Gloo features

| Gloo feature | Supported / coming soon | Description |
|---|---|---|
| Support for any CNI | | You can run Gloo Mesh in ambient mode on any CNI, such as Cilium, Calico, or cloud provider-specific CNIs. |
| Single cluster setup | | Set up the Gloo components and enable the Gloo Mesh Enterprise agent in a single cluster. |
| Multicluster setup | Coming soon | Set up an ambient mesh that spans multiple clusters, and use Gloo to centrally manage the multicluster, multi-mesh setup. |
| Central management with Gloo | | Leverage the full Gloo Platform stack, including central management with the Gloo management server, built-in Prometheus metrics, observability via the Gloo UI, and access to various traffic policies to protect the apps in your cluster. |
| Gloo UI | | Monitor the traffic between ambient workloads, and review workspace, networking, and policy configurations with the Gloo UI. |
| Service isolation with workspaces | | Enable service isolation for Kubernetes services that belong to the same Gloo workspace. |
| Workspace federation | Coming soon | Allow services in different clusters to communicate with each other by enabling workspace federation. |
| Sidecar to sidecarless (and vice versa) | Coming soon | Run ambient and non-ambient workloads in the same cluster, and allow these workloads to communicate with each other. |

Routing options

| Routing option | Supported / coming soon | Description |
|---|---|---|
| Direct response | | Instead of routing a request to the target app, you send back a direct response to clients. |
| Header matching | | Define a set of headers that requests must match to be routed in the ambient mesh. |
| Query parameter matching | | Define the query parameters that requests must match to be routed in the ambient mesh. |
| HTTP method matching | | Define the HTTP method that requests must match to be routed in the ambient mesh. |
| URI path matching | | Define the path that requests must match to be routed in the ambient mesh. |
| Host redirect | | Redirect requests to another host. |
| Path redirect | | Redirect requests to another path. |
| Host rewrite | | Overwrite the host value before forwarding the request to the target app. |
| Path rewrite | | Overwrite the path value before forwarding the request to the target app. |
| Route to Kubernetes services | | Route requests within your ambient mesh. |
| Route to virtual destinations | Coming soon | Expose apps within the mesh under an internal hostname, and use this hostname to send requests to apps across clusters. |
| Route to external services | Coming soon | Route requests from ambient workloads to endpoints that are located outside the ambient mesh. |
| Route traffic to delegated route table | Coming soon | Delegate incoming traffic for an app to another Gloo route table. |

Gloo policies

| Policy | Supported / coming soon | Description |
|---|---|---|
| Access | (✅) | Control access for workloads in your service mesh. Note that upstream Ambient is currently in alpha status and might have limitations or bugs that impact access policies. In particular, you cannot mix Layer 4 and Layer 7 policies. |
| Active healthcheck | Coming soon | Use the ingress gateway to periodically check the health of an upstream service in your cluster. |
| Client TLS policy | Coming soon | Enable TLS origination for your ingress gateway so that you can encrypt requests before they are forwarded to HTTPS services in your cluster. |
| Connection pool settings for HTTP | Coming soon | Use a connection policy to configure connection pool settings for an HTTP destination. |
| Connection pool settings for TCP | Coming soon | Set up connection pool settings for a TCP destination, such as TCP keepalive. |
| CORS | | Enforce client-side access controls with cross-origin resource sharing (CORS). |
| CSRF | (✅) | Only with Gloo Gateway license: Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Data loss prevention | (✅) | Only with Gloo Gateway license: Ensure that sensitive data isn’t logged or leaked with Data Loss Prevention (DLP). |
| External auth | (✅) | Only with Gloo Gateway license: Set up external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Failover | | Use a failover policy to determine where to reroute traffic in case of failure. |
| Fault injection | | Test the resilience of your apps by injecting delays and connection failures. |
| Header manipulation | | Append or remove HTTP request and response headers at the route level. |
| HTTP buffer filter | (✅) | Only with Gloo Gateway license: Set the maximum request body size that you want to accept for a particular workload in your cluster. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| JWT | | Control access or route traffic based on verified claims in a JSON web token (JWT). |
| Listener connection | Coming soon | Configure connection settings between downstream services and a gateway listener. |
| Load balancer and consistent hash | Coming soon | Specify how you want Istio to select an upstream service to serve an incoming client request. |
| Mirroring | | Duplicate outgoing traffic to test a new app. |
| Outlier detection | | Configure Gloo to remove unhealthy destinations from the connection pool, and add the destinations back when they become healthy again. |
| Proxy protocol | Coming soon | Preserve connection information such as the client IP address for traffic that goes through your gateway listener. |
| Rate limiting | (✅) | Only with Gloo Gateway license: Control the rate of requests to destinations within the service mesh. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Retry and timeout | | Reduce transient failures and hanging systems by setting retries and timeouts. |
| Transformation | | Alter a request before matching and routing, such as with an Inja header template. |
| Trim proxy config | | Trim the number of destinations in the Istio sidecar proxy configuration for your workloads to avoid memory pressure issues. |
| WAF | (✅) | Only with Gloo Gateway license: Filter, monitor, and block potentially harmful HTTP traffic with a Web Application Firewall (WAF) policy. Note that this policy can only be applied to an ingress gateway and requires a separate Gloo Gateway license. |
| Wasm | Coming soon | Add a Wasm filter to the Envoy sidecar proxy, for use cases such as customizing the endpoints and thresholds for your workloads. |