About
Learn about the default Gloo Gateway external auth service.
API gateways act as a control point for the outside world to access the various application services that run in your environment, whether monoliths, microservices, or serverless functions. In microservices or hybrid application architecture, these workloads accept an increasingly large number of requests.
Requests can be anonymous or authenticated. You can use external authentication to establish and validate who the client is, which service the client is requesting, and what authorization the request has.
About the external auth service
Gloo Gateway includes a deployer that automatically creates the following services to support enterprise security use cases for your Gateways. This way, you do not have to set up and configure your own services in order to use enterprise external auth and rate limiting features of the GlooTrafficPolicy.
| Service | Name | Description |
|---|---|---|
| External authentication | ext-auth-service-<gateway-class-name> | Handle authentication for protected routes and destinations. |
| Rate limiting | rate-limiter-<gateway-class-name> | Set global rate limits for requests to your backend API services. |
RedisĀ®* 1 backing database | gloo-ext-cache-<gateway-class-name> | Provide separate database instances for storing the data for the ext-auth-service and rate-limiter. |
Shared Redis database
The Redis service stores critical operational data for both the external auth and rate limiter services as follows.
External Auth:
- API keys (plain text or hashed)
- Session data and cookies
- OIDC distributed claims
- Portal-generated API keys for end-user authentication
Rate Limiting:
- Unique request keys
- Rate limit counters and associated metadata
Setup modes
You can choose from two setup modes:
- Shared (default): All Gateways that share the same GatewayClass automatically use the same external auth, rate limiter, and Redis services.
- Dedicated (multi-tenant): Use separate GatewayClasses for each team. Then, each team’s Gateway has its own set of ext-auth, rate limiter, and Redis services.
Shared setup (default)
When you first install Gloo Gateway, the system does not immediately deploy the external auth service, rate limiter, or Redis. These services are only provisioned when you create the first Gateway for a GatewayClass. The Redis instance automatically gets created when either an external auth or rate limiting instance is created or enabled in the GatewayParameters.
All Gateways that share the same GatewayClass automatically use the same external auth, rate limiter, and Redis services. This shared deployment model optimizes resource usage while maintaining isolation between different GatewayClasses.
Example steps:
Review the default GatewayClasses.
kubectl get gatewayclassesExample output: Gloo Gateway provides two default GatewayClasses:
gloo-gateway-v2: Standard class for managing Gateway API ingress traffic.gloo-gateway-v2-waypoint: Specialized class for Istio ambient mesh waypoint proxies.
NAME CONTROLLER ACCEPTED AGE gloo-gateway-v2 solo.io/gloo-gateway-v2 True 4h41m gloo-gateway-v2-waypoint solo.io/gloo-gateway-v2 True 4h41mCreate a Gateway that references the default GatewayClass. For example, you might follow along with the Sample app guide to create an
httpGateway.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: http namespace: gloo-system labels: example: httpbin spec: gatewayClassName: gloo-gateway-v2 listeners: - protocol: HTTP port: 8080 name: http allowedRoutes: namespaces: from: All EOFReview the
ext-auth-service,rate-limiter, andgloo-ext-cachedeployments that the deployer automatically creates for you in thegloo-systemnamespace.kubectl get deployments -n gloo-systemExample output:
NAME READY UP-TO-DATE AVAILABLE AGE ext-auth-service-gloo-gateway-v2 1/1 1 1 7m46s gloo-gateway 1/1 1 1 4h45m http 1/1 1 1 7m46s rate-limiter-gloo-gateway-v2 1/1 1 1 7m46s gloo-ext-cache-gloo-gateway-v2 1/1 1 1 7m46sYou can optionally remove the resources that you set up as part of this guide. The external auth, rate limiter, and Redis services are automatically deleted when the Gateway is deleted.
kubectl delete Gateway http -n gloo-system
Dedicated setup (multi-tenant)
If you are using Gloo Gateway in a multi-tenant environment, you can create custom GatewayClasses based off the default GatewayClasses. Then, create a Gateway that refers to the GatewayClass. The deployer automatically creates a separate set of ext-auth, rate limiter, and Redis services in the namespace of the Gateway.
