• Set up Gloo Mesh
      • Deploy sample apps
      • Set up routing for sample apps
      • Apply a policy and explore the UI
      • Tutorial: Federate clusters and isolate workloads for multitenancy
      • Set up Gloo Mesh
      • Deploy sample apps
      • Apply a policy and explore the UI
      • Gloo Platform products
      • Platform architecture
      • Relay architecture
      • Gloo Mesh overview
      • Benefits
      • API concepts
        • Apply policies
        • Import and export policies
        • Supported policies in Gloo Mesh Enterprise
      • Personas
      • What is a service mesh?
      • What is Istio?
      • Install the meshctl CLI
      • Licensing
      • System requirements
      • Installation options
      • Install with Helm
      • Install with Argo CD
      • Install in air-gapped environments
      • Verify Helm charts
      • Best practices for production
        • About backing databases
        • External auth server
        • Gloo UI
        • Management server
        • Portal server
        • Rate limiter
          • Istio CA overview
            • Setup options
            • Certificate rotation overview
            • Manage the entire Istio CA lifecycle
            • Manage Istio intermediate CAs
            • Integrate with Vault
            • AWS
          • Setup options
          • Certificate rotation overview
          • Insecure setup
            • Self-signed server certificate
            • BYO server certificate
            • Self-signed server certificate with managed client certificates
            • BYO server certificate with managed client certificate
              • OpenSSL
              • AWS
              • Vault
      • Control user access to Gloo resources
        • About onboarding external workloads
        • AWS instances
        • Azure instances
        • GCP instances
        • On-prem instances
      • High availability and disaster recovery
        • Set up multitenancy with workspaces
          • Overview
          • Workspace configuration
          • Import and export resources across workspaces
          • Workspaces as service discovery boundaries
          • Persona-driven workspace setup
    • Upgrade
    • Uninstall
    • Service mesh options
      • Overview
      • Supported Solo distributions of Istio
      • Deploy Gloo-managed service meshes
      • Upgrade Gloo-managed service meshes
      • Take over existing Istio installations
    • Install Istio with EKS add-on
      • Best practices for Istio in prod
      • Manually deploy Istio
      • Upgrade Istio
      • Switch from unmanaged to managed Istio installations
      • Routing overview
      • Intra-mesh routing
      • Multicluster routing
      • Routing to external services
      • Federated services
        • Route table delegation
        • Route label inheritance
        • Route matcher inheritance
        • Route policy attachment
        • Route table failure modes
      • URI path matching
      • Header matching
      • Query parameter matching
      • HTTP method matching
      • Route within or across clusters
        • Route to an external service directly
        • Create internal DNS entries for external endpoints
        • Block egress traffic with an egress gateway
      • Additional route settings
    • Direct response
    • Redirects and rewrites
    • Route delegation
    • GraphQL
    • Header manipulation
    • Load balancing and consistent hashing
    • Mirroring
    • Transformation
      • Security overview
      • Gloo components
      • Service mesh traffic
      • User access
      • Applications
      • Underlying infrastructure
    • Access policy
    • CORS
      • About
      • External auth server setup
      • Basic external auth policy
      • API keys
      • LDAP
        • About
        • OPA with Rego rules in config maps
        • OPA server as a sidecar
        • Bring your own OPA server
        • API key and OPA
      • About
      • Basic JWT example
      • JWT for mesh routes
      • Multiple JWT providers
      • JWT claim- and scope-based auth
      • About
      • Rate limit server setup
      • Basic rate limit policy
      • More rate limit policy examples
    • Adaptive request concurrency
    • Connection pool settings for HTTP
    • Failover
    • Fault injection
    • Outlier detection
    • Retry and timeout
    • TCP connection
      • About
      • Trim proxy config policy
      • Trim proxy in workspace settings
    • About the telemetry pipeline
      • Overview
        • Overview
        • Explore the UI
        • Configure the UI for HTTPS
        • Connect the Gloo UI to OpenShift Prometheus
          • Overview
          • External auth with Google
          • External auth with Dex
          • External auth with Okta
          • OIDC settings in Helm
          • RBAC for resources in the UI
        • Overview
        • Sample PromQL queries
        • Metrics
        • Alerts
        • Customization options
        • Overview
        • Set up and access Grafana
