Envoy Proxy — Complete Modern Service Mesh Guide
In this tutorial, you will learn about Envoy Proxy. We cover key concepts, practical examples, and best practices to help you master this topic.
Envoy Proxy is a high-performance, open-source edge and service proxy designed for cloud-native applications. It is the data plane for popular service meshes like Istio and Consul Connect.
What You'll Learn
You'll learn Envoy's architecture, configuration, and how it differs from traditional API gateways.
Why It Matters
Envoy powers the world's largest service meshes at Google, Lyft, Netflix, and Airbnb. Its advanced features include HTTP/2, gRPC, WebSocket, distributed tracing, and hot reload.
Real-World Use
A large microservice deployment uses Istio with Envoy sidecars. Every service instance has an Envoy proxy that handles traffic routing, retries, circuit breaking, and telemetry without code changes to the services.
Implementation
```yaml
# Envoy configuration (envoy.yaml)
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        # Binds to all interfaces on plaintext HTTP; no TLS transport_socket is configured here.
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              # "prefix" is a plain string prefix match: "/api/users" also matches "/api/users-internal".
              - match:
                  prefix: "/api/users"
                route:
                  cluster: user_service
              - match:
                  prefix: "/api/orders"
                route:
                  cluster: order_service
          http_filters:
          # The router filter must be the last HTTP filter in the chain.
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: user_service
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: user_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: user-service
                port_value: 3000
  - name: order_service
    type: STRICT_DNS
    lb_policy: LEAST_REQUEST
    load_assignment:
      cluster_name: order_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: order-service
                port_value: 3001
```
Envoy vs Traditional Gateways
| Feature | Envoy | Traditional (NGINX/Kong) |
|---|---|---|
| Configuration | Dynamic via xDS API | Static files |
| Protocol support | HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP | HTTP/1.1, HTTP/2, WebSocket |
| Service mesh | Designed for sidecar deployment | Edge proxy primarily |
| Extensibility | WASM, Lua filters | Plugins (Lua for Kong) |
| Observability | Built-in tracing, stats, logging | Plugin-based |
Common Mistakes
| Mistake | Problem | Fix |
|---|---|---|
| No resource limits | Envoy sidecars consume memory per connection | Set per-connection buffer limits |
| Using Envoy without service mesh | Overkill for simple gateway use cases | Use NGINX or Kong for basic gateway needs |
| Not configuring circuit breakers | Cascading failures | Set circuit breaker thresholds per cluster |
| Ignoring access logs | No visibility into traffic | Enable JSON access logs |
| No health checking | Traffic to unhealthy endpoints | Configure active health checks |
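The fixes from the table, written as Envoy v3 configuration fragments for the `user_service` cluster and the HTTP connection manager from the Implementation section. This is an added example, not part of the original configuration; the threshold values and the `/healthz` path are assumptions to tune for your own services.

```yaml
# Fragment 1: goes under the HttpConnectionManager typed_config, next to stat_prefix.
# Emits one JSON object per request to stdout.
access_log:
- name: envoy.access_loggers.stdout
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
    log_format:
      json_format:
        start_time: "%START_TIME%"
        method: "%REQ(:METHOD)%"
        path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
        response_code: "%RESPONSE_CODE%"
        # UO = circuit breaker overflow, UH = no healthy upstream host
        response_flags: "%RESPONSE_FLAGS%"
        upstream_host: "%UPSTREAM_HOST%"
---
# Fragment 2: replaces the user_service entry under static_resources.clusters.
- name: user_service
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  # Caps buffered bytes per upstream connection (listeners accept the same field).
  per_connection_buffer_limit_bytes: 32768
  circuit_breakers:
    thresholds:
    - priority: DEFAULT
      max_connections: 100        # illustrative values, not recommendations
      max_pending_requests: 50
      max_requests: 200
      max_retries: 3
  health_checks:
  - timeout: 1s
    interval: 5s
    unhealthy_threshold: 3        # consecutive failures before ejection
    healthy_threshold: 2          # consecutive successes before re-admission
    http_health_check:
      path: /healthz              # assumed endpoint; the service must implement it
  load_assignment:
    cluster_name: user_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: user-service
              port_value: 3000
```

With the access log enabled, the `response_flags` field shows when a request was rejected by a circuit breaker or had no healthy endpoint to go to.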
What's Next
Learn about WebSocket support in API gateways.