Gloo Platform products

With Gloo Platform, you get a suite of tools to consistently and securely manage your L3-L7 network application traffic. Gloo consists of an installable set of platform management tools that you install in a Kubernetes-based cluster via the Gloo CLI (meshctl) or Helm. Then, you unlock various network management capabilities with product or module licenses, as shown in the following figure.

Figure: Gloo Platform provides a consistent, secure management experience across Gloo products that help you manage L3-L7 network application traffic.

Shared platform management

When you install Gloo in your cluster, you get several components to provide custom resources, observability, and management capabilities for the product licenses that you have. These components run in your cluster even if you do not add a product license, in which case the components do not report back any data until you start using a product.

The following table describes the components and which products use the components.

Component Products that use component Description
Gloo management server Gateway, Mesh, Network The management server maintains the desired state of your environment based on the configurations that you create. The server translates Gloo custom resources to the appropriate open source custom resources (such as Istio, Envoy, or Cilium). Then, the server pushes config changes to the agents to apply in the workload clusters.
Gloo workload agent Gateway, Mesh, Network The agents send product-specific metrics and snapshots of the resources from each workload cluster to the management server.
Prometheus Gateway, Mesh, Network The default Prometheus deployment scrapes metrics from the Gloo management server. You can also bring your own instance.
Gloo UI Gateway, Mesh, Network With the UI, you can review the health and configuration of Gloo custom resources, including registered clusters, workspaces, networking, policies, and more. You can even set up external authentication that is synchronized with Kubernetes role-based access control to manage how your users access the UI.
External auth server Gateway, Mesh Set up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.
Rate limiting server Gateway, Mesh Control the rate of requests to destinations within the service mesh.
Redis Gateway, Mesh, Network Redis instances are used to store state data for several Gloo components. You can optionally bring your own Redis instance.
  • Management server: Gloo stores the state of the custom resources in each registered cluster in Redis. If you see state reconciliation errors, you can try restarting Redis.
  • Dashboard: The Gloo UI (dashboard) uses the data in Redis to display resources in the UI.
  • External auth (Gateway, Mesh): The external auth server stores its configuration data in a Redis instance that is separate from the one that the management server and dashboard use.
  • Rate limiting (Gateway, Mesh): The rate limiting server stores its configuration data in a Redis instance that is separate from the one that the management server and dashboard use.

Licensed products

Product licenses unlock certain capabilties in Gloo Platform. For example, with a Gloo Mesh license, your Gloo Platform agent installs Mesh custom resource definitions (CRDs) in each registered cluster. With these CRDs, you can consistently manage your application networking resources across clusters.

Product Related open source projects Description
Gateway Envoy, Istio Gloo Gateway is an API gateway based on Envoy and Istio open source technologies. A gateway license unlocks custom resources such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), data loss prevention (DLP), external auth, and rate limiting.
Mesh Istio Gloo Mesh manages Istio-based service meshes across clusters and infrastructure providers. A mesh license unlocks hardened, FIPS-compliant Istio images with n-4 version support. You get a simplified management experience for multi-tenancy, service isolation, federation, and east-west traffic management. Gloo Mesh even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources so that intelligent, multicluster failover works out of the box.
Network eBPF, Cilium Gloo Network is a Cilium-based container network interface (CNI) plug-in that leverages the Linux kernel technology eBPF to provide connectivity, security, and observability for containerized workloads. You can use Gloo policies to consistently apply L3 and L4 access control across all the services in your multi-cluster environment. If you use Network with Mesh or Gateway, you can even reuse the same access policies to add L7 access control.

Licensed modules

Modules further extend select products with licensed capabilities. The license that you use when installing or upgrading Gloo Platform can include both a product and module, instead of separate licenses. For example, you might have a Gloo Gateway with GraphQL license to use the Gateway product along with the GraphQL module.

Module Products the module can extend Description
Portal Gateway With Gloo Portal, you can bundle and secure access to your APIs through a customizable developer portal. The portal supports the OpenAPI specification (OAS), also known as Swagger. Because the APIs must be available externally, Portal works only with Gateway.
GraphQL Gateway, Mesh GraphQL is a server-side query language and runtime you can use to expose your APIs as an alternative to REST APIs. GraphQL allows you to request only the data you want and handle any subsequent requests on the server side, saving numerous expensive origin-to-client requests by instead handling requests in your internal network. By building GraphQL capabilties into the Gloo ingress or east-west gateways, Gloo extends GraphQL with route-level networking logic. For example, the gateway might rate limit, authorize, and authenticate requests. To set up GraphQL in your Gloo environment, check out the GraphQL guides in the Gloo Gateway documentation.