with multi-tenancy, observability, and federated management

Gloo Mesh Enterprise delivers connectivity, security, observability, and reliability for Kubernetes, VMs, and microservices spanning single cluster to multi-cluster, hybrid environments, plus production support for Istio.

  • Mesh Workspace Details
  • Mesh Graph
  • Mesh Policies
  • Mesh Policy Details
  • Mesh Debug

Gloo Mesh 2.0 brings an enhanced UI, API, workspaces, and much more
Take a closer look at the new API in Gloo Mesh 2.0
Explore workspaces and multi-tenancy in Gloo Mesh 2.0
See a recorded demo of Gloo Mesh 2.0

How Gloo Mesh helps you

Gloo Mesh is an Istio-based service mesh and control plane that simplifies and unifies the configuration, operation and visibility of the service-to-service connectivity within distributed applications.

Comprehensive Istio and Envoy lifecycle management including installation/upgrade, inventory, and health checks for greenfield and brownfield environments.

  • Enhanced distributions of upstream open-source Istio and Envoy Proxy
    • Easy deployment, upgrade, and patching via Kubernetes tooling
    • ARM processor support
  • Simplified, centralized Istio and Envoy management
    • Easy deployment via Kubernetes tooling
    • CI/CD and GitOps-friendly deployments via Custom Resource Definitions (CRDs)
    • Seamlessly and safely upgrade your environment with no-interruption upgrades and policy changes
    • Simple mapping between Gloo Mesh and generated Istio resources
  • Production Support
    • N-4 version long term support (LTS)
    • N-4 version backporting of patches and security fixes
    • SLAs for vulnerability fixes in Istio across all supported versions

Discover, connect, secure, encrypt, observe and troubleshoot application traffic within clusters, across clusters, clouds and hybrid-cloud environments from a single management plane.

  • Automated service discovery for applications/resources
    • Global portal with self-service API catalog and management
  • Global traffic routing, load balancing, and locality-aware failover
    • Global service naming
    • Intelligent/context-aware routing to optimize
    • Federated cross-cluster policies, config, and awareness
  • Multi-mesh observability with aggregated metrics
    • Seamless experience for managing from one cluster to many, consistently for East/West and North/South traffic
    • Interactive, centralized admin dashboard showing flow of traffic, latency and speed
    • Easy integration with Prometheus, Grafana, and other popular tools
    • Distributes data and metrics to each applicable cluster
  • Works with all major environments
    • Hybrid workloads: cloud-native, VMs and legacy applications
    • AWS, Azure, Google, Red Hat, VMware, and on-premises

Create self-service ‘workspaces’ by delegating ownership of service mesh API access, configuration, and policy to different roles including developers, SREs, operations, and sys admins.

  • Users can work within their own workspace domain
    • Teams can explicitly share services with other workspaces
    • Abstracts away the complexity of multi-cluster configuration
    • Browse a service catalog listing other teams’ shared services
    • Configure defaults and permissions for teams and users
  • Enable agility without sacrificing control by delegating API access, configuration, and policy to different roles
    • Create team-centric operations consoles
    • Control access with role-based access control (RBAC)
    • Create team workspaces (workspaces-as-a-service)
  • GitOps workflows and CI/CD integration
    • CRD driven and works flawlessly with existing GitOps processes
    • Tie into your GitOps approval process, including rollback and delegation
    • Enhanced observability, distributed tracing, and debugging
  • Self-service developer portal for publishing, sharing, and tracking APIs
    • Empower development teams to manage and share their APIs
    • Catalog, publish, and securely share APIs via a self-service portal
    • Communicate authentication/authorization, usage plans and policies
    • CRD-driven, no database required
    • Track API usage for show-back and charge-back

Easily implement a Zero Trust security model across all your application traffic patterns — ingress (external client to the application), in-cluster (service-to-service), and egress (application to external client)

  • Unified security controls for consistent organization-wide enforcement
    • Fine-grained point-to-point security
  • Identity and access management for users, applications, and microservices
    • Extensible authentication and authorization
    • Plugins with OAuth, etc.
  • Comprehensive security built-in
    • Encrypted communications with mutual transport-layer security (mTLS)
    • Certificate management and rotation for mTLS, encryption, and authentication
    • Web application firewall (WAF) based on ModSecurity
    • Data loss prevention (DLP) filters
    • FIPS 140-2 ready builds

Enable a new sidecar-less data plane for Istio, Ambient Service Mesh. Reduce costs, simplify operations, and improve application performance. Fully compatible with existing Istio sidecar-proxy architecture.

