Case Study: Confluent

Confluent has always been at the forefront of real-time data streaming, empowering companies to process massive volumes of data with speed and precision. Born from the creators of Apache Kafka, Confluent now serves as the backbone of mission-critical applications for enterprises worldwide. As the company scaled its cloud-native offerings, the complexity of its internal infrastructure grew—along with the need for a platform that could support secure, compliant, and developer-friendly operations across clusters, teams, and environments.

Enter Taiheng Jin and the platform engineering team, stewards of Confluent’s internal developer experience. Their goal? To build an infrastructure that balances velocity and control, helping engineers ship fast without compromising reliability or security. As Taiheng puts it, "Any downtime or security issue ultimately impacts our customers, so getting this right is critical."

Industry: Software Development

Company Size: 3,000

Headquarters: Mountain View, CA

Product: Gloo Mesh

The Challenge: Scaling Without Sacrificing Security

As Confluent’s services grew in number and geographical reach, managing east-west traffic securely became increasingly difficult. Each team had its own way of managing service-to-service (S2S) communication, and visibility into traffic flows was fragmented. Adding to the pressure: Confluent was expanding into FedRAMP-moderate regions, where FIPS-compliant encryption wasn’t optional—it was mandatory.

The team knew they needed to centralize enforcement of mTLS, gain real-time observability into encryption status, and provide internal teams with tools that wouldn’t get in the way of speed.

“We had grown past the point where scripts and tribal knowledge were enough,” said Taiheng. “We needed a mesh that could scale with us, and one that could keep up with the compliance bar.”

The Solution: Enterprise-Grade Service Mesh

After evaluating options—including open-source Istio and AWS App Mesh—Confluent selected Solo.io’s Gloo Mesh for three core reasons:

- Enterprise-ready security: Gloo Mesh offered out-of-the-box FIPS-compliant builds critical for FedRAMP.

- Community leadership: Solo.io's deep involvement in the Istio project gave Confluent confidence in long-term viability.

- Operational maturity: Lifecycle Manager and built-in observability made it easy to manage dozens of clusters with consistency.

Initial setup was completed quickly, but integrating with Confluent’s internal SPIRE-based workload identity system posed unique challenges. Solo.io’s support team stepped in, helping troubleshoot tricky edge cases and contributing upstream fixes to unblock production rollout. "We got off to a very fast start," said Taiheng, "and when we ran into the harder challenges, Solo.io helped us get through."

Over the next year, the team gradually rolled out Gloo Mesh to more than 100 services across multiple environments, starting in permissive mode and slowly moving to strict mTLS. The rollout wasn’t rushed. Getting it right mattered more than getting it done fast.

The Value for Confluent

Today, every mesh-enabled service at Confluent enforces mTLS by default. Dashboards give teams instant visibility into encryption gaps, allowing them to catch and fix misconfigurations before they become risks. Most importantly, Confluent now has a repeatable, scalable security model that satisfies compliance requirements without slowing down innovation.

Key outcomes include:

- 100% mTLS coverage across all mesh-enabled clusters.

- FIPS-compliant builds that support FedRAMP deployments.

- Real-time encryption visibility, improving internal trust and incident response.

- Standardized rollout patterns, paving the way for progressive delivery.

Next, the platform engineering team is investing heavily in release canaries, testing canaries, and event-based canaries, laying the foundation for safer, faster progressive delivery. The team is also exploring Ambient Mesh as a way to cut sidecar overhead and further reduce complexity in the data plane.

A Platform Built for Progress

For Confluent, Gloo Mesh is a key tool for managing services more effectively. With improved security, observability, and automation, Confluent’s engineers can focus less on infrastructure and more on delivering value to customers.

“We’re here to give engineers the confidence to move fast, safely. Gloo Mesh helped us get there,” said Taiheng.

As Confluent continues to grow and evolve, they do so with a cloud-native backbone built for scale, security, and developer delight, proving that the best infrastructure is the kind you can trust to just work.