Get the default
gloo-gateway-v2GatewayClass that you can use as the basis for your custom GatewayClass.kubectl get gatewayclass gloo-gateway-v2 -o yamlExample output:
apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: creationTimestamp: "2025-07-28T16:23:10Z" generation: 1 name: gloo-gateway-v2 resourceVersion: "829" uid: 6070687f-c6b9-43d0-b466-4e108bbc6364 spec: controllerName: solo.io/gloo-gateway-v2 description: Standard class for managing Gateway API ingress traffic.Create a custom GatewayClass based on the default GatewayClass. Make sure to use the
solo.io/gloo-gateway-v2controller so that Gloo Gateway manages the Gateway automation for you.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: my-team-gatewayclass spec: controllerName: solo.io/gloo-gateway-v2 description: Custom GatewayClass for my team with isolated services EOFCreate a Gateway that references the custom GatewayClass.
kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-team-gateway namespace: default spec: gatewayClassName: my-team-gatewayclass listeners: - name: http port: 80 protocol: HTTP EOFReview the
ext-auth-service,rate-limiter, andgloo-ext-cachedeployments that the deployer automatically creates for you in thegloo-systemnamespace.kubectl get deployments -n gloo-systemExample output:
NAME READY UP-TO-DATE AVAILABLE AGE ext-auth-service-my-team-gatewayclass 1/1 1 1 7m46s gloo-gateway 1/1 1 1 4h45m http 1/1 1 1 7m46s rate-limiter-my-team-gatewayclass 1/1 1 1 7m46s gloo-ext-cache-my-team-gatewayclass 1/1 1 1 7m46sYou can optionally remove the resources that you set up as part of this guide. The external auth, rate limiter, and Redis services are automatically deleted when the Gateway is deleted.
kubectl delete Gateway my-team-gateway -n default kubectl delete GatewayClass my-team-gatewayclass
Manage the deployments
Manage the ext auth service, rate limiter, and Redis services that the deployer automatically creates for you.
Update resource requests and limits
The default deployments include reasonable resource allocations, as well as Prometheus metrics endpoints and health checks as described in the following table. If you notice performance issues with the external auth or rate limiter services, check the resource usage and adjust as necessary.
| Service | CPU/Memory Requests | CPU/Memory Limits | Default Metrics Port |
|---|---|---|---|
| ext-auth-service | 100m CPU, 128Mi memory | 500m CPU, 256Mi memory | 9091 |
| rate-limiter | 100m CPU, 128Mi memory | 500m CPU, 256Mi memory | 9091 |
| gloo-ext-cache | 256m CPU, 512Mi memory | Not specified, as the resources depend on your usage | N/A |
To change the defaults:
Create a GlooGatewayParameters with your resource requests and limits in the
sharedExtensionssection, such as the following example. For more information, see GlooGatewayParameters API docs.kubectl apply -f- <<EOF apiVersion: gloo.solo.io/v1alpha1 kind: GlooGatewayParameters metadata: name: my-gw-params namespace: gloo-system spec: kube: sharedExtensions: extauth: enabled: true resources: requests: cpu: 200m memory: 256Mi limits: cpu: 750m memory: 512Mi ratelimiter: enabled: true resources: requests: cpu: 200m memory: 256Mi limits: cpu: 750m memory: 512Mi glooExtCache: enabled: true resources: requests: cpu: 256m memory: 512Mi limits: cpu: 1000m memory: 2048Mi EOFUpdate the GatewayClass to use the new GlooGatewayParameters. The following example updates the default
gloo-gateway-v2GatewayClass.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: gloo-gateway-v2 spec: controllerName: solo.io/gloo-gateway-v2 description: Standard class for managing Gateway API ingress traffic. parametersRef: group: gloo.solo.io kind: GlooGatewayParameters name: my-gw-params namespace: gloo-system EOF
The deployer automatically updates the ext-auth-service, rate-limiter, and gloo-ext-cache deployments to use the new resource requests and limits.
Delete the deployments
The deployer will automatically delete the deployments when at least one of the following conditions is met:
- All the Gateways that reference the GatewayClass were deleted.
- The given extension is disabled by setting
spec.kube.sharedExtensions.<extension>.enabledto false in the GlooGatewayParameters. Use caution when disabling an extension as the deployment is deleted, even if a Gateway or GlooTrafficPolicy still uses it.
Disable the deployer
You can disable the deployer for either or both the external auth and rate limiter services. Then, the deployer no longer creates and manages the service for you. You might disable the deployer to prevent teams from deploying their own services automatically when creating a Gateway for a GatewayClass.
Create a GlooGatewayParameters that disables the external auth, rate limiter, or Redis services in the
sharedExtensionssection, such as the following example. For more information, see GlooGatewayParameters API docs.kubectl apply -f- <<EOF apiVersion: gloo.solo.io/v1alpha1 kind: GlooGatewayParameters metadata: name: disable-deployer-gw-params namespace: gloo-system spec: kube: sharedExtensions: extauth: enabled: false ratelimiter: enabled: false glooExtCache: enabled: false EOFUpdate the GatewayClass to use the new GlooGatewayParameters. The following example updates the default
gloo-gateway-v2GatewayClass.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: gloo-gateway-v2 spec: controllerName: solo.io/gloo-gateway-v2 description: Standard class for managing Gateway API ingress traffic. parametersRef: group: gloo.solo.io kind: GlooGatewayParameters name: disable-deployer-gw-params namespace: gloo-system EOFBecause the deployer no longer manages the deployments for you, manually delete any existing
ext-auth-service,rate-limiter, andgloo-ext-cachedeployments that used the GatewayClass.kubectl delete deployments -n gloo-system ext-auth-service-gloo-gateway-v2 kubectl delete deployments -n gloo-system rate-limiter-gloo-gateway-v2 kubectl delete deployments -n gloo-system gloo-ext-cache-gloo-gateway-v2
Set custom timeouts
By default, the external auth service has a timeout of 200ms. Some providers, such as Microsoft EntraID, can take longer to respond to extauth requests. You can increase the timout for your provider by using a GatewayExtension resource.
Follow one of the extauth guides, such as Basic auth, to set up authentication for the httpbin sample app.
Create a GatewayExtension resource with your custom timeout. In this example, you add a request timeout of 500ms to the
ext-auth-service-gloo-gateway-v2extauth service.kubectl apply -f- <<EOF apiVersion: gateway.kgateway.dev/v1alpha1 kind: GatewayExtension metadata: name: extauth-extension namespace: gloo-system spec: type: ExtAuth extAuth: grpcService: requestTimeout: 500ms backendRef: # The default extauth service deployed by Gloo Gateway name: ext-auth-service-gloo-gateway-v2 namespace: gloo-system port: 8083 EOFCreate a GlooTrafficPolicy that references your AuthConfig and the GatewayExtension resource that you created.
kubectl apply -f- <<EOF apiVersion: gloo.solo.io/v1alpha1 kind: GlooTrafficPolicy metadata: name: test-extauth-policy namespace: gloo-system spec: targetRefs: - name: http group: gateway.networking.k8s.io kind: Gateway glooExtAuth: extensionRef: name: extauth-extension namespace: gloo-system authConfigRef: name: basic-auth namespace: gloo-system EOFPort-forward the http Gateway on port 19000.
kubectl port-forward deployment/http -n gloo-system 19000Open the config dump and look for the
extauth_ee/gloo-system/extauth-extensionfilter. Verify that you see the timeout that you set.Example output:
{ "name": "extauth_ee/gloo-system/extauth-extension", "typed_config": { "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz", "grpc_service": { "envoy_grpc": { "cluster_name": "kube_gloo-system_ext-auth-service-gloo-gateway-v2_8083" }, "timeout": "0.500s" }, "status_on_error": { "code": "Forbidden" }, "filter_enabled_metadata": { "filter": "dev.kgateway.disable_ext_auth", "path": [ { "key": "disable" } ], "value": { "bool_match": true }, "invert": true } }, "disabled": true }
*Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Solo.io, Inc. is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Solo.io. ↩︎