Solo Enterprise for Istio management plane
Review what additional benefits you can get when running an ambient mesh with the Solo Enterprise for Istio management plane.
Lifecycle management
Solo Enterprise for Istio provides several features to simplify, automate, and manage the lifecycle of your Istio installation.
Istio installation
Solo Enterprise for Istio supports full service mesh lifecycle management with the Gloo Operator. By using the Gloo Operator to manage your service meshes, you no longer need to manually install and manage the istiod control plane. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into a managed istiod control plane in your cluster for you. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.
- To get started, see the Gloo Operator installation guides for ambient or sidecar service meshes.
- If you prefer to manually manage your Istio service meshes instead, see the guides to manually deploy ambient or sidecar service meshes.
Automated multicluster peering (beta)
Automated multicluster peering is a beta feature. Do not use this feature in production deployments. For more information, see Solo feature maturity.
Multicluster mesh capabilities require an Enterprise level license for Solo Enterprise for Istio. If you do not have one, contact an account representative.Automated peering requires Istio to be installed in the same cluster that the Gloo management plane is deployed to.
In multicluster setups, you can configure Solo Enterprise for Istio to automate multicluster mesh peering by including the --set featureGates.ConfigDistribution=true setting in your management plane installation. Then, you use the istioctl multicluster expose command included in the Solo distribution of Istio to quickly create east-west gateways. The Gloo management plane watches for these east-west gateways, and generates one istio-remote resource in the management cluster for each connected workload cluster. Solo Enterprise for Istio then distributes the gateway to each cluster respectively. These gateways use the istio-remote GatewayClass, which allows the istiod control plane in each cluster to discover the east-west gateway addresses of other clusters.
Note that because the istio-remote resource requirement for automated peering is lightweight, scaling automated peering up to multiple clusters has little impact on performance. When you add a cluster to the multicluster setup, Solo Enterprise for Istio must only distribute one additional istio-remote resource to each existing cluster, and distribute the existing istio-remote resources to the new cluster.
To get started, follow the Gloo Operator guides to install an ambient or sidecar multicluster mesh.
Observability and insights
Get instant access to L4 and L7 metrics for ambient workloads and visualize them with the Gloo UI. Metrics are automatically collected by the ztunnels and waypoint proxies, and are scraped by the built-in Prometheus server. You can run PromQL queries in Prometheus to analyze the metrics and monitor the traffic in your ambient mesh. For more information, see Explore the UI.
In addition, Solo Enterprise for Istio comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For more information, see Insights.
Image and CNI support
Solo Enterprise for Istio supports Istio service meshes that run either community Istio images or Solo distributions of Istio. The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. The image support timeline is longer than the community Istio support timeline, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. For more about the added benefits of Solo distributions of Istio and to review the available image distributions, see Solo distributions of Istio.
Besides that, you can run Solo Enterprise for Istio in ambient mode on any CNI, such as Cilium, Calico, or cloud provider-specific CNIs.
Supported service mesh modes
Solo Enterprise for Istio supports Istio service meshes that run either in ambient or sidecar mode. Review the following table to help you choose your Istio mode.
| Istio mode | Maturity | Lifecycle options | Solo distributions of Istio? | Feature highlights |
|---|---|---|---|---|
| Ambient | Production | Gloo-managed, manual | Yes (required) | Simplify your service mesh with a sidecarless approach. You get quicker onboarding, easier app lifecycle ops, and simpler network traffic with Layer 4 along with Layer 7. For more information, see About ambient mesh. |
| Sidecar | Production | Gloo-managed, manual | Yes | Deploy your service mesh with the standard sidecar approach. Although this approach is more resource-intensive, you get more observability data because all network traffic stays on Layer 7. To get started, see Deploy sidecar service meshes. |
Next
Ready to move to an ambient mesh? Check out the following guides and resources to get started.
- Quickly install a demo deployment of an ambient mesh with the Gloo Operator.
- If you want to plan a migration from your existing sidecar mesh to an ambient mesh, review the ambient migration guide. This guide uses the Solo.io ambient migration tool to provide a prescriptive migration path based on your existing environment.
- Check out the free Ambient Estimator Tool, which assesses your Istio environment to estimate potential cost savings from migrating from sidecars to a sidecarless mesh architecture.