Control traffic with policies
Use Gloo Gateway policies to control the traffic within your cluster environment. Review the following available policies or learn how to apply policies to your resources.
Resilience policies
Active healthcheck
Use the ingress gateway to periodically check the health of an upstream service in your cluster.
Connection pool settings for HTTP
Use a connection policy to configure connection pool settings for an HTTP destination.
Connection pool settings for TCP
Set up connection pool settings for a TCP destination, such as TCP keepalive.
Fault injection
Test the resilience of your apps by injecting delays and connection failures.
Outlier detection
Configure Gloo to remove unhealthy destinations from the connection pool, and add the destinations back when they become healthy again.
Retry and timeout
Reduce transient failures and hanging systems by setting retries and timeouts.
Security policies
Client TLS
Enable TLS origination on your ingress gateway so that you can accept incoming HTTP requests, encrypt them, and forward the requests to services that only accept HTTPS connections.
CORS
Enforce client-site access controls with cross-origin resource sharing (CORS).
CSRF
Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks.
Data Loss Prevention
Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks.
External auth
Set up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.
JWT
Control access or route traffic based on verified claims in a JSON web token (JWT).
WAF
Filter, monitor, and block potentially harmful HTTP traffic with a Web Application Firewall (WAF) policy.
Traffic control policies
Header manipulation
Append or remove HTTP request and response headers at the route level.
HTTP buffer filter
Set the maximum request body size that you want to accept for a particular workload in your cluster.
Listener connection
Configure connection settings between downstream services and a gateway listener.
Load balancer and consistent hash
Specify how you want the ingress gateway to select an upstream service to serve an incoming client request.
Mirror
Duplicate outgoing traffic to test a new app.
Proxy protocol
Preserve connection information such as the client IP address for traffic that goes through your gateway listener.
Rate limit
Control the rate of requests to a destination or route.
Transformation
Alter a request before matching and routing, such as with an Inja header template.
Gloo Mesh service mesh workload policies
You can use the following policies to log or control traffic to service mesh workloads in east-west scenarios.
To use this feature, you must have a Gloo Mesh license in addition to your Gloo Gateway license.
Access
Control access for workloads in your service mesh environment.
Failover
Use a failover policy to determine where to reroute traffic in case of failure.
Trim proxy config
Trim the number of destinations in the Istio sidecar proxy configuration for your workloads to avoid memory pressure issues.
WebAssembly (Wasm) deployment
Add a Wasm filter to the Envoy sidecar proxy, for use cases such as customizing the endpoints and thresholds for your workloads.
TLS policies
CA cert options
Create a policy for custom CA certificates.Vault
Create a policy for Vault-managed certificates.
