Traffic processing
With Gloo Gateway, you can configure the gateway listener along with custom Envoy filters to process the traffic that enters into and out of your environment. By mutating requests to and responses from your upstream services, you can decouple and scale your services more dynamically.
For an overview of gateway, virtual service, and upstream configurations, see Traffic management.
Types of request processing
Review the following types of request processing that you can do, and see the linked guides for more configuration details.
Transformations
Transformations can be applied to VirtualHosts, Routes, and WeightedDestinations parts of a Gloo Gateway Virtual Service custom resource. Example transformations include the following.
- Change the response status coming from an Upstream service.
- Add headers to the body of a request.
- Add custom attributes for your access logs.
For example steps, see the Transformation guides.
Direct response and redirects
Not all requests should be sent to an Upstream destination. Review the following situations in which you might use a direct response or redirect.
- You want to redirect the response to another website (Host Redirect) or to another Virtual Service in Gloo Gateway.
- You want to redirect clients that request the HTTP version of a service to the HTTPS version instead.
- You want to return a direct response from the Virtual Service to the client’s request, such as a
404 not found
error message.
Faults
Faults are a way to test the resilience of your services by injecting faults (errors and delays) into a percentage of your requests. Gloo Gateway can do this automatically by following this guide.
Timeouts and retries
Gloo Gateway will attempt to send requests to the proper Upstream, but there may be times when that Upstream service is unable to handle additional requests. The timeout
and retry
portions of the options
section for a route define how long to wait for a response from the Upstream service and what type of retry strategy should be used.
options:
timeout: '20s'
retries:
retryOn: 'connect-failure'
numRetries: 3
perTryTimeout: '5s'
More information about configuring the timeout and retry can be found in their respective guides.
Traffic shadowing
You can control the rollout of changes using canary releases or blue-green deployments with Upstream Groups. The downside to using either feature is that your are working with live traffic. Real clients are consuming the new version of your service, with potentially negative consequences. An alternative is to shadow the client traffic to your new release, while still processing the original request normally. Traffic shadowing makes a copy of an incoming request and sends it out-of-band to the new version of your service, without altering the original request.
Inheritance rules
In general, options that you set in a parent object are inherited by a child object. Then, the child has both its own options and those of its parent appended. If the option in the child and parent conflict, the child option takes precedence and overwrites the parent option. You can change this behavior by setting the inheritTransformation
option to false
in the children objects.
Examples of parent and child objects:
- VirtualHost parent object options append to children objects like Routes and WeightedDestinations
- Route parent object options append to children objects like WeightedDestinations
For examples of inherited options, see the following guides:
Filter flow
The order that Envoy applies filters to traffic impacts how you configure your Gloo Gateway resources. Review the following video and diagrams to understand the filter flow in Gloo Gateway.
For more information on configuring traffic filters, see the Transformation guides.
Video overview of the filter flow
Filter flow description
Review the following diagram of how Gloo Gateway filters traffic, depending on what you configure. Notes on the filter policies that you can configure:
- The filters are applied in the order that is shown in the diagram. For example, if you apply both CORS and DLP security filters, a request is processed for CORS first, and then DLP. You cannot change the order.
- If you add a policy at both the
VirtualService
andRoute
levels, theRoute
policy takes precedence.
- External auth: When you enable the external authorization and authentication service in Gloo Gateway Enterprise, you can secure access to your apps with authentication tools like OIDC, API keys, OAuth2, or OPA. External auth is used to organize the flow in this diagram so that you can quickly see how traffic can be manipulated before or after requiring the client to log in. For more information, see Authentication and authorization.
- Before or after external auth: You can configure several traffic filters either before, after, or both before and after a client request is authorized.
- JWT: You can verify a JSON web token (JWT) signature, check the claims, and add them to new headers. To set JWT before and/or after external auth, use the
JwtStaged
setting. For more information, see JWT and access control. - Transformation: Apply transformation templates to the header or body request. If the body is a JSON payload, you can also extract values from it. The
clearRouteCache
setting clears the route that was initially selected by the HTTP connection manager, with the final route selected when the request reaches the Router filter. To set transformations before and/or after external auth, use thestagedTransformation
setting. For more information, see Transformations. - Rate limiting: Rate limiting can take place before or after external auth. You can use the
SetStyle
API to build complex rules for rate limiting. For more information, see Rate limiting.
- JWT: You can verify a JSON web token (JWT) signature, check the claims, and add them to new headers. To set JWT before and/or after external auth, use the
- Filters only before external auth: Review the information about other filters that you can apply only before external auth.
- Fault: See the Faults guide.
- CORS: See the Cross-origin resources sharing security guide.
- DLP: See the Data loss prevention security guide.
- WAF: See the Web application firewall security guide.
- Sanitize
- Filters only after external auth: Review the information about other filters that you can apply only after external auth.
- RBAC: Note that the RBAC filter requires the
JwtStaged
filter. See the RBAC proto reference. - gRPC-web: See the gRPC web guide.
- CSRF: See the Cross-site request forgery security guide.
- RBAC: Note that the RBAC filter requires the
- Router: With the router filter, you can configure many different settings before the request reaches your upstream service, such as the following. For more information, see the route proto reference.
- Add or remove request headers
- Add or remove response headers
- Set upstream timeouts
- Rewrite prefixes
- Automatically rewrite hosts
- Rewrite with regular expressions (regex)
- Retry policies
- Detect outliers
- Shadow or mirror requests