Supported features

Review the features that are supported for ambient mesh workloads in the current Gloo Mesh release.

Gloo features

Gloo feature Supported/ coming soon Description
Single cluster setup Set up the Gloo components and enable the Gloo Mesh Enterprise agent in a single cluster.
Multi-cluster setup Coming soon Set up an ambient mesh that spreads multiple clusters, and use Gloo to centrally manage the multi-cluster, multi-mesh setup.
Central management with Gloo Leverage the full Gloo Platform stack, including central management with the Gloo management server, built-in Prometheus metrics, observability via the Gloo UI, and access to various traffic policies to protect the apps in your cluster.
Waypoint proxy lifecycle management and customization A waypoint proxy is automatically created when you create a Gloo route table for traffic between your apps or an L7 traffic policy, such as a fault injection policy, and apply it to an ambient workload in your cluster. You can optionally override the default waypoint proxy specification in Gloo Mesh to create multiple waypoint proxy replicas by default.
Gloo UI Monitor the traffic between ambient workloads, and review workspace, networking, and policy configurations with the Gloo UI.
Service isolation with workspaces Enable service isolation for Kubernetes services that belong to the same Gloo workspace.
Workspace federation Coming soon Allow services in different clusters to communicate with each other by enabling workspace federation.
Sidecar to sidecarless (and vice versa) Coming soon Run ambient and non-ambient workloads in the same cluster, and allow these workloads to communicate with each other.

Routing options

Routing option Supported/ coming soon Description
Direct response Instead of routing a request to the target app, you send back a direct response to clients.
Header matching Define a set of headers that requests must match to be routed in the ambient mesh.
Query parameter matching Define the query parameters that requests must match to be routed in the ambient mesh.
HTTP method matching Define the HTTP method that requests must match to be routed in the ambient mesh.
URI path matching Define the path that requests must match to be routed in the ambient mesh.
Host redirect Redirect requests to another host.
Path redirect Redirect requests to another path.
Host rewrite Overwrite the host value before forwarding the request to the target app.
Path rewrite Overwrite the path value before forwarding the request to the target app.
Route to Kubernetes services Route requests within your ambient mesh.
Route to virtual destinations Coming soon Expose apps within the mesh under an internal hostname, and use this hostname to send requests to apps across clusters.
Route to external services Coming soon Route requests from ambient workloads to endpoints that are located outside the ambient mesh.
Route traffic to delegated route table Coming soon Delegate incoming traffic for an app to another Gloo route table.

Gloo policies

The order in which policies are applied in an ambient mesh differs from the order they are applied in a service mesh that is based on the Istio sidecar architecture. In particular, the failover and outlier detection policies are applied before traffic policies are applied, such as fault injection, timeouts, or retries.

Policy Supported/ coming soon Description
Header manipulation Add or remove request and response headers before forwarding the request or response.
Fault injection Inject delays or connection failures in to your apps to test app resiliency.
Mirroring Send a copy of live traffic to a mirrored service.
Timeout Specify the time an app can be unresponsive before it is considered unhealthy.
Retry Specify the number of times a Gloo Mesh tries to connect to an unresponsive app before it is removed from the load balancing pool.
CORS Enforce client-site access controls with cross-origin resource sharing (CORS).
Access Control access to a Kubernetes service in your ambient mesh.
Outlier detection Detect unhealthy apps and temporarily remove them from the load balancing pool.
Failover Define where to reroute traffic in case of a failure.
CSRF (✅) Only with Gloo Gateway license: Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license.
External auth (✅) Only with Gloo Gateway license: Set up external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license.
Rate limiting (✅) Only with Gloo Gateway license: Control the rate of requests to destinations in the ambient mesh. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license.
Access logs Coming soon Configure how access logs are recorded for your services.
JWT Coming soon Control access or route traffic based on verified claims in a JSON web token (JWT).
Transformation Coming soon Alter a request before matching and routing, such as with an Inja header template.
TCP connection Coming soon Set up connection pool settings such as keepalive for TCP protocols.
Wasm Coming soon Apply WebAssembly filters to requests before forwarding them to the target app.
WAF Coming soon Filter, monitor, and block potentially harmful HTTP traffic with a Web Application Firewall (WAF) policy.