Overview
Learn about how you can enhance your Istio setup with Gloo Mesh.
Gloo Mesh deploys alongside your Istio environment in single or multicluster environments, and can discover existing Istio installations across clusters and infrastructure providers. The Gloo Mesh management plane provides visibility into your Istio environment in one or multiple clusters, such as built-in advanced observability tools, and a Gloo UI that gives you an at-a-glance view of the configuration, health, and compliance status of your Gloo Mesh setup and the workloads in your cluster. Gloo Mesh also comes with an insights engine that automatically analyzes your Istio setup for health, security, and resiliency issues. Then, Gloo shares these issues along with recommendations to harden your Istio setup in a custom dashboard. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For more information about these components, see Architecture.
Gloo Mesh works with community Istio out of the box, but Gloo Mesh includes more than tooling to complement an existing Istio installation. You can also replace community Istio with Solo’s hardened Istio images. The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. For more information, see Solo distributions of Istio.
Enterprise support
When you use the Solo distribution of Istio to deploy ambient or sidecar service meshes, you can also provide your Gloo Mesh license.
The Solo distribution of Istio includes standard built-in features by default, and numerous other features that you can unlock with two levels of Solo licenses. When you provide your license in your Istio installation values, your Istio installation is automatically enabled with the features provided by your license.
- Standard features are included by default in the Solo distribution of Istio version 1.25 and later. If you provide a -solo tagged Istio version in your Istio installation values, your Istio installation is enabled with these standard features.
- Premium features are unlocked with a Premium license (sometimes called a Gloo Mesh license). In addition to all Standard features, a Premium license unlocks better environment visibility and analysis with the Gloo Mesh management plane, and increased Solo support.
- Enterprise features are unlocked with an Enterprise license (sometimes called a Gloo Mesh Enterprise license). In addition to all Standard and Premium features, an Enterprise license unlocks the most comprehensive enterprise-level features to help you build out your ideal, customized mesh setup.
If you do not already have a Premium or Enterprise license for Gloo Mesh, you can contact an account representative to obtain one. Note that if you also install the Gloo Mesh management plane for better visibility and insights into your environment, you specify the same license in your Gloo Mesh installation too.
Review the following features and the levels that each feature is supported in. Note that these lists provide a general overview of major features, and are not exhaustive.
- ✅ Supported
- 🟡 Limited support
- ❌ Unsupported
- * Additional fees apply
- † Multicluster mesh support requires an Enterprise level license for both Gloo Gateway and Gloo Mesh.
Lifecycle management
As a service mesh, Istio solves connectivity challenges that arise with microservice architectures. Many microservices can mean many ingress and egress points. In regulated and secured environments, you might need many ingress and egress gateways. Even further, microservices split not only into many apps, but often in many clusters, requiring complex multicluster configurations too.
Gloo Mesh simplifies lifecycle management activities with three automation systems: Istio installation and upgrades, waypoint deployment, and multicluster peering (beta).
Istio installation
Gloo Mesh supports full service mesh lifecycle management with the Gloo Operator. With Gloo Operator, you no longer need to manually install and manage the istiod control plane, Istio CNI, ztunnels, and more. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into managed installations of all necessary Istio components in your cluster for you. The operator can even detect your cluster platform, and set the appropriate fields required for that platform. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.
To get started, see the Gloo Operator installation guides for ambient or sidecar service meshes.
Waypoint deployment
If you deploy an ambient mesh and require waypoint proxies to apply Layer 7 policies, you can use versions 1.25 and later of the Solo distribution of Istio to automate the waypoint deployment. Instead of manually creating a waypoint proxy resource, and then labeling a namespace, service, or service entry to use that waypoint, you can simply label the namespace, service, or service entry with istio.io/usewaypoint=auto. Istiod automatically creates the appropriate waypoint and applies it to your target resource.
Note that this automation currently only creates waypoints with the istio-waypoint Gateway class. For more information, see About waypoints.
Multicluster peering (beta)
Multicluster mesh capabilities require an Enterprise level license for Gloo Mesh. If you do not have one, contact an account representative. Additionally, you must install a service mesh to the same cluster that the Gloo Mesh management plane is installed in.
Automated multicluster peering is a beta feature. For more information, see Gloo feature maturity. Additionally, automated peering requires Istio to be installed in the same cluster that the Gloo Mesh management plane is deployed to.
In multicluster setups, you can configure Gloo Mesh to automate multicluster mesh peering by including the --set featureGates.ConfigDistribution=true setting in your management plane installation. Then, you use the istioctl multicluster expose command included in the Solo distribution of Istio to quickly create east-west gateways. The Gloo Mesh management plane watches for these east-west gateways, and generates one istio-remote resource in the management cluster for each connected workload cluster. Gloo Mesh then distributes the gateway to each cluster respectively. These gateways use the istio-remote GatewayClass, which allows the istiod control plane in each cluster to discover the east-west gateway addresses of other clusters.
To get started, follow the Gloo Operator guides to install an ambient or sidecar multicluster mesh.
Operational observability
Gloo Mesh uses the OpenTelemetry (OTel) project to collect telemetry data from many sources in your clusters. Some of these sources, such as Grafana and Prometheus, are built in to monitor your Gloo environment and the apps in your cluster. You might have other existing sources, too. With OTel, you can set up pipelines for these sources as needed, so that you have all your telemetry data in a single place.
The Gloo UI shows these observability details in a single pane of glass, as shown in the following figure. For more information, see Telemetry.


Insights
Gloo Mesh comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For example, insights can help you identify:
- Sidecars that are orphaned from istiod but otherwise reflect a healthy, running status
- Istio CRDs that are missing
- Gateways or virtual services that are not scoped, which can lead to unpredictable routing behavior
- Opportunities to trim the Envoy proxy config to reduce overload
- Opportunities to tune istiod performance such as to improve push times and decrease throttling
- Annotations that bypass sidecars or iptables rules
- Non-ordered containers that cause race conditions with sidecars
- Better egress controls
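A defender's check for one item in the list above, annotations that bypass sidecars or iptables rules, written as an added example; it is not the Gloo Mesh insights engine or code from this page. The pod list is constructed sample data in the shape of `kubectl get pods -A -o json` output, and the function name `find_bypasses` is hypothetical.

```python
import json

# Istio pod annotations that carve traffic out of sidecar iptables redirection.
EXCLUDE_ANNOTATIONS = (
    "traffic.sidecar.istio.io/excludeInboundPorts",
    "traffic.sidecar.istio.io/excludeOutboundPorts",
    "traffic.sidecar.istio.io/excludeOutboundIPRanges",
)
INJECT_KEY = "sidecar.istio.io/inject"

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "cart-7d9f",
    "annotations": {"traffic.sidecar.istio.io/excludeOutboundPorts": "5432,6379"}}},
  {"metadata": {"namespace": "jobs", "name": "report-x1",
    "labels": {"sidecar.istio.io/inject": "false"}}},
  {"metadata": {"namespace": "pay", "name": "ledger-0",
    "annotations": {"traffic.sidecar.istio.io/excludeOutboundIPRanges": "10.0.0.0/8",
                    "traffic.sidecar.istio.io/excludeInboundPorts": ""}}},
  {"metadata": {"namespace": "shop", "name": "web-5c", "annotations": null}}
]}
""")

def find_bypasses(pod_list):
    """Return (namespace/name, key, value) for each setting that skips the sidecar."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        labels = meta.get("labels") or {}
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        # Injection can be switched off per pod by annotation or by label.
        for source in (annotations, labels):
            if str(source.get(INJECT_KEY, "")).lower() == "false":
                findings.append((ref, INJECT_KEY, "false"))
                break
        # An empty exclude value excludes nothing, so only non-empty ones count.
        for key in EXCLUDE_ANNOTATIONS:
            value = (annotations.get(key) or "").strip()
            if value:
                findings.append((ref, key, value))
    return findings

if __name__ == "__main__":
    for ref, key, value in find_bypasses(SAMPLE_POD_LIST):
        print(f"{ref}: {key}={value}")
```

Each finding is a pod whose traffic, in whole or in part, does not pass through the proxy, so mesh policies such as mTLS and AuthorizationPolicy do not apply to that traffic.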
In the following figure, an example insight warns that an AuthorizationPolicy is not enforced. For more information, see Insights.

