About Gloo Gateway

Gloo Gateway is a feature-rich, fast, and flexible Kubernetes-native ingress controller and next-generation API gateway that is built on top of Envoy proxy. An API Gateway is a reverse proxy that serves as a security barrier between your clients and the microservices that make up your app. In order to access a microservice, all clients must send a request to the API Gateway. The API Gateway then verifies and routes the request to the microservice.

To let you set up and leverage advanced routing, traffic management, security, resiliency, and integration capabilities, you can choose to run a Gloo Gateway proxy with one of the following APIs: the Kubernetes Gateway API with custom Gloo Gateway extensions or the Gloo Edge API. The Gloo Gateway control plane can process custom resource requests from both APIs and translate these resources into valid Envoy configuration that the Envoy proxies can pick up and apply.

Because of that, Gloo Gateway gives you the flexibility to run both Kubernetes Gateway API and Gloo Edge API Envoy proxies in your environment at the same time so that you can customize your API gateway to the needs of your app and organization. Keep in mind that you can only have one installation of Gloo Gateway with the Kubernetes Gateway API at a time. Installing the product twice causes required cluster-scoped Kubernetes resources, such as GatewayClass, to fail. You can still create multiple Gateway resources to configure HTTP and HTTPS listeners on Gloo Gateway.

Figure: Gloo Gateway architecture

K8s Gateway API

Gloo Gateway is fully conformant with the Kubernetes Gateway API and extends its functionality with Solo’s custom Gateway APIs, such as RouteOption, VirtualHostOption, Upstreams, RateLimitConfig, or AuthConfig. These resources help to centrally configure routing, security, and resiliency rules for a specific component, such as a host, route, or gateway listener.

The following image shows the extensions that Gloo Gateway provides on top of the Kubernetes Gateway API:

The capabilities that you can leverage in your API Gateway, such as applying the following features to a host or route, depend on the Gloo Gateway edition that you install:

Gloo Edge API

Resource translation

The following image shows how the Gloo Gateway components interact with the Kubernetes Gateway API to configure the Gloo Gateway Envoy proxy.

Figure: Gloo Gateway resource translation process
  1. The config watcher component in the gloo pod watches the cluster for new Kubernetes Gateway API resources, such as gateways and HTTP routes.
  2. When the config watcher detects new or updated Kubernetes Gateway API resources, it sends the Kubernetes configuration to the Gloo Gateway translation engine.
  3. The translation engine translates Kubernetes Gateway API resources into Envoy configuration. All Envoy configuration is consolidated into an xDS snapshot.
  4. The reporter receives a status report for every Kubernetes Gateway API resource that is processed by the translator.
  5. The reporter writes the resource status back to the Kubernetes Gateway API.
  6. The xDS snapshot is provided to the Gloo xDS server.
  7. Proxies in the cluster pull the latest Envoy configuration from the Gloo xDS server.
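Steps 4 and 5 mean that the status on each Kubernetes Gateway API resource is the record of whether translation succeeded. The following added example (not part of the Gloo Gateway documentation) reads HTTPRoute objects in the shape returned by `kubectl get httproute -A -o json` and lists routes whose reported status is missing, stale, or not `True`. The function names, the `demo` namespace, the `http` gateway name, and the sample routes are constructed for illustration.

```python
REQUIRED = ("Accepted", "ResolvedRefs")  # standard Gateway API route condition types

def route_findings(route_list):
    """Return (route, parent gateway, problem) tuples for HTTPRoutes that need attention."""
    findings = []
    for route in route_list.get("items", []):
        meta = route["metadata"]
        name = f'{meta.get("namespace", "default")}/{meta["name"]}'
        generation = meta.get("generation", 0)
        parents = route.get("status", {}).get("parents", [])
        if not parents:  # nothing was written back for this route yet
            findings.append((name, None, "no status reported"))
            continue
        for parent in parents:
            gw = parent.get("parentRef", {}).get("name")
            conds = {c["type"]: c for c in parent.get("conditions", [])}
            for ctype in REQUIRED:
                cond = conds.get(ctype)
                if cond is None:
                    findings.append((name, gw, f"{ctype} missing"))
                elif cond.get("observedGeneration", generation) < generation:
                    # status describes an older spec than the one currently stored
                    findings.append((name, gw, f"{ctype} stale"))
                elif cond.get("status") != "True":
                    findings.append((name, gw, f'{ctype}={cond.get("status")} ({cond.get("reason")})'))
    return findings

def _sample_route(name, generation, conditions):
    """Build a constructed HTTPRoute; conditions are (type, status, reason, observedGeneration)."""
    parents = [{"parentRef": {"name": "http"},
                "conditions": [{"type": t, "status": s, "reason": r, "observedGeneration": g}
                               for t, s, r, g in conditions]}] if conditions else []
    return {"metadata": {"name": name, "namespace": "demo", "generation": generation},
            "status": {"parents": parents}}

# Constructed sample input, not output from a real cluster
SAMPLE = {"items": [
    _sample_route("ok", 1, [("Accepted", "True", "Accepted", 1), ("ResolvedRefs", "True", "ResolvedRefs", 1)]),
    _sample_route("bad-backend", 1, [("Accepted", "True", "Accepted", 1), ("ResolvedRefs", "False", "BackendNotFound", 1)]),
    _sample_route("edited", 3, [("Accepted", "True", "Accepted", 2), ("ResolvedRefs", "True", "ResolvedRefs", 2)]),
    _sample_route("unprocessed", 1, []),
]}

if __name__ == "__main__":
    for finding in route_findings(SAMPLE):
        print(finding)
```

A route that is stale or has no status has not been confirmed by the reporter for its current spec, so the proxies may still be serving the previous configuration for it.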

Default gateway proxy setup

Gloo Gateway automatically spins up, bootstraps, and manages gateway proxy deployments when you create a Kubernetes Gateway resource. To do that, Gloo Gateway uses a combination of Gloo Gateway and Kubernetes resources, such as GatewayClass, GatewayParameters, Settings, and a gateway proxy template that includes the Envoy configuration that each proxy is bootstrapped with.

To learn more about the default setup and how these resources interact with each other, see the Default gateway proxy setup.