Envoy (software proxy)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Envoy (software proxy)
Name: Envoy
Developer: Lyft
Released: 2016
Programming language: C++
License: Apache License
Platform: Linux, macOS, FreeBSD, Windows

Envoy is an open-source edge and service proxy originally developed at Lyft and later donated to the Cloud Native Computing Foundation (CNCF). It is designed for cloud-native microservices architectures, providing runtime traffic management, observability, and security for service mesh and edge computing use cases. Envoy serves as a high-performance programmable data plane that integrates with control planes, orchestration systems, and monitoring ecosystems.

Overview

Envoy was introduced by engineers at Lyft to address limitations in legacy reverse proxy and load balancer stacks used at scale. As a project incubated under the Cloud Native Computing Foundation, Envoy competes and interoperates with technologies such as NGINX, HAProxy, Istio, and Linkerd. The project attracted contributions from firms including Google, Amazon Web Services, Microsoft, IBM, and Red Hat, driving adoption in enterprises, startups, and public sector deployments.

Architecture and Components

Envoy's architecture separates the data plane from an optional control plane inspired by patterns used at Google and Facebook. Core components include the listener, filter chain, cluster manager, and upstream host pools; these mirror concepts from NGINX and HAProxy but are implemented for dynamic configuration. Envoy exposes gRPC- and HTTP/REST-based management interfaces compatible with control planes such as Istio, Consul, and Kubernetes-native controllers. The project also defines extension points for custom filters written in C++ or via the Wasm sandbox, enabling integrations with ecosystems like OpenTelemetry, Prometheus, and Zipkin.

Features and Capabilities

Envoy implements advanced features such as HTTP/2 and gRPC proxying, HTTP/3 and QUIC support, TLS termination and mutual TLS, circuit breaking, retries, timeouts, rate limiting, and circuit-aware load balancing algorithms found in systems like Maglev and Ring Hashing. Observability features include distributed tracing headers compatible with OpenTracing and OpenTelemetry, and metrics compatible with Prometheus and StatsD. Envoy provides traffic shadowing, fault injection, and canary deployments similar to practices used at Amazon and Netflix for progressive delivery.

Deployment and Integrations

Envoy is deployed in multiple topologies: as an edge proxy replacing traditional reverse proxy endpoints, as a sidecar proxy in service mesh patterns with platforms like Kubernetes and Nomad, and as a gateway for API management solutions. Integrations exist with control planes such as Istio, Consul Connect, Kong, and Gloo, and orchestration platforms including Kubernetes, Docker Swarm, and Mesos. Cloud providers and vendors—AWS, Azure, Google Cloud Platform, IBM Cloud—offer managed services or integrations that leverage Envoy for traffic management and observability.

Configuration and APIs

Envoy supports static and dynamic configuration via xDS APIs (Listener Discovery Service, Route Discovery Service, Cluster Discovery Service, Endpoint Discovery Service) modeled after gRPC and defined in protocol buffers. Management servers implement xDS to push configuration changes; notable control planes include Istio's Pilot, Contour, and control-plane implementations from Solo.io. Envoy also exposes administrative APIs and statistics endpoints for runtime inspection and hot restart capabilities; these align with observability practices used by projects such as Prometheus and tracing systems like Jaeger.

Performance and Scalability

Design choices in Envoy emphasize low-latency I/O, event-driven processing, and efficient memory use akin to optimizations in NGINX and HAProxy. Benchmarks and production reports from organizations like Lyft and Pinterest highlight Envoy's ability to handle large connection counts and high request rates with predictable tail latency. Horizontal scaling is achieved by deploying multiple Envoy instances per host or pod; advanced load balancing strategies and locality-aware routing reduce cross-zone traffic analogous to techniques used by Google's global load balancers.

Security and Observability

Envoy implements TLS termination, mutual TLS, and certificate management integrations with systems such as cert-manager, SPIFFE, and Vault for secrets management. Security features include RBAC filters, JWT authentication, and integration points for external authorization services similar to OAuth and OpenID Connect providers. Observability is provided via rich metrics, access logs, and distributed tracing headers compatible with OpenTelemetry, Jaeger, and Zipkin, enabling correlation with logs and events in platforms such as Elasticsearch/Kibana and Grafana. The project follows security practices and has a community-driven vulnerability disclosure process aligned with organizations like CNCF.
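
An added example (not from this article or the Envoy project) of auditing a parsed Envoy bootstrap for the settings named in this section and in "Configuration and APIs": it flags an administrative interface bound to a non-loopback address and static listeners that lack downstream TLS or do not set `require_client_certificate`. The field names follow Envoy's v3 configuration; the listener names and sample config are constructed, and listeners delivered dynamically over xDS are not visible to this check.

```python
import ipaddress

TLS_TYPE = ("type.googleapis.com/envoy.extensions.transport_sockets"
            ".tls.v3.DownstreamTlsContext")

def _tls(require_client_cert):
    # Constructed helper: a downstream TLS transport socket as it appears in a parsed config.
    return {"name": "envoy.transport_sockets.tls",
            "typed_config": {"@type": TLS_TYPE,
                             "require_client_certificate": require_client_cert}}

# Constructed sample bootstrap (already parsed from YAML/JSON); not a real deployment.
SAMPLE = {
    "admin": {"address": {"socket_address": {"address": "0.0.0.0", "port_value": 9901}}},
    "static_resources": {"listeners": [
        {"name": "edge", "filter_chains": [{"transport_socket": _tls(False)}]},
        {"name": "mesh_inbound", "filter_chains": [{"transport_socket": _tls(True)}]},
        {"name": "legacy", "filter_chains": [{}]},
    ]},
}

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or empty string: not provably loopback

def audit_bootstrap(cfg):
    """Return (location, finding) pairs for the admin endpoint and static listeners."""
    findings = []
    admin = cfg.get("admin", {}).get("address", {}).get("socket_address")
    if admin and not is_loopback(admin.get("address", "")):
        findings.append(("admin", f"admin interface listens on {admin.get('address')}"))
    for lst in cfg.get("static_resources", {}).get("listeners", []):
        for i, chain in enumerate(lst.get("filter_chains", [])):
            where = f"{lst.get('name', '?')}/filter_chain[{i}]"
            tc = chain.get("transport_socket", {}).get("typed_config", {})
            if tc.get("@type") != TLS_TYPE:
                findings.append((where, "no downstream TLS (plaintext)"))
            elif not tc.get("require_client_certificate", False):
                findings.append((where, "TLS without required client certificate"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_bootstrap(SAMPLE):
        print(f"{where}: {finding}")
```

A public edge listener without client certificates can be intentional; the finding is a prompt to confirm that, while an admin interface reachable off-host warrants a fix.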
