Gloo Network

Enterprise Cilium CNI networking for Kubernetes and Istio Service Mesh

Gloo Network enables robust eBPF networking, packet filtering and observability.

The Advantages of Cilium-based CNI for Networking

Gloo Network enables Enterprise Cilium-based CNI for Kubernetes and Istio Service Mesh environments. Cilium is open source, cloud-native software for providing, securing and observing network connectivity between container workloads, fueled by the revolutionary kernel technology eBPF.

Gloo Network can be deployed separately as a Kubernetes CNI, with Enterprise support. It can also be deployed to complement Gloo Mesh, providing enhanced network filtering and observability. Gloo Mesh also extends multi-tenancy to Gloo Network through Gloo Mesh Workspaces.

Cilium Networking in Gloo Network and Gloo Mesh

Gloo Network provides a powerful Cilium CNI (based on eBPF technology) for Kubernetes clusters. This enables companies to leverage powerful network filtering and observability either at the Kubernetes layer, or as part of a broader service mesh, application networking architecture.

Integrated Application Networking throughout the entire stack.

The overall Gloo Platform provides a pluggable batteries-included-but-swappable architecture. This allows companies to deploy Gloo Network as a standalone CNI, or to integrate it with the Istio service mesh in Gloo Mesh.

Gloo Network and Cilium

The next generation of cloud-native Application Networking

With the addition of Gloo Network, the Gloo Platform now provides Istio, Envoy Proxy, Cilium, eBPF and Kubernetes CNI in one integrated platform. These technologies make up the next generation of cloud-native application networking.

These integrated technologies provide high-performance networking, zero-trust security, advanced observability for microservice applications, and multi-tenancy isolation of critical workloads.

Pluggable CNI (Container Network Interface) architecture

Gloo Network enables Enterprise support for Cilium CNI, as well as integration into Kubernetes platforms. The pluggable architecture of Gloo Platform allows companies to begin with Gloo Network as a CNI, or integrate it with the other elements of Gloo Platform, such as Gloo Mesh and Gloo Gateway. This powerful architecture allows a company to start small, and be future-proofed as their cloud-native journey evolves and grows.

Feature Comparisons

Compare Gloo Network and open source Cilium CNI

Gloo Edge Enterprise

Cilium

Transport layer security (TLS and mTLS)
Provides end-to-end encryption to protect data in motion between end points
Secrets (with Kubernetes and HashiCorp Vault)
Manages sensitive credentials like passwords, tokens, and keys
Access logging (with redaction) & usage stats
Provides complete observability and auditability of all activity across the system
Built-in web application firewall (WAF)
Open source ModSecurity screens traffic for threats and stops attacks
Data loss prevention (DLP)
Monitors for data breaches or exfiltration to prevent data loss and data leaks
Extensible authentication
Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
Federated role-based access control
Grants permissions to users appropriate to their responsibility and applies them consistently everywhere
Open Policy Agent (OPA) for authorization
Defines service API policies as code
Vulnerability scanning and publications
Finds, addresses, and alerts on weaknesses in the system
Dynamic routing for HTTP, TCP, gRPC
Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic
Quotas
Set limits on application traffic to meet desired workloads
Health checks
Confirm that the system is operating as expected
Retries, circuit breaker, timeouts
Handle exceptions and issues in connections gracefully
Advanced rate limiting (metrics, server config, rate limit config)
Define custom policies to handle more complex situations
Configuration validation
Makes sure that the system is deployed and defined correctly
Service level agreements (SLAs)
Provide assurance that issues are responded to in a timely manner
Global failover and routing
Redirects application traffic to other resources in the event of an outage
Cross-origin resource sharing (CORS)
Sets policies for and pre-verifies which origins are allowed to connect to specified resources
Prometheus integration
Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation
Grafana integration
Displays system metrics in user-friendly graphs and enables building custom dashboards
Automatic service discovery
Finds and defines upstream resources (applications/microservices) that can be targets for connections
Admin dashboard GUI with multi-cluster views
Gives centralized observability and control of the whole system
Gloo Developer Portal (API mgmt)
Enables publishing, sharing, GitOps calling, and monetization of defined APIs
GraphQL embedded
Run and query GraphQL servers on Gloo Edge
Simplified API
Makes it easier to configure and use Envoy Proxy
Long-term version support
Covers releases of Envoy for at least a year so you can upgrade on your schedule
N-3 version patching and back-porting
Fixes bugs and security issues in current and three previous releases of Envoy
Expert help on Slack
For fast response to all your questions by an active public community and Solo engineers worldwide
Enterprise support
Helps quickly resolve issues in production environments via Slack, email, and phone
Automated, federated traffic mgmt policy configuration
Defines and enforces application connection behavior consistently everywhere
Automated reconcile of policy changes
Verifies and applies new configurations and policies
Your choice of cloud and on-premises environments
Lets you run consistently anywhere you choose to operate your applications
Serverless functions integration
Enables connections to AWS Lambda alongside containers and other upstream resources
Virtual machines (VMs) support
Easy bootstrapping of VMs to connect with containers and serverless upstream resources
Shape, shift, and transform traffic
To define exactly how you want requests to be processed and presented, and connect to diverse protocols
Federated multi-cluster operations and policies
Manage and observe across clusters and even hybrid and multi-cloud deployments
Simple object access protocol (SOAP) transforms
Tie in XML messaging protocols for legacy applications
A/B testing with Flagger integrations
Customize how you test application updates as canaries with a specified slice of inbound connections
Limited
WebAssembly (Wasm)
Provides the ability to define extensible custom filters for security and control
Kubernetes-native
Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs)
Schema in Gloo Edge CRDs
Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer
Helm usability improvements
Define your applications and configuration, including node affinity with the desired resource characteristics
Envoy Proxy-based
Enhances the popular open source project as a solid foundation for future-proof innovation
Upstream GraphQL
Embeds GraphQL querying into Gloo Edge

Use Cases