• Set up Gloo Mesh
      • Deploy sample apps
      • Set up routing for sample apps
      • Apply a policy and explore the UI
      • Tutorial: Federate clusters and isolate workloads for multitenancy
      • Set up Gloo Mesh
      • Deploy sample apps
      • Apply a policy and explore the UI
      • Overview and benefits
        • Component architecture
        • Networking architecture
        • Relay architecture
      • API concepts
        • Apply policies
        • Import and export policies
        • Supported policies in Gloo Mesh Enterprise
      • Personas
      • Resource validation
      • What is a service mesh?
      • What is Istio?
      • Install the meshctl CLI
      • Licensing
      • System requirements
      • Installation options
      • Install with Helm
      • Install with Argo CD
      • Install in air-gapped environments
      • Verify Helm charts
      • Best practices for production
        • About Redis
        • Built-in Redis
        • Local Redis
        • External Redis
          • Istio CA overview
            • Setup options
            • Certificate rotation overview
            • Manage the entire Istio CA lifecycle
            • Manage Istio intermediate CAs
            • Integrate with Vault
            • AWS
          • Setup options
          • Certificate rotation overview
          • Insecure setup
            • Self-signed server certificate
            • BYO server certificate
            • Self-signed server certificate with managed client certificates
            • BYO server certificate with managed client certificate
              • OpenSSL
              • AWS
              • Vault
      • Control user access to Gloo resources
        • About onboarding external workloads
        • AWS instances
        • Azure instances
        • GCP instances
        • On-prem instances
      • FIPS images
      • High availability and disaster recovery
        • Set up multitenancy with workspaces
          • Overview
          • Workspace configuration
          • Import and export resources across workspaces
          • Workspaces as service discovery boundaries
          • Persona-driven workspace setup
    • Upgrade
    • Uninstall
    • Service mesh options
      • Overview
      • Supported Solo distributions of Istio
      • Install Gloo-managed service meshes
      • Migrate to Gloo-managed service meshes
      • Upgrade Gloo-managed service meshes
      • Best practices for Istio in prod
      • Install Istio service meshes with Helm
      • Upgrade Istio service meshes with Helm
    • Install Istio with EKS add-on
    • Install Istio with AKS Extension
    • Add apps to the service mesh
    • Route across clusters with east-west gateways
    • Expose apps with an ingress gateway
    • Upgrade with the Istio lifecycle manager (legacy)
      • Routing overview
      • Intra-mesh routing
      • Multicluster routing
      • Routing to external services
      • Federated services
        • Route table delegation
        • Route label inheritance
        • Route matcher inheritance
        • Route policy attachment
        • Route table failure modes
      • URI path matching
      • Header matching
      • Query parameter matching
      • HTTP method matching
      • Route within or across clusters
        • Route to an external service directly
        • Create internal DNS entries for external endpoints
        • Block egress traffic with an egress gateway
      • Additional route settings
    • Direct response
    • Redirects and rewrites
    • Route delegation
    • Header manipulation
    • Load balancing and consistent hashing
    • Mirroring
    • Transformation
      • Security overview
      • Gloo components
      • Service mesh traffic
      • User access
      • Applications
      • Underlying infrastructure
    • Access policy
    • CORS
      • About
      • External auth server setup
      • Basic external auth policy
      • API keys
      • LDAP
        • About
        • OPA with Rego rules in config maps
        • OPA server as a sidecar
        • Bring your own OPA server
        • API key and OPA
      • About
      • JWT for destinations
      • JWT for mesh routes
      • Multiple JWT providers
      • JWT claim- and scope-based auth
      • About
      • Rate limit server setup
      • Basic rate limit policy
      • Multicluster rate limit
      • More rate limit policy examples
    • Adaptive request concurrency
    • Connection pool settings for HTTP
    • Failover
    • Fault injection
    • Outlier detection
    • Retry and timeout
    • TCP connection
      • About
      • Trim proxy config policy
      • Trim proxy in workspace settings
    • About the telemetry pipeline
      • Overview
        • Overview
        • Explore the UI with insights
        • Configure the UI for HTTPS
        • Connect the Gloo UI to OpenShift Prometheus
          • Overview
          • External auth with Google
          • External auth with Dex
          • External auth with Okta
          • OIDC settings in Helm
          • RBAC for resources in the UI
      • Istio insights
