Gloo Gateway supports a variety of policies to ensure network resiliency, traffic control, security, and observability for the microservices in your cluster. Flip through the cards to learn about what policies are supported, why you want to use them, and what Gloo resource the policy can be applied to. To see an example policy setup, simply follow the links.
Test the resilience of your apps by injecting delays and connection failures. With fault injections, you intentionally introduce errors, such as a failure of an upstream dependency to see how your app behaves and if it can recover from such an event.
Improve network performance by caching GraphQL queries. The query string and the query's SHA-256 hash that are cached on the GraphQL server side, so that clients can send the query hash instead of the larger query string.
Configure Gloo to remove unhealthy destinations from the connection pool, and add the destinations back when they become healthy again. An outlier can be any upstream app instance that is performing differently than other instances that back the Kubernetes service, Gloo virtual destination, or external service. For example, if an app instance responds with a 5xx HTTP error code most of the time, it is excluded from the Gloo load balancing.
Use retry settings to specify the maximum number of times the gateway proxy can attempt to call a service in the cluster after the initial call failed.
Change the default connection buffer limit that is set for each gateway listener to ensure large requests can be properly sent and received by the gateway.
Duplicate outgoing traffic to test a new app. Mirroring, also referred to as shadowing, can be very useful if you want to send live traffic to a different version of your app to verify the app's behavior or set up canary testing.
Control the rate of requests to a destination or route. With rate limits, you can specify how many requests you want to allow to be passed to a particular service in a certain timeframe. For example, you might want to limit your service to receive only one request per second.
Alter a request before matching and routing, such as with an Inja header template. For example, you might want to add or remove certain headers from the request or response that is routed in your cluster.
Enforce client-site access controls with cross-origin resource sharing (CORS). CORS is a browser mechanism that allows a client web app to access resources that are located outside of a specific domain.
Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks. A cross-site request forgery attack is a web security vulnerability where the attacker induces an authenticated user to perform an unwanted action on a trusted site.
Set up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.
Prevent malicious requests to your GraphQL servers by specifying allowed queries. The GraphQL server returns an error for queries with hashes that are not in the list of allowed hashes.
Enable TLS origination on your ingress gateway so that you can accept incoming HTTP requests, encrypt them, and forward the requests to services that only accept HTTPS connections.
Use a failover policy to determine where to reroute traffic in case of failure. For example, you can set up a failover policy to route traffic from one availability zone or region to another if that zone or region becomes unavailable.