Envoy Proxy in Service Mesh
Introduction
Envoy Proxy is a high-performance, cloud-native proxy designed for service-to-service communication in modern distributed architectures. Originally developed by Lyft, Envoy has become the core data plane component in most service mesh implementations, including Istio, Consul, and Kuma.
Understanding Envoy Proxy
Envoy is designed to abstract the complexities of network communication, providing features such as:
Service discovery: Dynamically finds and routes traffic to available services.
Load balancing: Distributes traffic efficiently across service instances.
Observability: Provides metrics, logging, and tracing for visibility.
Security: Supports TLS encryption, mutual TLS (mTLS), and authentication mechanisms.
Traffic control: Implements advanced routing, retries, and circuit breakers.
Role of Envoy in a Service Mesh
In a service mesh, Envoy acts as a sidecar proxy, deployed alongside application services to handle all inbound and outbound traffic. This architecture centralizes traffic management and security policies while offloading these concerns from the application code.
Key Benefits in a Service Mesh:
Transparent Service Communication
- Handles inter-service communication without requiring application modifications.
Enhanced Security
- Supports mutual TLS (mTLS) for encrypted communication and authentication.
Observability and Monitoring
- Collects logs, traces, and metrics for real-time service monitoring.
Traffic Management
- Enables canary deployments, traffic shaping, and request routing.
Resilience and Fault Tolerance
- Implements retries, circuit breakers, and automatic failover.
Envoy Architecture
Envoy is structured as a proxy that operates at both L4 (TCP) and L7 (HTTP). It processes traffic through:
Listeners: Define network ports where Envoy accepts traffic.
Clusters: Represent groups of upstream services.
Filters: Implement custom logic such as authentication, rate limiting, and logging.
Control Plane Integration: Works with a control plane (e.g., Istio’s Pilot) to receive dynamic configuration updates.
Use Cases of Envoy
Microservices Networking: Simplifies service-to-service communication in cloud-native applications.
API Gateway: Acts as an ingress proxy, managing external traffic into the cluster.
Edge Proxy: Handles traffic at the network boundary with security features.
Load Balancer: Distributes traffic across multiple backend services efficiently.
Conclusion
Envoy Proxy is a critical component in modern service meshes, enabling secure, reliable, and observable communication between services. Its rich feature set, extensibility, and scalability make it the preferred choice for managing microservices traffic in Kubernetes and cloud-native environments.