Gloo Platform products
With Gloo Platform, you get a suite of tools to consistently and securely manage your L3-L7 network application traffic. Gloo consists of an installable set of platform management tools that you install in a Kubernetes-based cluster via the Gloo CLI (
meshctl) or Helm. Then, you unlock various network management capabilities with product or module licenses, as shown in the following figure.
Shared platform management
When you install Gloo in your cluster, you get several components to provide custom resources, observability, and management capabilities for the product licenses that you have. These components run in your cluster even if you do not add a product license, in which case the components do not report back any data until you start using a product.
You can also choose to install several optional components to extend functionality, such as rate limiting and external authentication servers. Finally, you can use Gloo Platform to manage open source components for your gateway and service mesh, such as Istiod.
For more information about these components, see Platform architecture.
Licensed productsProduct licenses unlock certain capabilities in Gloo Platform.
|Gloo Mesh Gateway is an API gateway based on Envoy and Istio open source technologies. A gateway license unlocks custom resources such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), external auth, and rate limiting. You can enhance your API gateway with additional modules, such as GraphQL, support for routing to AWS Lambdas, and a developer portal. Keep in mind that for internal service mesh traffic management, you need a Gloo Mesh Enterprise license alongside Gloo Mesh Gateway. For example, without a mesh license, you cannot use workload selectors on route tables; route tables without a virtual gateway; or access, access log, failover, or WebAssembly (Wasm) policies.
|Istio, eBPF, Cilium
|Gloo Mesh manages Istio-based service meshes across clusters and infrastructure providers, and secures communication between workloads via mTLS. A mesh license unlocks hardened, FIPS-compliant Istio images with
n-4 version support. You get a simplified management experience for multitenancy, service isolation, federation, and east-west traffic management. Gloo Mesh even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources so that intelligent, multicluster failover works out of the box. You also get Gloo custom resources to manage internal mesh routing, including virtual gateways, route tables, and policies such as external auth and rate limiting. Keep in mind that for advanced ingress routing features, you need a Gloo Mesh Gateway license alongside Gloo Mesh Enterprise. For example, without a gateway license, you cannot use cloud resources or AWS Lambda; advanced listener configuration such as TLS for ingress routes; add-ons such as external auth, rate limiting, or the developer portal for non-mesh ingress use cases; or policies that apply to ingress routes such as Web Application Firewall (WAF).Gloo Mesh also includes support for Solo distributions of Cilium. You can deploy the Cilium CNI to your clusters and use Cilium network policies to allow or drop packages between apps on layer 3 and 4 of the OSI Networking model. Cilium is an open source technology and a highly scalable Kubernetes Container Network Interface (CNI) that provides cloud-native networking connectivity, security, and observability for container-based workloads, such as in Kubernetes and Docker. To provide advanced networking and security controls, Cilium leverages the Linux kernel technology eBPF, and you can even reuse the same access policies for both L3/L4 and L7 access control.
Licensed modulesYou can extend the capabilities of Gloo products with modules. Modules are typically bundled together in the same license as the product license.
|GraphQL is a server-side query language and runtime you can use to expose your APIs as an alternative to REST APIs. GraphQL allows you to request only the data you want and handle any subsequent requests on the server side, saving numerous expensive origin-to-client requests by instead handling requests in your internal network. By building GraphQL capabilties into the Gloo ingress or east-west gateways, Gloo extends GraphQL with route-level networking logic. For example, the gateway might rate limit, authorize, and authenticate requests. To set up GraphQL in your Gloo environment, check out the GraphQL guides in the Gloo Mesh Gateway documentation.