  • Zero-Trust Security for Layer 4 or Layer 7
    • mTLS, Identity, and Advanced Filters
  • Flexible per-node Proxy (zTunnel) reduces overall costs by up to 90%
    • Reduces compute and memory cost per node
    • Simplifies Envoy Proxy deployments within the mesh
  • Removing the sidecar proxy improves operations
    • Simplifies deployments and upgrades

Customize APIs with out-of-the-box extensions, create custom filters and protocol transformations or utilize pre-built integrations.

  • Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
  • Tailor pre-built filters for Web Application Firewall (WAF), Data Loss Prevention (DLP) and Request and Response Transition
  • Integrated WebAssembly support enables customization of Envoy proxies with custom filters written in any language
    • Build custom filters using multiple languages
    • Dynamically update Envoy without restarts
    • Comprehensive process to build, push, share APIs with WebAssembly Hub
  • Connect to legacy applications via SOAP/XSLT
    • Use XSLT (Extensible Stylesheet Language Transformations) to modernize SOAP/XML clients and endpoints
    • Utilizes high performance architecture with XSLT engine embedded into Envoy
  • Easily Bootstrap VMs into your service mesh for legacy application support
  • gRPC - Define, connect, and scale services across platforms
  • Support for serverless functions
    • Integrate containerized applications and AWS Lambda

How It Works

Gloo Mesh manages your service mesh, including API gateways for Ingress and the application edge.

Istio-based north-south API gateway to govern and manage requests for services
  • Certificate management and rotation
  • Integrate with Identity & Access Management systems to leverage existing security policies
  • Enforce authentication, authorization, and encryption including mTLS
  • Manage request routing, rate-limiting, load balancing, circuit breaking and failover traffic based on locality and affinity rules
  • Protect against attacks with a built-in web application firewall (WAF)
  • Guard against sensitive info breaches with data loss prevention (DLP)
  • Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
  • Transformations filter / SOAP
Manage cluster ingress (and egress) for Kubernetes clusters, VMs, and legacy applications:
  • FIPS-ready Istio-based service mesh
  • Automated service and API discovery
  • Enforce zero-trust security with authentication, authorization, and encryption
  • Apply custom policies to route, filter, and transform L4 and L7 traffic
  • Manage retries, timeouts, and circuit breakers
  • Load balance and failover traffic based on locality and affinity rules
  • Guard against sensitive info breaches with data loss prevention
  • Collect metrics for observability, troubleshooting, and auditing with Prometheus and Grafana
Gloo Mesh integrates with GraphQL to enable a secure and scalable approach to querying your APIs directly in your service mesh. Key capabilities include:
  • A unified endpoint to query all your services and data
  • A complete description of the data in an API
  • No need to build separate GraphQL servers or manage libraries
  • Use GraphQL with Gloo Portal for GitOps and CI/CD
Extend and customize your API infrastructure with tooling for WebAssembly, plugins, and operators
  • Delegate authentication using OpenID Connect
  • Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
  • Extend Envoy Proxy capabilities with pre-built extensions including:
    • Web Application Firewall (WAF)
    • Data Loss Prevention (DLP)
    • AWS Lambda
    • Request and Response Transition
    • SOAP
  • Create custom Envoy Proxy filters with Web Assembly (Wasm)
Catalog, publish, and securely share APIs via a self-service portal
  • CRD driven and works flawlessly with existing GitOps and CI/CD processes
  • Accelerate developer onboarding with self-service documentation, and self-service sign up
  • Manage gRPC APIs and REST APIs in the same developer portal
  • Upload existing OpenAPI and proto documents to build the catalog
  • Communicate authentication/authorization, usage plans and policies
  • Showback, chargeback, and usage tracking of APIs
  • Supports REST and gRPC APIs
  • No database required
Gloo Mesh provides a Kubernetes-native management plane, an enhanced Istio distribution, and enhancements to Envoy Proxy delivering API gateway and service mesh capabilities.

