Achieve Compliance, Zero Trust with Istio Ambient Mesh


Envoy Proxy: Fundamentals and Deep Dive of the Cloud-Native Proxy

August 10, 2020

Envoy Proxy is an open source edge and service proxy (L4/L7), designed for cloud-native applications. Developed internally at Lyft and later open sourced and donated to the Cloud Native Computing Foundation, Envoy is a high performance proxy and data plane for modern edge/API gateways and service meshes. Envoy is similar to proxies like NGINX and HAProxy, but created out of the need to handle service communication for distributed environments.

This article contains a video series to demonstrate the functionality of Envoy and provide links to more resources

Definitions of key terms related to Envoy:

  • Proxy – A server that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. As a proxy, Envoy abstracts the network from the business logic and runs alongside every application to facilitate and shape application traffic, provide observability, tune performance, and provide a common set of features to the environment. The proxy can be run at the edge to facilitate traffic into the cluster (ingress/edge) or as a sidecar to each application in a service mesh.
  • Edge/API Gateway – A system to that receives API requests, performs traffic routing and management to the backend services and returns a response to the client / end user requester. Envoy is the data plane for Edge/API gateways where any number of proxies can be deployed at the edge to facilitate the traffic coming into the cluster from external clients and end users. A control plane is required to manage and enforce configuration of the proxies and capture metrics back for observability.
  • Service Mesh – Is a technology where an Envoy proxy is deployed as a sidecar proxy alongside each application service in a cluster. This is often referred to as east/west traffic. In a service mesh, the networking code is abstracted away from the application code and handled in the mesh of proxies. A control plane is required to manage the proxy configuration and traffic policies.


Video series of demos

This educational video series uses live demonstrations of example scenarios to explain the architecture and functionality of Envoy Proxy, through the following episodes:

  • Envoy Architectural Overview and Fundamentals
  • Observing Envoy: Monitoring Metrics and Logs, Proxy Performance, and Troubleshooting
  • Securing Envoy: Understanding Available Security Configurations and Best Practices
  • xDS Dynamic Configuration and Control Plane Interactions with Envoy Proxy Data Plane
  • Envoy Filters: What are They and How They Work, Understanding the Filter Chain, and Lots of Examples
  • Advanced Envoy Filtering and Build Your Own Filters with WebAssembly


Architectural Overview and Fundamentals
This video covers the core concepts of Envoy including Listener, Cluster, Endpoint/Cluster member/cluster Load Assignment, Routes, Filters, and an overview of how they work in the data flow and routing decisions. Example configurations for the demos are here.


This video covers the various types of data (metrics, logs) available from Envoy to understand the state of the proxies, how to configure Envoy to expose the data, how to use this data to debug issues, and how to performance tune the environment. Learn more about Envoy observability, here.


Understand the security functionality available in Envoy, how to configure them, and best practices. Learn more about the security architecture in the Envoy docs and download this white paper on how uses Envoy to enable zero trust networks for your applications.


xDS Dynamic Configuration
In this episode we explain the Envoy xDS API, how that allows for dynamic configuration of the data plane and its respective interaction with the control plane. Visit the Envoy docs to learn more about xDS.


Envoy Filter Basics
Customizing the behavior of Envoy Proxy is done with filters and there are a number of filters available out of the box. This episode will cover how filters work to customize the behavior of the proxy, the filter chain that a request will pass through and how the control plane configures and manages them.


Advanced Filters Building with WebAssembly
Building custom filters is also an option for further extending Envoy beyond the functionality already available upstream. Recently, an effort was started to integrate support for WebAssembly in Envoy which will allow developers to write custom filters in any language in addition to Envoy’s native C++.  This episode covers to build custom filters with WebAssembly and tools available for the developer to ops workflow including wasme CLI and WebAssembly Hub.


Questions? Start a discussion on slack or request a meeting. Subscribe to our Youtube channel to get the latest videos.

More Resources

Get more information about Envoy Proxy project, solutions built using Envoy, and more.