Skip to content

Envoy Proxy — Complete Modern Service Mesh Guide

DodaTech Updated 2026-06-28 2 min read

In this tutorial, you will learn about Envoy Proxy. We cover key concepts, practical examples, and best practices to help you master this topic.

Envoy Proxy is a high-performance, open-source edge and service proxy designed for cloud-native applications. It is the data plane for popular service meshes like Istio and Consul Connect.

What You'll Learn

You'll learn Envoy's architecture, configuration, and how it differs from traditional API gateways.

Why It Matters

Envoy powers the world's largest service meshes at Google, Lyft, Netflix, and Airbnb. Its advanced features include HTTP/2, gRPC, Websocket, distributed tracing, and hot reload.

Real-World Use

A large microservice deployment uses Istio with Envoy sidecars. Every service instance has an Envoy proxy that handles traffic routing, retries, circuit breaking, and telemetry without code changes to the services.

Implementation

# Envoy configuration (envoy.yaml)
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/api/users"
                          route:
                            cluster: user_service
                        - match:
                            prefix: "/api/orders"
                          route:
                            cluster: order_service
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
    - name: user_service
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: user_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: user-service
                      port_value: 3000
    - name: order_service
      type: STRICT_DNS
      lb_policy: LEAST_REQUEST
      load_assignment:
        cluster_name: order_service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: order-service
                      port_value: 3001

Envoy vs Traditional Gateways

Feature Envoy Traditional (NGINX/Kong)
Configuration Dynamic via xDS API Static files
Protocol support HTTP/1.1, HTTP/2, gRPC, WebSocket, TCP HTTP/1.1, HTTP/2, WebSocket
Service mesh Designed for sidecar deployment Edge proxy primarily
Extensibility WASM, Lua filters Plugins (Lua for Kong)
Observability Built-in tracing, stats, logging Plugin-based

Common Mistakes

| Mistake | Fix | |---------|-----| | No resource limits | Envoy sidecars consume memory per connection | Set per-connection buffer limits | | Using Envoy without service mesh | Overkill for simple gateway use cases | Use NGINX or Kong for basic gateway needs | | Not configuring circuit breakers | Cascading failures | Set circuit breaker thresholds per cluster | | Ignoring access logs | No visibility into traffic | Enable JSON access logs | | No health checking | Traffic to unhealthy endpoints | Configure active health checks |

What's Next

Learn about WebSocket support in API gateways.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro