About
Gloo Mesh Enterprise is a multicluster and multimesh management plane that is based on hardened, open-source projects like Envoy and Istio. With Gloo Mesh, you can unify the configuration, operation, and visibility of service-to-service connectivity across your distributed applications. These apps can run in different virtual machines (VMs) or Kubernetes clusters, on premises or in various cloud providers, and even in different service meshes.
What is Gloo Mesh?
Gloo Mesh Enterprise is a distribution of the Istio service mesh that is hardened for production use across hybrid multicluster environments and multiple service meshes. Gloo Mesh Enterprise includes n-4 Istio version support with security patches for Common Vulnerabilities and Exposures (CVEs), as well as special builds to meet regulatory standards such as the Federal Information Processing Standards (FIPS).
The Gloo Mesh API simplifies the complexity of your service mesh by installing custom resource definitions (CRDs) that you configure. Then, Gloo Mesh translates these CRDs into Istio resources across your environment, and provides visibility across all of the resources and traffic. Enterprise features include multi-tenancy, global failover and routing, observability, east-west rate limiting and policy enforcement through authorization and authentication plug-ins, and north-south traffic control through the Gloo Mesh Gateway Envoy proxy module.
The following figure depicts how Gloo Mesh Enterprise ties together your hybrid cloud strategy for managing ingress and egress across services that run anywhere.
Why use Gloo Mesh Enterprise?
With Gloo Mesh Enterprise, you get an extensible, open-source based set of API tools to connect and manage your services across multiple clusters and service meshes.
Have more questions about how Gloo Mesh simplifies application networking concepts in Kubernetes and Istio? Review the YouTube playlist of 1-2 minute long video answers to frequently asked questions about Gloo Mesh, Istio, and other topics about securing application networking traffic. For more information, see the FAQ page on the Solo.io website.
Use Gloo Mesh as a complete service mesh and API gateway management solution
With an increasingly distributed environment for your apps, you need a flexible, open-source based solution to help meet your traditional and new IT requirements. Solo is laser-focused on developing the best service mesh and API gateway solutions, unlike other offerings that might be a small part of a vendor-locked-in solution. Furthermore, Gloo Mesh Enterprise is built on the following six principles.
- Secure: You need a zero-trust model and end-to-end controls to implement best practices, comply with strict regulations like FIPS, and reduce the risk of running older versions by keeping them security-patched.
- Reliable: You need a robust, enterprise-grade tool with features like priority failover and locality-aware load balancing to manage your service mesh and API gateway for your mission-critical workloads.
- Unified: You need one centralized tool to manage and observe your application environments and traffic policies at scale.
- Simplified: Your developers need a simple, declarative, API-based method to provide services to your apps without further coding and without needing to understand the complex technologies like Istio and Kubernetes that underlie your environments.
- Comprehensive: You need a complete solution for north-south ingress and east-west service traffic management across infrastructure resources on-premises and across clouds.
- Modern and open: You need a solution that is designed from the ground up on open-source, cloud-native best practices and leading projects like Kubernetes and Istio to maximize the portability and scalability of your development processes.
See how Gloo Mesh is an Outperformer and Leader in the service mesh space in the following GigaOM Radar report.
Use Gloo Mesh Enterprise for production-ready support
Hardening and managing open source distributions is time-consuming and costly. Your engineering resources can be better invested in developing higher-value services that enhance your core business offerings. In the following table, review the benefits of using an enterprise license instead of open source. Then, continue reading for the benefits of using Gloo Mesh Enterprise in single and multiple clusters.
Looking for a full list of features compared against what's available in open source? See the Feature comparison on the product website.
| Benefit | Gloo Mesh Enterprise | Gloo Mesh Open Source | Community Istio |
|---|---|---|---|
| Upstream-first approach to feature development | ✅ | ✅ | ✅ |
| Installation, upgrade, and management across clusters and service meshes | ✅ | ✅ | ❌ |
| Advanced features for security, traffic routing, transformations, observability, and more | ✅ | ❌ | ❌ |
| End-to-end Istio support and CVE security patching for n-4 Istio versions | ✅ | ❌ | ❌ |
| Specialty builds for distroless and FIPS compliance | ✅ | ❌ | ❌ |
| 24x7 production support and one-hour Severity 1 SLA | ✅ | ❌ | ❌ |
| Gateway, WebAssembly, and Portal modules to extend functionality | ✅ | ❌ | ❌ |
Single cluster benefits
With the move to containerized applications, you might find yourself managing a Kubernetes or OpenShift cluster with hundreds of namespaces that each contain several microservices that different development teams are responsible for deploying. You can use Gloo Mesh to manage your application networking across namespaces.
Simplify service mesh management
Using the Gloo Mesh API helps you simplify your networking setup because you can write an advanced configuration one time and apply the same configuration in multiple places and different contexts. For example, you can write a rate limit or authentication policy once. Then, you can apply this policy to all the east-west traffic of the services within your multicluster mesh. If you use Gloo Mesh Gateway, you can even apply the same policy to north-south traffic that enters the service mesh through the ingress gateway.
This API- and CRD-based approach can be integrated into your continuous integration and continuous delivery (CI/CD), DevOps, and GitOps workflows, so that you can track changes, control promotions, roll back when needed, and otherwise automate your processes.
Harden your service mesh lifecycle with n-4 Istio support
Gloo Mesh Istio is a hardened enterprise Istio image that maintains n-4 support for CVEs and other security fixes, longer than community Istio, which provides n-1 support with an additional 6 weeks of extended time to upgrade from n-1. Based on a cadence of one release every 3 months, Gloo Mesh's n-4 support provides an extra 9 months to run the hardened Istio version of your choice, compared to an open source strategy that also lacks enterprise support. Note that all backported functionality is available in upstream community Istio, as there are no proprietary features or forked capabilities that diverge from community Istio.
For more information, see Version support.
Set up a zero-trust architecture for both north-south ingress and east-west service traffic
You can set up a zero-trust architecture where trust is established by the attributes of the request, the requestor, or the environment. By default, no communication is allowed. Use access policies to control which services can communicate across or outside the service mesh.
Then, you can review which running services match the criteria in your policies and can communicate, such as in the following figure. Additionally, you can implement other security measures such as authorization and authentication (AuthZ/AuthN) controls and rate limiting, and otherwise shape traffic that enters or travels across your cluster. For more information, see the Guides.
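The following manifest is an added example to illustrate the default-deny plus explicit-allow pattern described above; it is not taken from the Gloo Mesh documentation or product. It assumes the Gloo Mesh Enterprise 1.x API group (networking.mesh.gloo.solo.io/v1), two registered clusters named cluster1 and cluster2 whose discovered Mesh resources are named istiod-istio-system-cluster1 and istiod-istio-system-cluster2, and a bookinfo namespace with a productpage service account and a reviews service; all of those names are placeholders. The same AccessPolicy is written once and applies to matching workloads in every cluster of the virtual mesh, which is the write-once, apply-everywhere point made in the single-cluster section.

```yaml
# Added example, not from the Gloo Mesh docs. Cluster, namespace, and
# service names are assumptions; verify field names against the CRDs
# installed in your management cluster (kubectl get crds | grep gloo).
apiVersion: networking.mesh.gloo.solo.io/v1
kind: VirtualMesh
metadata:
  name: virtual-mesh
  namespace: gloo-mesh
spec:
  mtlsConfig:
    # Restart Istio control planes so the shared root CA takes effect.
    autoRestart: true
    shared:
      rootCertificateAuthority:
        generated: {}
  # Zero-trust default: every east-west request is denied unless an
  # AccessPolicy explicitly allows it.
  globalAccessPolicy: ENABLED
  meshes:
  - name: istiod-istio-system-cluster1   # assumed discovered Mesh name
    namespace: gloo-mesh
  - name: istiod-istio-system-cluster2   # assumed discovered Mesh name
    namespace: gloo-mesh
---
apiVersion: networking.mesh.gloo.solo.io/v1
kind: AccessPolicy
metadata:
  name: productpage-to-reviews
  namespace: gloo-mesh
spec:
  # The caller is identified by its service account, that is, by the
  # SPIFFE identity in its mTLS certificate, not by pod IP.
  sourceSelector:
  - kubeServiceAccountRefs:
      serviceAccounts:
      - name: bookinfo-productpage      # assumed service account
        namespace: bookinfo
        clusterName: cluster1
  # Destination workloads are selected by namespace and label, so the
  # rule also covers reviews replicas that run in cluster2.
  destinationSelector:
  - kubeServiceMatcher:
      namespaces:
      - bookinfo
      labels:
        app: reviews
  # Narrow the allow rule beyond "any request": only GET on the reviews
  # path and only on the application port.
  allowedPaths:
  - /reviews/*
  allowedMethods:
  - GET
  allowedPorts:
  - 9080
```

Apply with kubectl against the management cluster and then confirm that the policy was accepted and translated, for example with kubectl get accesspolicy -n gloo-mesh productpage-to-reviews -o yaml and by checking its status. Two caveats a practitioner should keep in mind: enabling globalAccessPolicy on an existing mesh cuts off every flow that has no matching AccessPolicy, so enable it only after the allow rules for known-good traffic are in place; and the allowedPaths, allowedMethods, and allowedPorts fields only narrow an allow, they never widen it, so the source and destination selectors remain the primary trust boundary.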
Publish your API catalog with Gloo Portal
With the Gloo Portal module for Gloo Mesh, your development team can quickly bundle and publish the APIs that run in your service mesh through a CRD-based, self-service portal. Then, you can issue API keys, rate limit, and otherwise control how your API services are used externally. The following figure shows how you might customize your collection of APIs for a pet store.
For more information, see the Portal module.
Control access with role-based APIs
Create self-service workspaces by delegating ownership of the service mesh APIs, such as by namespace. You can create roles for developers, site reliability engineers (SREs), and system administrators to scope their ability to configure custom resources like traffic policies or virtual meshes.
For more information, see the Role-based API guide.
Similar to a containerized microservices architecture, modern infrastructure architectures favor a distributed environment of many smaller deployment targets, like multiple clusters, for reasons such as the following.
- Fault tolerance
- Compliance and data access
- Disaster recovery
- Scaling needs
- Geographic needs
In addition to all of the benefits you get with single clusters, Gloo Mesh Enterprise helps solve some of your toughest multicluster challenges as described in the following sections.
Scale clusters with quick registration
As you scale out your apps, you might need to run your apps on-premises as close to the data as possible. You might also need burstable support for surges through a public cloud. As such hybrid environments become increasingly common, you need a service mesh approach that can scale with your workloads. Gloo Mesh simplifies this process by providing tools to register clusters and create virtual meshes that make sense for your workload architecture.
For more information, see Register clusters.
Discover multicluster Istio services
A challenging Istio problem is service discovery for cross-cluster communication.
The Istio Endpoint Discovery Service (EDS) requires each Istio control plane to have access to the Kubernetes API server of every cluster, as shown in the following figure. Besides the security concern of granting every control plane credentials for every cluster's API server, an Istio control plane cannot start if it cannot reach one of those clusters, which creates a cross-cluster availability dependency and impacts performance.
Gloo Mesh addresses these problems with its server-agent approach, as shown in the following figure. An agent that runs in each cluster watches only the local Kubernetes API server and passes the information to the Gloo Mesh management plane through a secured gRPC channel. Gloo Mesh then tells the agents to create the Istio ServiceEntries that correspond to the workloads that are discovered in the other clusters.
For more information, see Architecture.
Set up traffic failover across clusters and environments
You have a multicluster hybrid environment across different zones and regions. But how do you configure high availability, failover, and traffic routing to the closest, available destination? With Gloo Mesh, you can use API abstractions such as traffic policies and virtual destinations to define how services behave, interact, and receive traffic.
For more information, see the Multicluster guides.
Observe your service mesh traffic across environments
The Gloo Mesh agents in each cluster consolidate key metrics and logs so that you can more easily observe all your service traffic through an interactive UI, as shown in the following example clip.