Gloo Platform products

With Gloo Platform, you get a suite of tools to consistently and securely manage your L3-L7 network application traffic. Gloo consists of an installable set of platform management tools that you install in a Kubernetes-based cluster via the Gloo CLI (meshctl) or Helm. Then, you unlock various network management capabilities with product or module licenses, as shown in the following figure.

Figure: Gloo Platform provides a consistent, secure management experience across Gloo products that help you manage L3-L7 network application traffic.

Shared platform management

When you install Gloo in your cluster, you get several components to provide custom resources, observability, and management capabilities for the product licenses that you have. These components run in your cluster even if you do not add a product license, in which case the components do not report back any data until you start using a product.

You can also choose to install several optional components to extend functionality, such as rate limiting and external authentication servers. Finally, you can use Gloo Platform to manage open source components for your gateway and service mesh, such as Istiod.

For more information about these components, see Platform architecture.

Licensed products

Product licenses unlock certain capabilties in Gloo Platform. For example, with a Gloo Mesh license, your Gloo Platform agent installs Mesh custom resource definitions (CRDs) in each registered cluster. With these CRDs, you can consistently manage your application networking resources across clusters.

Product licenses unlock certain capabilities in Gloo Platform. Gloo products are built on hardened Solo images of related open source projects.

Product OSS projects Description
Gateway Envoy, Istio Gloo Mesh Gateway is an API gateway based on Envoy and Istio open source technologies. A gateway license unlocks custom resources such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), external auth, and rate limiting. You can enhance your API gateway with additional modules, such as GraphQL, support for routing to AWS Lambdas, and a developer portal. Keep in mind that for internal service mesh traffic management, you need a Gloo Mesh Enterprise license alongside Gloo Mesh Gateway. For example, without a mesh license, you cannot use workload selectors on route tables; route tables without a virtual gateway; or access, access log, failover, or WebAssembly (Wasm) policies.
Mesh Istio, eBPF, Cilium Gloo Mesh manages Istio-based service meshes across clusters and infrastructure providers, and secures communication between workloads via mTLS. A mesh license unlocks hardened, FIPS-compliant Istio images with n-4 version support. You get a simplified management experience for multitenancy, service isolation, federation, and east-west traffic management. Gloo Mesh even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources so that intelligent, multicluster failover works out of the box. You also get Gloo custom resources to manage internal mesh routing, including virtual gateways, route tables, and policies such as external auth and rate limiting. Keep in mind that for advanced ingress routing features, you need a Gloo Mesh Gateway license alongside Gloo Mesh Enterprise. For example, without a gateway license, you cannot use cloud resources or AWS Lambda; advanced listener configuration such as TLS for ingress routes; add-ons such as external auth, rate limiting, or the developer portal for non-mesh ingress use cases; or policies that apply to ingress routes such as Web Application Firewall (WAF).

Gloo Mesh also includes support for Solo distributions of Cilium, you can deploy the Cilioum CNI to your clusters and use Cilium network policies to allow or drop packages between apps on layer 3 and 4 of the OSI Networking model. Cilium is an open source technology and a highly scalable Kubernetes Container Network Interface (CNI) that provides cloud-native networking connectivity, security, and observability for container-based workloads, such as in Kubernetes and Docker. To provide advanced networking and security controls, Cilium leverages the Linux kernel technology eBPF, and you can even reuse the same access policies for both L3/L4 and L7 access control.

Licensed modules

Modules further extend select products with licensed capabilities. The license that you use when installing or upgrading Gloo Platform can include both a product and module, instead of separate licenses. For example, you might have a Gloo Gateway with GraphQL license to use the Gateway product along with the GraphQL module.

You can extend the capabilities of Gloo products with modules. Modules are typically bundled together in the same license as the product license.

Module Compatible projects Description
GraphQL Gateway, Mesh GraphQL is a server-side query language and runtime you can use to expose your APIs as an alternative to REST APIs. GraphQL allows you to request only the data you want and handle any subsequent requests on the server side, saving numerous expensive origin-to-client requests by instead handling requests in your internal network. By building GraphQL capabilties into the Gloo ingress or east-west gateways, Gloo extends GraphQL with route-level networking logic. For example, the gateway might rate limit, authorize, and authenticate requests. To set up GraphQL in your Gloo environment, check out the GraphQL guides in the Gloo Mesh Gateway documentation.