Key Capabilities Include:
  • Istio Lifecycle Management
  • Security
  • Traffic Management
  • Global Routing & Failover
  • Policy Management
  • Global Service Discovery
  • Multi-tenancy & RBAC
  • Extensibility
  • Multi-cluster Observability
  • Multi-cluster Operations

Feature Comparisons

Compare Gloo Mesh editions and basic open source Istio.


Gloo Mesh Enterprise


Gloo Mesh Open Source


Basic Open Source Istio

TLS/mTLS encryption
Provides end-to-end encryption to protect data in motion between end points
Multi-tenancy and isolation
Lets service meshes share resources securely
Federated trust domains
Safely authenticate users and applications across environments
Federated role-based access control and delegation
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Safe handling of signing cert and Root rotation
Manage and execute SSL certificates from a centralized platform
Multi-cluster observability metrics/graph
Provides complete observability and auditability of all activity across the system
FIPS (140-2) compliant
Validated to meet strict security standards
Secure configuration model for cluster relay
Safely shares configurations across the system
Secrets integration (with Kubernetes & HashiCorp Vault)
Manages sensitive credentials like passwords, tokens, and keys
OIDC/OAuth 2.0 flows
Manages authentication of users and applications
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
External Authentication
Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Multi-cluster dynamic routing
Steers connections on-the-fly to available resources across clusters as needed
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Priority failover routing
Defines in which order alternate resources should receive re-directed traffic in the event of a service outage
No-interruption updates
Rolls out new configurations and policies without requiring restarts or pausing operations
Published SLAs
Provide assurance that issues are responded to in a timely manner
Dynamic scaling to thousands of nodes
Robustly manages regular and unexpected variations and spikes in workloads
Simplified Global-Service Naming
Use consistent naming across all clusters
Health checks
Confirm that the system is operating as expected
Advanced rate limiting
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Distributed tracing (integration with Jaeger)
Facilitates root cause analysis of issues across the system
Multi-cluster security policies
Implement consistently across all environments to avoid exposure or risk of errors
Multi-version compatibility
Enables running different versions of Istio together so you can upgrade at will
Multi-mesh support
Gives you the ability to operate and manage heterogeneous multiple service meshes together
Multi-cluster observability (including Prometheus and Grafana)
Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
Displays system metrics in user-friendly graphs and enables building custom dashboards
Cross-origin resource sharing (CORS)
Sets policies for and pre-verifies which origins are allowed to connect to specified resources
Global service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
Workspace for multi-tenancy
Users can work within their own workspace domain
Simplified API
Makes it easier to configure and use Istio and Envoy Proxy
Long-term version support
Covers releases of Istio and Envoy for at least a year so you can upgrade on your schedule
N-4 version patching & back-porting
Fixes bugs and security issues in current and four previous releases of Istio and Envoy
Expert help on Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Federated multi-cluster operations & policies
Manage, push configurations, and observe across clusters and even hybrid and multi-cloud deployments
Istio lifecycle management
Automated deployment, patching, and upgrades
Global service routing
Directs application connections across any environment for choice and reliability
Locality-aware load balancing
Manages routing of workloads across distributed resources to achieve best performance and results
Support for ARM processors
Operates efficiently on high performance processors for compute
Virtual machines (VMs) support
Easy bootstrapping of VMs to connect with containers and serverless upstream resources
Your choice of cloud & on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Shape, shift, & transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Simple object access protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
Manage applications and operations on-demand
Upstream Istio
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream Envoy Proxy (managed by Istio)
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream GraphQL
Embeds GraphQL querying into Gloo Mesh
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Hybrid and multi-cloud support
Manage services running anywhere
Multi-cluster WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control
Gloo Portal is now included with Gloo Mesh Enterprise

Gloo Mesh Enterprise now includes a multi-cluster, Istio-based developer portal

Gloo Mesh Gateway is now available with Gloo Mesh Enterprise

Gloo Mesh Gateway is an Istio-based API gateway to manage North-South traffic

Gloo GraphQL (coming soon) for Gloo Mesh Enterprise

Query GraphQL APIs using your Gloo Mesh service mesh

Use Cases

Istio service mesh management

Reduce Istio complexity while increasing security, reliability, and observability

Zero trust security

Add comprehensive security controls to your service mesh