        • Import the operations dashboard
        • Import the OPA dashboard
      • Jaeger
      • Istio access logs
      • Add Istio request traces
      • Collect compute instance metadata
      • Forward metrics to Datadog
      • Forward metrics to OpenShift
      • Gloo Mesh Enterprise versions
      • Open Source attribution
      • Feature gates
      • Release notes
      • Gloo Mesh Enterprise changelog
      • Solo distribution of Istio changelog
      • Overview
      • AccessLogPolicy
      • AccessPolicy
      • ActiveHealthCheckPolicy
      • AdaptiveRequestConcurrencyPolicy
      • ApiDoc
      • ApiSchemaDiscovery
      • ApprovalState
      • AuthConfig
      • CaOptions
      • Clientmode
      • ClientTlsPolicy
      • CloudProvider
      • CloudProviderOptions
      • CloudResources
      • ConnectionPolicy
      • Core
      • CorsPolicy
      • CsrfPolicy
      • Cue
      • Dashboard
      • DlpPolicy
      • EnforcementLayers
      • ExtAuthPolicy
      • ExtAuthServer
      • ExternalEndpoint
      • ExternalService
      • ExternalWorkload
      • FailoverPolicy
      • FaultInjectionPolicy
      • GatewayLifecycleManager
      • GraphQLAllowedQueryPolicy
      • GraphQLPersistedQueryCachePolicy
      • GraphQLResolverMap
      • GraphQLSchema
      • GraphQLStitchedSchema
      • HeaderManipulation
      • HttpBufferPolicy
      • HttpMatchers
      • InsightsConfig
      • InternalAdmin
      • IstioLifecycleManager
      • IstioOperator
      • JwtPolicy
      • K8SReports
      • Keepalive
      • KubernetesCluster
      • ListenerConnectionPolicy
      • LoadBalancerPolicy
      • Locality
      • MirrorPolicy
      • OutlierDetectionPolicy
      • Phase
      • Port
      • Portal
      • PortalGroup
      • ProxyProtocolPolicy
      • Ratelimit
      • RatelimitClientConfig
      • RatelimitPolicy
      • RatelimitServerConfig
      • RatelimitServerSettings
      • Ref
      • References
      • RetryTimeoutPolicy
      • RootTrustPolicy
      • RouteTable
      • Selectors
      • SoloKit
      • Status
      • StringMatch
      • TcpMatchers
      • TlsMatchers
      • TransformationPolicy
      • TrimProxyConfigPolicy
      • VaultCa
      • VirtualDestination
      • VirtualGateway
      • WafPolicy
      • Workspace
      • WorkspaceSettings
      • Helm chart overview
      • Gloo Platform
      • Gloo Platform CRDs
      • meshctl
      • meshctl check
      • meshctl check server
      • meshctl cluster
      • meshctl cluster deregister
      • meshctl cluster list
      • meshctl cluster register
      • meshctl dashboard
      • meshctl debug
      • meshctl debug report
      • meshctl experimental
      • meshctl experimental dump-reports
      • meshctl experimental switch-active
      • meshctl external-workload
      • meshctl external-workload bug-report
      • meshctl external-workload generate-token
      • meshctl external-workload install
      • meshctl external-workload onboard
      • meshctl external-workload uninstall
      • meshctl generate
      • meshctl generate graphql
      • meshctl generate graphql grpc
      • meshctl install
      • meshctl license
      • meshctl license check
      • meshctl logs
      • meshctl migrate
      • meshctl migrate helm
      • meshctl migrate helm-values
      • meshctl precheck
      • meshctl proxy
      • meshctl uninstall
      • meshctl version
      • CVE lifecycle handling
      • Security and CVE scan results
    • Gloo Mesh scalability
    • Gloo component permissions
    • General debugging
      • Management server and relay connection
      • Add-ons
      • Agent
      • Custom resources
      • Observability pipeline
      • Policies
      • Redis
      • Routes
      • UI graph
      • ELB health checks in AWS fail
      • Istio gateway installation times out
      • Istio
      • Istio and gateway lifecycle manager
      • Knative
      • Bookinfo apps pending
      • Ephemeral containers
    • About Solo Support
    • Submit a request
    • Add support information
  • open_in_new Gloo Mesh Gateway
    • main
    • 2.6 (latest)
    • 2.5
    • 2.4
    • 2.3
    • GitHub
    • Twitter / X
  • to navigate
  • to select
  • to close
    • Home
    • Security
    On this page

    Security

    Use Gloo policies to secure the traffic within your service mesh environment.

    article

    Concepts

    Learn about how to secure your service mesh.

    article

    Access policy

    Control access for workloads in your service mesh.

    article

    CORS

    Specify external domains that can access your routes with cross-origin resource sharing.

    article

    External authentication and authorization

    Set up an external authentication, such as basic, passthrough, API key, OAuth, OPA, or LDAP.

    article

    JWT

    Control access or route traffic based on verified claims in a JSON web token (JWT).

    article

    Rate limiting

    Control the rate of requests to destinations within the service mesh.

    Solo.io copyright 2024