        • Overview
        • Sample PromQL queries
        • Metrics
        • Alerts
        • Customization options
        • Overview
        • Set up and access Grafana
        • Import the operations dashboard
        • Import the OPA dashboard
      • Jaeger
      • Istio access logs
      • Add Istio insights
      • Add Istio request traces
      • Collect compute instance metadata
      • Forward metrics to Datadog
      • Forward metrics to OpenShift
      • Enable logs
      • Gloo Mesh Enterprise versions
      • Open Source attribution
      • Feature gates
      • Release notes
      • Gloo Mesh Enterprise changelog
      • Solo distribution of Istio changelog
      • Overview
      • AccessLogPolicy
      • AccessPolicy
      • ActiveHealthCheckPolicy
      • AdaptiveRequestConcurrencyPolicy
      • ApiDoc
      • ApiSchemaDiscovery
      • ApprovalState
      • AuthConfig
      • CaOptions
      • Clientmode
      • ClientTlsPolicy
      • CloudProvider
      • CloudProviderOptions
      • CloudResources
      • Condition
      • ConnectionPolicy
      • Core
      • CorsPolicy
      • CsrfPolicy
      • Dashboard
      • DlpPolicy
      • EnforcementLayers
      • ExtAuthPolicy
      • ExtAuthServer
      • ExternalEndpoint
      • ExternalService
      • ExternalWorkload
      • FailoverPolicy
      • FaultInjectionPolicy
      • GatewayLifecycleManager
      • HeaderManipulation
      • HttpBufferPolicy
      • HttpMatchers
      • InsightsConfig
      • InternalAdmin
      • IstioHelm
      • IstioLifecycleManager
      • IstioOperator
      • JwtPolicy
      • K8SReports
      • Keepalive
      • KubernetesCluster
      • ListenerConnectionPolicy
      • LoadBalancerPolicy
      • Locality
      • MirrorPolicy
      • OutlierDetectionPolicy
      • Phase
      • Port
      • Portal
      • PortalGroup
      • PortalMetadata
      • ProxyProtocolPolicy
      • Ratelimit
      • RatelimitClientConfig
      • RatelimitPolicy
      • RatelimitServerConfig
      • RatelimitServerSettings
      • Ref
      • References
      • RetryTimeoutPolicy
      • RootTrustPolicy
      • RouteTable
      • Selectors
      • SoloKit
      • Status
      • StringMatch
      • TcpMatchers
      • TlsMatchers
      • TransformationPolicy
      • TrimProxyConfigPolicy
      • VaultCa
      • VirtualDestination
      • VirtualGateway
      • WafPolicy
      • Workspace
      • WorkspaceSettings
      • Helm chart overview
      • Gloo Platform
      • Gloo Platform CRDs
      • meshctl
      • meshctl check
      • meshctl check server
      • meshctl cluster
      • meshctl cluster deregister
      • meshctl cluster list
      • meshctl cluster register
      • meshctl dashboard
      • meshctl debug
      • meshctl debug report
      • meshctl experimental
      • meshctl experimental check-impact
      • meshctl experimental dump-reports
      • meshctl experimental interop-check
      • meshctl experimental switch-active
      • meshctl experimental validate
      • meshctl experimental validate resources
      • meshctl experimental validate resources clean
      • meshctl external-workload
      • meshctl external-workload bug-report
      • meshctl external-workload generate-token
      • meshctl external-workload install
      • meshctl external-workload onboard
      • meshctl external-workload uninstall
      • meshctl generate
      • meshctl generate graphql
      • meshctl generate graphql grpc
      • meshctl install
      • meshctl license
      • meshctl license check
      • meshctl logs
      • meshctl migrate
      • meshctl migrate helm
      • meshctl migrate helm-values
      • meshctl precheck
      • meshctl proxy
      • meshctl uninstall
      • meshctl version
      • CVE lifecycle handling
      • Security and CVE scan results
    • Gloo Mesh scalability
    • Gloo component permissions
    • General debugging
      • Management server and relay connection
      • Add-ons
      • Agent
      • Custom resources
      • Observability pipeline
      • Policies
      • Redis
      • Routes
      • UI graph
      • ELB health checks in AWS fail
      • Istio gateway installation times out
      • Istio
      • Istio and gateway lifecycle manager
      • Knative
      • Bookinfo apps pending
      • Ephemeral containers
    • About Solo Support
    • Submit a request
    • Add support information
  • open_in_new Gloo Mesh Gateway
    • main
    • 2.7 (latest)
    • 2.6
    • 2.5
    • 2.4
    • GitHub
    • Twitter / X
  • to navigate
  • to select
  • to close
    • Home
    • About
    • Home
    • Architecture
    On this page

    These docs use Gloo Mesh Enterprise APIs to manage your sidecar service mesh. To manage your service mesh with the Kubernetes Gateway API instead, see the Gloo Mesh docs.

    Architecture

    article

    Component architecture

    Learn more about the Gloo components that you install to manage your environment.

    article

    Networking architecture

    article

    Relay architecture

    Review the Gloo relay server and agent architecture.

    Solo.io copyright 2025