As you build your Gloo Mesh environment, you might want to add a workload that runs on an external machine to your setup. For example, you might run an app or service in a VM that must communicate with services in the Istio service mesh that runs in your Kubernetes cluster.

To onboard your external workload into the service mesh, you deploy three agents to your VM: an Istio sidecar agent, a SPIRE agent, and an OpenTelemetry (OTel) collector agent.


By adding an Istio sidecar agent to your VM, you can achieve fully bidirectional communication between apps in your cluster’s service mesh and apps in the VM. Because all communication between services in the workload cluster and services in the VM goes through the workload cluster’s east-west gateway, the communication is mTLS-secured. You can also apply Gloo resources, such as Gloo traffic policies, to the apps on your VM.

Gloo agent

To securely attest the identity of the external machine and collect metrics, you deploy a Gloo agent.

To onboard the external workload into your Gloo setup, the Gloo agent must authenticate and verify itself when it first connects to the workload cluster, which is known as node attestation. During node attestation, the Gloo agent on the VM and the Gloo components on the workload cluster together verify the identity of the node that the agent is deployed to. This process ensures that the workload cluster and your VM can securely connect to each other.

The Gloo agent also sends metrics through the workload cluster’s east-west gateway to the OTel gateway on the management cluster. By enabling the agent to gather metadata about the compute instance that it is deployed to, you can visualize your Gloo Mesh setup across your cloud provider infrastructure network. For more information about metrics collection in Gloo, see Set up the Gloo OTel pipeline.

Supported platforms

As of Gloo Mesh Enterprise version 2.5.0, this feature is tested for onboarding on-premises instances, and virtual and bare metal machines that run in Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure.