Envoy Proxy is a high-performance C++ L7 proxy and communication bus designed as a “universal data plane” for modern cloud-native applications.
Key Positioning
CNCF Graduated Project (hosted by Cloud Native Computing Foundation)
Universal proxy for edge, service mesh, and API gateway use cases
L7 proxy with advanced HTTP/1.1, HTTP/2, and HTTP/3 support
Philosophy: “The network should be transparent to applications”
Origins and Evolution
Created at Lyft to solve complex networking challenges
Open-sourced in 2016, CNCF graduated in 2018
Foundation for service mesh projects (Istio, Consul Connect)
Industry standard for high-performance proxy infrastructure
Key Features of Envoy Proxy
Protocol Support
HTTP/3 and QUIC (GA since v1.22)
HTTP/2 and HTTP/1.1 with automatic negotiation
gRPC with advanced routing and load balancing
WebSocket proxying and upgrades
MongoDB and DynamoDB wire-level observability
Security Features
OAuth2 and JWT validation
OIDC integration for authentication
mTLS with certificate management
Rate limiting and DDoS protection
Web Application Firewall capabilities
Advanced Capabilities
Circuit breaking and outlier detection
Health checking with custom logic
Distributed tracing integration
Dynamic configuration via xDS APIs
L3/L4 and L7 filtering architecture
Running Envoy Proxy in Docker
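```bash
# Pull a specific Envoy version (recommended for production):
docker pull envoyproxy/envoy:v1.35.0
```

```dockerfile
# Dockerfile: add a custom `envoy.yaml` configuration file to the image.
FROM envoyproxy/envoy:v1.35.0
COPY envoy.yaml /etc/envoy/envoy.yaml
# Make the config readable by the non-root user the container runs as.
RUN chmod go+r /etc/envoy/envoy.yaml
```

```bash
# Build the Docker image:
docker build -t envoy:v1 .

# Run with security best practices: read-only root filesystem, non-root user.
# 9901 is published on host loopback only, assuming it is the admin listener
# (as in Envoy's example configs); the admin API is unauthenticated.
docker run -d --name envoy \
  -p 127.0.0.1:9901:9901 -p 10000:10000 \
  --read-only --user 1000:1000 \
  envoy:v1
```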
Use Cases of Envoy Proxy
Core Infrastructure Patterns
API Gateway: Rate limiting, authentication, routing
Load Balancer: Advanced algorithms, health checking
Ingress/Egress Proxy: Traffic management at network boundaries
Service Mesh: Inter-service communication (Istio, Consul Connect)
Security Gateway
OAuth2/OIDC authentication enforcement
JWT validation and token forwarding
mTLS termination and certificate management
DDoS protection and rate limiting
Modern Application Patterns
Canary deployments with traffic splitting
Blue-green deployments with instant switching
Protocol translation (HTTP/1.1 ↔ HTTP/2 ↔ HTTP/3)
WebSocket and real-time application support
Observability and Monitoring
Distributed tracing with Zipkin/Jaeger integration
Metrics collection for Prometheus/Grafana
Access logging with structured formats
Health checking with custom endpoints
Advanced Edge Proxy Demo with Docker
In this demo, we’ll set up Envoy as an edge proxy using Docker. We’ll configure Envoy to handle traffic for a local web service, showcasing load balancing and advanced routing.
- Create a simple web service (Node.js/Go/Python).
- Containerize the web service using Docker.
- Pull the official Envoy Docker image.
- Create a Dockerfile with a custom `envoy.yaml` configuration file.
- Build the Envoy Docker image.
- Run the Docker containers for both the web service and Envoy.
- Test the setup by sending requests to the web service via the Envoy proxy.
- Observe load balancing and routing in action.
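A minimal `envoy.yaml` for the demo steps above, as an added example that is not part of the original slides. The upstream container names `web1` and `web2`, their port 8080, and the `/` health-check path are assumptions; ports 9901 and 10000 match the `docker run` command shown earlier.

```yaml
# Added example: static edge-proxy config for the demo (not from the original deck).
# Assumed: two web-service containers, "web1" and "web2", on the same Docker network.
admin:
  address:
    # Listens on all container interfaces so a published port can reach it.
    # Publish it on host loopback only (-p 127.0.0.1:9901:9901): the admin API
    # is unauthenticated and can dump the config or shut Envoy down.
    socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
  listeners:
  - name: edge_http
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: edge_http
          route_config:
            virtual_hosts:
            - name: web
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: web_service }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: web_service
    type: STRICT_DNS          # resolve the container names through Docker DNS
    connect_timeout: 1s
    lb_policy: ROUND_ROBIN
    health_checks:            # unhealthy upstreams are taken out of rotation
    - timeout: 1s
      interval: 5s
      unhealthy_threshold: 2
      healthy_threshold: 2
      http_health_check: { path: "/" }   # assumed: the service answers 200 on "/"
    load_assignment:
      cluster_name: web_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address: { socket_address: { address: web1, port_value: 8080 } }
        - endpoint:
            address: { socket_address: { address: web2, port_value: 8080 } }
```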
Conclusion and Q&A
Thank you for joining us today! We hope this session has given you a solid understanding of Envoy Proxy and its role in modern distributed systems.