The Advantages of Cilium-based CNI for Networking
Gloo Network enables Enterprise Cilium-based CNI for Kubernetes and Istio Service Mesh environments. Cilium is open source software for providing, securing, and observing network connectivity between container workloads. It is cloud native and fueled by the revolutionary kernel technology eBPF.
Gloo Network can be deployed separately as a Kubernetes CNI, with Enterprise support. It can also be deployed to complement Gloo Mesh, providing enhanced network filtering and observability. Gloo Mesh also extends multi-tenancy to Gloo Network through Gloo Mesh Workspaces.
Cilium Networking in Gloo Network and Gloo Mesh
Gloo Network provides a powerful Cilium CNI (based on eBPF technology) for Kubernetes clusters. This enables companies to leverage powerful network filtering and observability either at the Kubernetes layer, or as part of a broader service mesh, application networking architecture.
Integrated Application Networking throughout the entire stack.
The overall Gloo Platform provides a pluggable batteries-included-but-swappable architecture. This allows companies to deploy Gloo Network as a standalone CNI, or to integrate it with the Istio service mesh in Gloo Mesh.
The next generation of cloud-native Application Networking
With the addition of Gloo Network, the Gloo Platform now provides Istio, Envoy Proxy, Cilium, eBPF and Kubernetes CNI in one integrated platform. These technologies make up the next generation of cloud-native application networking.
These integrated technologies provide high-performance networking, zero-trust security, advanced observability for microservice applications, and multi-tenancy isolation of critical workloads.
Pluggable CNI (container native interface) architecture
Gloo Network enables Enterprise support for Cilium CNI, as well as integration into Kubernetes platforms. The pluggable architecture of Gloo Platform allows companies to begin with Gloo Network as a CNI, or integrate it with the other elements of Gloo Platform, such as Gloo Mesh and Gloo Gateway. This powerful architecture allows a company to start small, and be future-proofed as their cloud-native journey evolves and grows.
Secure

| Feature | Description |
|---|---|
| Transport layer security (TLS and mTLS) | Provides end-to-end encryption to protect data in motion between end points |
| Secrets (with Kubernetes and HashiCorp Vault) | Manages sensitive credentials like passwords, tokens, and keys |
| Access logging (with redaction) & usage stats | Provides complete observability and auditability of all activity across the system |
| Built-in web application firewall (WAF) | Open source ModSecurity screens traffic for threats and stops attacks |
| Data loss prevention (DLP) | Monitors for data breaches or exfiltration to prevent data loss and data leaks |
| Extensible authentication | Integrates with API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services |
| Federated role-based access control | Grants permissions to users appropriate to their responsibility and applies them consistently everywhere |
| Open Policy Agent (OPA) for authorization | Defines service API policies as code |
| Vulnerability scanning and publications | Finds, addresses, and alerts on weaknesses in the system |

Reliable

| Feature | Description |
|---|---|
| Dynamic routing for HTTP, TCP, gRPC | Directs inbound (ingress) and outbound (egress) connections for layer 4 (TCP) and layer 7 (HTTP/S) traffic |
| Quotas | Set limits on application traffic to meet desired workloads |
| Health checks | Confirm that the system is operating as expected |
| Retries, circuit breaker, timeouts | Handle exceptions and issues in connections gracefully |
| Advanced rate limiting (metrics, server config, rate limit config) | Define custom policies to handle more complex situations |
| Configuration validation | Makes sure that the system is deployed and defined correctly |
| Service level agreements (SLAs) | Provide assurance that issues are responded to in a timely manner |
| Global failover and routing | Redirects application traffic to other resources in the event of an outage |

Unified

| Feature | Description |
|---|---|
| Cross-origin resource sharing (CORS) | Sets policies for and pre-verifies which origins are allowed to connect to specified resources |
| Prometheus integration | Collects system metrics for observability to monitor and troubleshoot, and auditing for investigation |
| Grafana integration | Displays system metrics in user-friendly graphs and enables building custom dashboards |
| Automatic service discovery | Finds and defines upstream resources (applications/microservices) that can be targets for connections |
| Admin dashboard GUI with multi-cluster views | Gives centralized observability and control of the whole system |
| Gloo Developer Portal (API mgmt) | Enables publishing, sharing, GitOps calling, and monetization of defined APIs |
| GraphQL embedded | Run and query GraphQL servers on Gloo Edge |

Easy

| Feature | Description |
|---|---|
| Simplified API | Makes it easier to configure and use Envoy Proxy |
| Long-term version support | Covers releases of Envoy for at least a year so you can upgrade on your schedule |
| N-3 version patching and back-porting | Fixes bugs and security issues in current and three previous releases of Envoy |
| Expert help on Slack | For fast response to all your questions by an active public community and Solo engineers worldwide |
| Enterprise support | Helps quickly resolve issues in production environments via Slack, email, and phone |
| Automated, federated traffic mgmt policy configuration | Defines and enforces application connection behavior consistently everywhere |
| Automated reconcile of policy changes | Verifies and applies new configurations and policies |

Comprehensive

| Feature | Description |
|---|---|
| Your choice of cloud and on-premises environments | Lets you run consistently anywhere you choose to operate your applications |
| Serverless functions integration | Enables connections to AWS Lambda alongside containers and other upstream resources |
| Virtual machines (VMs) support | Easy bootstrapping of VMs to connect with containers and serverless upstream resources |
| Shape, shift, and transform traffic | To define exactly how you want requests to be processed and presented, and connect to diverse protocols |
| Federated multi-cluster operations and policies | Manage and observe across clusters and even hybrid and multi-cloud deployments |
| Simple object access protocol (SOAP) transforms | Tie in XML messaging protocols for legacy applications |
| A/B testing with Flagger integrations | Customize how you test application updates as canaries with a specified slice of inbound connections |

Limited

| Feature | Description |
|---|---|
| WebAssembly (Wasm) | Provides the ability to define extensible custom filters for security and control |

Modern & Open

| Feature | Description |
|---|---|
| Kubernetes-native | Designed to operate naturally with K8s containers making it pluggable and leveraging custom resources (CRDs) |
| Schema in Gloo Edge CRDs | Enable the use of schemas to validate CRD functions, required with Kubernetes 1.22 and newer |
| Helm usability improvements | Define your applications and configuration, including node affinity with the desired resource characteristics |
| Envoy Proxy-based | Enhances the popular open source project as a solid foundation for future-proof innovation |
| Upstream GraphQL | Embeds GraphQL querying into Gloo Edge |