Gloo Edge 2.0: A Fully Istio-Integrated API Gateway for Multiple Clusters
Version 2.0 of Solo.io’s Gloo Edge will integrate the Istio service mesh to such an extent that both Gloo Edge, an ingress controller, and the open source Istio service mesh will form a single control plane, Solo.io said this week during its SoloCon 2021 virtual conference, ahead of Gloo Edge 2.0’s beta release, due by the end of June.
As a fully Istio-integrated API gateway, Gloo Edge 2.0 extends its microservices management capabilities across multiple Kubernetes clusters and application connections, so that Istio can now be configured automatically by Gloo Edge through its API. Among the benefits, organizations do not have to add and configure Istio separately for different Kubernetes clusters, as the process is automated with Gloo Mesh.
Lowering Istio’s “intimidation factor” is critical in order for DevOps teams to “start truly benefitting from service mesh,” Torsten Volk, an analyst for Enterprise Management Associates (EMA), said.
“Most organizations have regarded Istio as something to ‘attack once it’s become more approachable and easier to manage,’” Volk said. “These Solo.io announcements might ring in this new age of ‘service mesh for everyone.’”
In a demo talk “Extending Istio and Gloo Mesh with Web Assembly” during SoloCon 2021, Solo.io software engineer Shane O’Donnell described a Gloo Edge 2.0 deployment scenario. Gloo Edge can be used as the API gateway that manages the north-south traffic in and out of the cluster. At the same time, within the cluster, an Istio control plane can manage the service mesh for the east-west traffic.
“When we look at the feature sets of both Gloo Edge and Istio, we’ll see there’s a lot of overlap here: they both discover services and upstreams to send traffic to and they both configure Envoy proxies,” O’Donnell said. “Where they differ is that Gloo Edge provides some edge features and Istio provides some east-west features, but is that really enough to justify having two control planes? We don’t think so.”
Since Gloo Edge and Istio now form a single control plane, Gloo Edge 2.0 offers all discovery capabilities, Envoy configuration, edge traffic and east-west traffic in one place, O’Donnell said. “It’s much easier to manage, especially as you start scaling your environments.”
To extend Gloo Edge 2.0’s edge and Istio control plane capabilities, Gloo Mesh allows for the management of multiple clusters for when “we go up to 50 clusters and suddenly there are 50 things to manage.”
“Gloo Mesh helps you manage configurations across all of your clusters in a multi-mesh and multi-cluster environment,” O’Donnell said. This is done through the Gloo Edge unified API for configuration at the top of the Gloo Mesh management plane so that the configuration is propagated to the control planes in each cluster.
“Finally, those control planes will translate and apply that configuration to your Envoy proxies, regardless of whether their Envoy proxy sidecar is running in Istio in your service mesh, or if they’re an Edge API gateway or an ingress running at the edge of your cluster.”
In a nutshell, Gloo Edge 2.0 now “sits on top of this newly supercharged Istio environment, which itself is sitting on top of Envoy,” O’Donnell said. “So, you’re getting a lot of power from all of those low-level tiers, but you only have to deal with the high-level config that goes into the management plane.”
Security-management features for Gloo Edge 2.0 include:
- Web application firewall (WAF) protection and data loss prevention (DLP).
- Response and request transformation.
- Rate limiting.
- “Out-of-the-box” pluggable external authentication, including OIDC, OPA, Active Directory or other options.
- Support for WebAssembly (WASM) modules.