Envoy Proxy Reference
Free reference guide: Envoy Proxy Reference
About Envoy Proxy Reference
The Envoy Proxy Reference is a searchable cheat sheet covering the core configuration concepts of Envoy, the high-performance L7 proxy used in modern microservice architectures. It covers listeners (TLS termination, LDS), clusters (load balancing policies, health checks, circuit breakers, outlier detection), routes (path/header matching, weighted routing, retry policies), HTTP filters (connection manager, CORS, JWT auth, Lua, ext_authz, rate limiting), service mesh integration with Istio (sidecar proxy, mTLS, VirtualService, DestinationRule), and configuration management (static, xDS dynamic, access logging, admin interface).
Built for DevOps engineers, platform engineers, SREs, and backend developers working with Kubernetes, Istio, or standalone Envoy deployments, this reference provides ready-to-use YAML configuration snippets organized into six categories. Each entry includes complete, copy-pastable configuration examples.
All content is rendered locally in your browser with no server-side processing. The interface supports dark mode and works seamlessly on desktop, tablet, and mobile devices.
Key Features
- Listener configuration reference with TLS termination, listener filters, multiple ports, and LDS dynamic discovery
- Cluster reference covering ROUND_ROBIN/LEAST_REQUEST load balancing, health checks, circuit breakers, and outlier detection
- Route configuration with prefix/path/regex matching, header-based routing, weighted traffic splitting, and retry policies
- HTTP filter reference for connection manager, CORS, JWT authentication, Lua scripting, external authorization, and rate limiting
- Istio service mesh integration with sidecar proxy, mTLS PeerAuthentication, VirtualService, and DestinationRule examples
- Static and dynamic (xDS) configuration management with access logging and admin interface endpoint reference
- Complete YAML configuration snippets ready to copy and adapt for production deployments
- Six organized categories: Listener, Cluster, Route, Filter, Service Mesh, and Configuration
Frequently Asked Questions
What is Envoy Proxy and why is it used?
Envoy is a high-performance, open-source L7 proxy designed for cloud-native applications. It provides advanced load balancing, service discovery, TLS termination, HTTP/2 and gRPC support, circuit breaking, health checking, and observability. Envoy is the default data-plane proxy in Istio service mesh and is widely used in Kubernetes environments for traffic management, security, and observability.
How do Envoy listeners and clusters work together?
Listeners accept incoming network connections on specified addresses and ports, then apply filter chains to process traffic. The HTTP connection manager filter routes requests to clusters based on route configuration rules. Clusters define upstream service endpoints with load balancing policies, health checks, and circuit breakers. Together, they form the request flow: listener receives traffic, filters process it, routes match it, and clusters forward it to backend services.
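The request flow just described, as an added static bootstrap (a constructed example, not a snippet from the reference itself): a listener hands connections to the HTTP connection manager, whose route table sends `/api/` traffic to one cluster. Hostnames and ports are placeholders; the admin endpoint is deliberately bound to loopback.

```yaml
# Constructed example. Admin stays on 127.0.0.1: it can dump config, drain listeners
# and change log levels, so it must never be reachable from the listener's network.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }
static_resources:
  listeners:
  - name: ingress_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # 1. listener accepts the TCP connection
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager        # 2. network filter parses HTTP
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/api/" }                         # 3. route match; anything else gets 404
                route: { cluster: backend_service }                #    ...and names the upstream cluster
          http_filters:
          - name: envoy.filters.http.router                        # router must be the last HTTP filter
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_service                                          # 4. cluster forwards to its endpoints
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    connect_timeout: 1s
    load_assignment:
      cluster_name: backend_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 8000 }
```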
What load balancing policies does Envoy support?
Envoy supports ROUND_ROBIN (default, equal distribution), LEAST_REQUEST (routes to the endpoint with fewest active requests), RING_HASH (consistent hashing for session affinity), RANDOM (random endpoint selection), and MAGLEV (consistent hashing with better distribution). Each policy can be configured per cluster, and LEAST_REQUEST supports a configurable choice_count for the power-of-two-choices algorithm.
How does circuit breaking work in Envoy?
Envoy circuit breakers protect upstream services from being overwhelmed. You can configure thresholds per priority level: max_connections (limits concurrent TCP connections), max_pending_requests (limits queued requests), max_requests (limits concurrent HTTP requests), and max_retries (limits concurrent retry attempts). When a threshold is exceeded, Envoy short-circuits the request and returns an error, allowing the upstream service to recover.
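One cluster definition that covers both the load-balancing and the circuit-breaking questions above, as an added example (constructed here, not taken from the reference): LEAST_REQUEST with an explicit `choice_count`, thresholds for the DEFAULT and HIGH priority levels, and outlier detection so hosts that keep failing are ejected rather than kept in rotation. Hostname, port and threshold values are placeholders to adapt.

```yaml
# Constructed example cluster; tune the numbers to the upstream's real capacity.
clusters:
- name: backend_service
  type: STRICT_DNS
  connect_timeout: 1s
  lb_policy: LEAST_REQUEST
  least_request_lb_config:
    choice_count: 3            # sample 3 hosts per pick instead of the default 2 (P2C)
  circuit_breakers:
    thresholds:
    - priority: DEFAULT        # applies to routes without priority set
      max_connections: 1024    # concurrent TCP connections to the cluster
      max_pending_requests: 256  # requests waiting for a connection; overflow -> 503 immediately
      max_requests: 1024       # concurrent in-flight HTTP requests (matters for HTTP/2)
      max_retries: 3           # concurrent retries, so a retry storm cannot amplify an outage
    - priority: HIGH           # separate budget for routes marked priority: HIGH
      max_connections: 2048
      max_pending_requests: 512
      max_requests: 2048
      max_retries: 3
  outlier_detection:
    consecutive_5xx: 5         # eject a host after 5 consecutive 5xx responses
    interval: 10s
    base_ejection_time: 30s
    max_ejection_percent: 50   # never eject more than half the pool at once
  load_assignment:
    cluster_name: backend_service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: backend.internal, port_value: 8000 }
```

When a threshold trips, Envoy answers 503 with the `UO` (upstream overflow) response flag in the access log and increments the cluster's `upstream_cx_overflow`, `upstream_rq_pending_overflow` or `upstream_rq_retry_overflow` counters, which are the stats to alert on.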
How do I configure Envoy with Istio for mTLS?
In Istio, enable mTLS by creating a PeerAuthentication resource. Set mode to STRICT for enforced mTLS (all traffic must be encrypted), PERMISSIVE to accept both plaintext and mTLS (useful during migration), or DISABLE to turn it off. The Envoy sidecar automatically handles certificate management via Istio Citadel. Apply per-namespace or mesh-wide. Use DestinationRule to configure traffic policies for specific services.
What is xDS and how does dynamic configuration work?
xDS is Envoy's set of discovery service APIs: LDS (Listener Discovery), CDS (Cluster Discovery), RDS (Route Discovery), EDS (Endpoint Discovery), and SDS (Secret Discovery). Instead of static YAML files, a control plane (like Istio pilot) dynamically pushes configuration to Envoy via gRPC. This enables real-time updates to routing rules, service endpoints, and TLS certificates without restarting Envoy.
How do I set up JWT authentication with Envoy?
Configure the envoy.filters.http.jwt_authn filter with a provider that specifies the issuer URL and JWKS (JSON Web Key Set) endpoint. Envoy fetches the public keys from the remote JWKS URI and validates JWT tokens in incoming requests. You can configure which routes require authentication and specify how the token is extracted from headers or query parameters.
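The filter described above, as an added example (constructed, not from the reference): one provider with a remote JWKS, a rule that leaves the health probe unauthenticated and a catch-all rule that requires a valid token, plus the TLS-enabled cluster the JWKS fetch goes through. Issuer, audience, URL and CA path are placeholders.

```yaml
# Constructed example; the issuer, audience, JWKS URL and CA path are placeholders.
# Fragment 1: goes under http_filters of the HTTP connection manager, before the router.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_idp:
        issuer: https://idp.example.com/
        audiences: [api.example.com]      # reject tokens the same IdP minted for other services
        from_headers:
        - name: Authorization
          value_prefix: "Bearer "
        remote_jwks:
          http_uri:
            uri: https://idp.example.com/.well-known/jwks.json
            cluster: idp_jwks
            timeout: 5s
          cache_duration: 600s            # keys are cached, so an IdP outage does not fail auth immediately
    rules:                                # first matching rule wins
    - match: { prefix: "/healthz" }       # no `requires`: the probe stays unauthenticated
    - match: { prefix: "/" }
      requires: { provider_name: example_idp }
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
# Fragment 2: goes under static_resources.clusters. Without validation_context Envoy accepts
# any server certificate, and whoever can impersonate the IdP would then supply the signing keys.
clusters:
- name: idp_jwks
  type: STRICT_DNS
  connect_timeout: 2s
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: idp.example.com
      common_tls_context:
        validation_context:
          trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
  load_assignment:
    cluster_name: idp_jwks
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: idp.example.com, port_value: 443 }
```

Requests without a token or with a failed signature, issuer or audience check are rejected with 401 before they reach the router, so the upstream never sees them.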
What is weighted routing and how is it used for canary deployments?
Weighted routing in Envoy distributes traffic across multiple clusters based on configured weights. For canary deployments, you can route 90% of traffic to service_v1 and 10% to service_v2 using weighted_clusters in the route configuration. Gradually increase the v2 weight as confidence grows. In Istio, this is configured via VirtualService with destination weights per subset defined in DestinationRule.
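The Istio side of both the mTLS question and the canary question above, as one added example (constructed, not from the reference): a mesh-wide STRICT PeerAuthentication, a DestinationRule that keeps mTLS on and defines the v1/v2 subsets, and a VirtualService that sends 90% of traffic to v1 and 10% to v2. Namespace, service name and labels are placeholders.

```yaml
# Constructed example. Placing the PeerAuthentication in the root namespace makes it mesh-wide;
# the same resource in an application namespace would apply only there.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT            # plaintext connections to sidecars are refused
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: service
  namespace: prod
spec:
  host: service.prod.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL    # a DestinationRule with mode DISABLE here would break against STRICT
  subsets:
  - name: v1
    labels: { version: v1 }   # pod labels select the subset's endpoints
  - name: v2
    labels: { version: v2 }
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: service
  namespace: prod
spec:
  hosts:
  - service.prod.svc.cluster.local
  http:
  - route:
    - destination:
        host: service.prod.svc.cluster.local
        subset: v1
      weight: 90
    - destination:
        host: service.prod.svc.cluster.local
        subset: v2
      weight: 10            # raise this step by step as the canary proves itself
```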