Generated by GPT-5-mini

| Envoy | |
|---|---|
| Name | Envoy |
| Author | Matt Klein |
| Developer | Cloud Native Computing Foundation |
| Initial release | 2016 |
| Written in | C++ |
| License | Apache License 2.0 |
| Website | envoyproxy.io |
Envoy is an open-source edge and service proxy designed for cloud-native applications, service mesh architectures, and modern microservices. It was created to provide observability, reliability, and advanced traffic management between services in distributed systems and has been widely adopted by companies and projects across the technology industry. Envoy integrates with a range of platforms and tools and operates as a high-performance, programmable data plane component in environments ranging from single-host sidecars to global load-balancing clusters.
Envoy originated as an internal project at a major technology company to address the needs of complex Google-scale distributed systems and was open-sourced to the community. It joined the Cloud Native Computing Foundation ecosystem and became a foundation for service mesh projects such as Istio, Consul Connect, and Linkerd integrations. Envoy’s design emphasizes observability compatible with systems like Prometheus, Grafana, and Jaeger, and supports protocol-specific integrations with HTTP/2, gRPC, and TLS ecosystems. The project attracts contributors from organizations including Lyft, IBM, Red Hat, AWS, and Microsoft.
Envoy implements a modular, layered architecture separating control plane and data plane responsibilities similar to architectures used by Kubernetes-oriented service meshes and ingress controllers such as NGINX and HAProxy. The data plane runs Envoy proxies, often deployed as sidecars in Kubernetes pods or as edge gateways in Amazon Web Services or Google Cloud Platform environments. Envoy’s control plane APIs enable dynamic configuration through xDS APIs and integrate with systems like Istio Control Plane, Consul, and custom management planes. Key architectural components include listener filters, network filters, cluster management, and connection pools, working together with runtime and statistics backends used by Prometheus and OpenTelemetry collectors.
Envoy provides features for advanced traffic control including load balancing strategies (round-robin, least-request, ring hash), health checking, circuit breaking, retry and timeout policies, and observability hooks used by Zipkin and Jaeger. Core components include listeners, clusters, routes, and filters; listeners accept inbound connections, clusters define upstream endpoints often registered by Service Discovery systems like Consul or Eureka, routes map requests to clusters, and filters perform protocol-specific processing such as HTTP routing, TCP tunneling, and WebSocket handling. Envoy supports extension mechanisms via filters and Lua or WebAssembly (Wasm) plugins, enabling integration with identity systems such as SPIFFE and SPIRE, authentication platforms like OAuth 2.0 providers, and certificate management services like HashiCorp Vault.
Envoy is deployed in varied topologies: as sidecar proxies in Kubernetes service meshes, as edge proxies handling ingress traffic for Istio and Ambassador API Gateway, as standalone reverse proxies in VMware or bare-metal datacenters, and as global proxies for multi-region traffic management with providers such as Cloudflare and Akamai. Typical use cases include API gateway functionality for platforms built on Spring Boot or Node.js, traffic shaping and canary deployments for continuous delivery pipelines integrated with Jenkins or Spinnaker, and observability for legacy monolith-to-microservices migrations monitored with Datadog or New Relic.
Envoy emphasizes low-latency, high-throughput proxying using an event-driven, non-blocking model inspired by architectures in projects like NGINX and HAProxy. It uses connection pooling, HTTP/2 multiplexing, and efficient memory-handling strategies in C++ to scale to large numbers of concurrent connections typical in platforms operated by Netflix and Facebook. Dynamic configuration via xDS allows large fleets to update routing and cluster membership without restarts, which supports rolling upgrades in orchestration systems such as Kubernetes and Nomad. Benchmarking and capacity planning frequently involve load generators and observability stacks like wrk, Fortio, and Prometheus to validate throughput and tail-latency targets under production workloads.
Envoy provides TLS termination, mutual TLS (mTLS) support, certificate rotation, and role-based access controls when integrated with control planes such as Istio and identity systems like SPIFFE. The proxy enforces authentication and authorization policies through HTTP filters and integrates with external policy engines like Open Policy Agent and LDAP-backed identity stores. Envoy’s observability features aid in incident response workflows used by teams running on PagerDuty and Splunk, while its binary and configuration releases adhere to secure development practices promoted by organizations including CNCF and OWASP.
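The following static v3 bootstrap is an added example, not taken from the original page or from the Envoy project. It shows how the listener, network filter, route and cluster components described above fit together, with mutual TLS enforced on the listener; the file paths, hostnames, resource names and SPIFFE ID are placeholders chosen for illustration.

```yaml
# Added example; every path, name, host and SPIFFE ID below is a placeholder.
static_resources:
  listeners:
  - name: ingress_mtls                      # listener: accepts inbound connections
    address: { socket_address: { address: 0.0.0.0, port_value: 8443 } }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # If omitted (default false) the client certificate is optional: TLS, not mTLS.
          require_client_certificate: true
          common_tls_context:
            tls_params: { tls_minimum_protocol_version: TLSv1_2 }
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }
              private_key: { filename: /etc/envoy/certs/server.key }
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/ca.crt }
              # Pin the expected peer identity instead of accepting any cert from this CA.
              match_typed_subject_alt_names:
              - san_type: URI
                matcher: { exact: "spiffe://example.org/ns/default/sa/frontend" }
      filters:
      - name: envoy.filters.network.http_connection_manager   # network filter
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_service }            # route maps request to cluster
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_service                   # cluster: defines upstream endpoints
    type: STRICT_DNS
    connect_timeout: 1s
    lb_policy: LEAST_REQUEST
    load_assignment:
      cluster_name: backend_service
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: backend.internal, port_value: 8080 } } }
```

The two settings to review in an existing deployment are `require_client_certificate` and the SAN matcher: a `validation_context` with only `trusted_ca` authenticates any workload holding a certificate from that CA.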
Envoy is developed by a community of engineers from companies such as Lyft, Google, Amazon, Microsoft, IBM, and Red Hat, and is governed under the auspices of the Cloud Native Computing Foundation. The project accepts contributions via platforms like GitHub and maintains active SIGs and working groups collaborating on features such as Wasm filters, xDS protocol enhancements, and improved observability integrations with OpenTelemetry. Ecosystem projects include management servers, SDKs, and control plane implementations maintained by Tetrate, Solo.io, and HashiCorp, and educational resources are available through vendor documentation, community meetups, and conferences like KubeCon and CloudNativeCon.