Comprehensive Istio and Envoy lifecycle management including installation/upgrade, inventory, and health checks for greenfield and brownfield environments.

• Enhanced distributions of upstream open-source Istio and Envoy Proxy
  • Easy deployment, upgrade, and patching via Kubernetes tooling
  • ARM processor support
• Simplified, centralized Istio and Envoy management
  • Easy deployment via Kubernetes tooling
  • CI/CD and GitOps-friendly deployments via Custom Resource Definitions (CRDs)
  • Seamlessly and safely upgrade your environment with no-interruption upgrades and policy changes
  • Simple mapping between Gloo Mesh and generated Istio resources
• Production Support
  • N-4 version long term support (LTS)
  • N-4 version backporting of patches and security fixes
  • SLAs for vulnerability fixes in Istio across all supported versions

Discover, connect, secure, encrypt, observe and troubleshoot application traffic within clusters, across clusters, clouds and hybrid-cloud environments from a single management plane.

• Automated service discovery for applications/resources
  • Global portal with self-service API catalog and management
• Global traffic routing, load balancing, and locality-aware failover
  • Global service naming
  • Intelligent/context-aware routing to optimize
  • Federated cross-cluster policies, config, and awareness
• Multi-mesh observability with aggregated metrics
  • Seamless experience for managing from one cluster to many, consistently for East/West and North/South traffic
  • Interactive, centralized admin dashboard showing flow of traffic, latency and speed
  • Easy integration with Prometheus, Grafana, and other popular tools
  • Distributes data and metrics to each applicable cluster
• Works with all major environments
  • Hybrid workloads: cloud-native, VMs and legacy applications
  • AWS, Azure, Google, Red Hat, VMware, and on-premises

Create self-service ‘workspaces’ by delegating ownership of service mesh API access, configuration, and policy to different roles including developers, SREs, operations, and sys admins.

• Users can work within their own workspace domain
  • Teams can explicitly share services with other workspaces
  • Abstracts away the complexity of multi-cluster configuration
  • Browse a service catalog listing other teams’ shared services
  • Configure defaults and permissions for teams and users
• Enable agility without sacrificing control by delegating API access, configuration, and policy to different roles
  • Create team-centric operations consoles
  • Control access with role-based access control (RBAC)
  • Create team workspaces (workspaces-as-a-service)
• GitOps workflows and CI/CD integration
  • CRD driven and works flawlessly with existing GitOps processes
  • Tie-into your GitOps approval process, including rollback and delegation
  • Enhanced observability, distributed tracing, and debugging
• Self-service developer portal for publishing, sharing, and tracking APIs
  • Empower development teams to manage and share their APIs
  • Catalog, publish, and securely share APIs via a self-service portal
  • Communicatie authentication/authorization, usage plans and policies
  • CRD-driven, no database required
  • Track API usage for show-back and charge-back

Easily implement a Zero Trust security model across all your application traffic patterns — ingress (external client to the application), in-cluster (service-to-service), and egress (application to external client)

• Unified security controls for consistent organization-wide enforcement
  • Fine-grained point-to-point security
• Identity and access management for users, applications, and microservices
  • Extensible authentication and authorization
  • Plugins with OAuth, etc.
• Comprehensive security built-in
  • Encrypted communications with mutual transport-layer security (mTLS)
  • Certificate management and rotation for mTLS, encryption, and authentication
  • Web application firewall (WAF) based on ModSecurity
  • Data loss prevention (DLP) filters
  • FIPS 140-2 ready builds

Enable a new sidecar-less data plane for Istio, Ambient Service Mesh. Reduce costs, simplify operations, and improve application performance. Fully-compatible with existing Istio sidecar-proxy architecture.

• Zero-Trust Security for Layer 4 or Layer 7
  • mTLS, Identity, and Advanced Filters
• Flexible per-node Proxy (zTunnel) reduces overall costs by up to 90%
  • Reduces compute and memory cost per node
  • Simplifies Envoy Proxy deployments within the mesh
• Removing the sidecar proxy improves operations
  • Simplifies deployments and upgrades

Customize APIs with out-of-the-box extensions, create custom filters and protocol transformations or utilize pre-built integrations.

• Pre-built support for external authentication (OIDC/OAuth), API Key, LDAP, and OPA Auth
• Tailor pre-built filters for Web Application Firewall (WAF), Data Loss Prevention (DLP) and Request and Response Transition
• Integrated WebAssembly support enables customization of Envoy proxies with custom filters written in any language
  • Build custom filters using multiple languages
  • Dynamically update Envoy without restarts
  • Comprehensive process to build, push, share APIs with WebAssembly Hub
• Connect to legacy applications via SOAP/XSLT
  • Use XSLT (Extensible Stylesheet Language Transformations) to modernize SOAP/XML clients and endpoints
  • Utilizes high performance architecture with XSLT engine embedded into Envoy
• Easily Bootstrap VMs into your service mesh for legacy application support
• gRPC - Define, connect, and scale services across platforms
• Support for serverless functions
  • Integrate containerized applications and AWS Lambda