Gloo Mesh Gateway is an abstraction built on Istio's ingress gateway model, which uses an Envoy proxy as the ingress gateway into and out of your multicluster service mesh environment. Gloo Mesh adds powerful multicluster, multimesh capabilities. You use custom resources such as Gloo Mesh virtual gateways, route tables, and policies to simplify configuring ingress traffic rules. You can even reuse the same external auth, rate limiting, and policies as for your east-west traffic. Because these resources offer declarative, API-driven configuration, you can easily integrate Gloo Mesh Gateway into your existing GitOps and CI/CD workflows.
With Gloo Mesh Gateway, you get a Layer 7 load-balancing solution that is built on open source projects. Envoy is a graduated CNCF project, and Istio recently applied to join the CNCF. Solo is a leader within both of these communities and can help you get the most value out of your investment in open source technology. With this open source foundation, you can configure a portable, vendor-neutral solution across cloud providers.
Furthermore, Gloo Mesh Gateway completely integrates with your multicluster service mesh environment from Day 1. You can use the same ingress gateway for multiple clusters and domains. By using the virtual gateway resource, you can configure Istio ingress gateways across clusters and namespaces in your Gloo Mesh workspace. Such support enables you to set up advanced resiliency scenarios, such as locality-based routing and traffic failover.
Gloo Mesh Gateway even lets you add services and functions that are external to your cluster environment to the mesh. For example, you might onboard a VM to the service mesh, or create external services and endpoints that refer to a database that runs in an on-prem machine.
Gloo Mesh Gateway works with a suite of Gloo Mesh policies for advanced traffic management that is essential for your distributed, cloud-native apps. Highlights of these policies include the following benefits:
- Upgrading services through canary deployments that can shift traffic to different versions based on a customizable percentage.
- Mirroring, or copying, requests to a “shadow” environment so that you can test upgrades before rolling out to production.
- Adding resiliency to your apps with timeouts, retries, and circuit breaking.
- Injecting faults to simulate abnormal conditions and perform stress tests of your apps.
- Transforming requests in a number of different ways, from simple HTTP redirects or prefix rewrites, to more advanced header and body manipulations for identity-based routing.
The policy “filters” that you can use with Gloo Mesh Gateway are highly extensible, and set you up for cutting edge adoption of technologies such as WebAssembly (Wasm), GraphQL, and eBPF.
Gloo Mesh Gateway can terminate TLS sessions before they reach your apps. You can configure the virtual gateway to use your own TLS certificates for each domain that it listens on. Such configuration means that you can use different certificates for different apps, to meet security standards.
You can also integrate identity providers with external authentication and authorization policies. Then, Gloo Mesh Gateway can make routing decisions based on the identity of the requestor.
You can apply several different policies to prevent threats before they reach your mesh, such as auth, web application firewall (WAF), and rate limiting.
Gloo Mesh provides a variety of observability features to help you analyze the traffic that flows through your gateways. Some metrics are automatically generated and sent to the Gloo Mesh UI, where you can view your gateways as well as traffic flows in a graph based on Prometheus data. You can also set up access logs and other tracing. Together, these observability features help you troubleshoot issues with app performance.