Envoy Proxy
Modern edge and service proxy designed for cloud-native applications.
Overview
Envoy Proxy is a high-performance C++ distributed proxy designed for single services and applications, as well as a communication bus and universal data plane for large microservice service mesh architectures. Originally built at Lyft to handle their massive scale requirements, Envoy has become the foundation for numerous service mesh implementations including Istio, Ambassador, and Gloo. It excels at L3/L4 filtering, HTTP L7 filtering, HTTP/2 first design, and gRPC proxying while providing advanced load balancing, health checking, rate limiting, circuit breaking, and observability features.
This Envoy deployment creates a powerful edge proxy capable of handling ingress traffic, performing advanced routing decisions, and providing comprehensive observability through its built-in admin interface. The configuration mounts a custom envoy.yaml file that defines listeners for HTTP/HTTPS traffic on ports 80 and 443, while exposing the administrative interface on port 9901 for real-time monitoring and configuration inspection. Envoy's hot reload capability allows configuration changes without dropping connections, making it ideal for production environments requiring zero-downtime updates.
This setup is perfect for platform engineers implementing cloud-native architectures, DevOps teams managing microservice communications, and organizations requiring enterprise-grade traffic management with detailed observability. Envoy's extensive filter ecosystem and xDS API compatibility make it an excellent choice for teams building service meshes or needing advanced proxy features like mutual TLS, JWT validation, rate limiting, and sophisticated routing based on headers, paths, or weighted distributions.
Key Features
- Advanced HTTP/2 and gRPC proxying with connection multiplexing and flow control
- Built-in circuit breaker with configurable failure thresholds and automatic recovery
- Comprehensive health checking with active and passive failure detection
- Real-time metrics and tracing integration with Prometheus, Jaeger, and Zipkin
- Hot configuration reload via SIGHUP signal without dropping existing connections
- Sophisticated load balancing algorithms including consistent hashing and zone-aware routing
- WebAssembly (Wasm) filter support for custom request/response processing
- Automatic retry logic with exponential backoff and jitter configuration
Common Use Cases
- API gateway for microservices requiring advanced routing and traffic splitting
- Edge proxy for Kubernetes clusters handling ingress traffic and SSL termination
- Service mesh data plane component for inter-service communication
- Load balancer replacement requiring health checking and circuit breaking
- gRPC proxy for handling protocol translation and connection pooling
- Rate limiting proxy for protecting backend services from traffic spikes
- Observability gateway collecting metrics and traces from distributed systems
Prerequisites
- Docker Engine 20.10+ and Docker Compose V2 for container orchestration
- Minimum 512MB RAM allocation for Envoy proxy operations and connection handling
- Valid envoy.yaml configuration file with listeners, clusters, and route definitions
- Available ports 80, 443, and 9901 for HTTP, HTTPS, and admin interface access
- Understanding of Envoy configuration concepts including listeners, filters, and clusters
- SSL certificates if configuring HTTPS termination in the Envoy configuration
For development & testing. Review security settings, change default credentials, and test thoroughly before production use.
docker-compose.yml
```yaml
services:
  envoy:
    image: envoyproxy/envoy:v1.28-latest
    container_name: envoy
    restart: unless-stopped
    volumes:
      - ./envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro
    ports:
      - "80:80"
      - "443:443"
      - "9901:9901"
    networks:
      - envoy-network

networks:
  envoy-network:
    driver: bridge
```
.env Template
.env
```
# Envoy admin interface
ENVOY_ADMIN_PORT=9901
```
Usage Notes
- Docs: https://www.envoyproxy.io/docs/envoy/latest/
- Admin interface at http://localhost:9901 - stats, config dump, health
- Create envoy/envoy.yaml with listeners, clusters, and routes
- Hot reload config: kill -SIGHUP $(pidof envoy)
- Built-in circuit breaking, retries, and outlier detection
- Use xDS for dynamic configuration in service mesh setups
Quick Start
terminal
```bash
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  envoy:
    image: envoyproxy/envoy:v1.28-latest
    container_name: envoy
    restart: unless-stopped
    volumes:
      - ./envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro
    ports:
      - "80:80"
      - "443:443"
      - "9901:9901"
    networks:
      - envoy-network

networks:
  envoy-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Envoy admin interface
ENVOY_ADMIN_PORT=9901
EOF

# 3. Start the services
# (envoy/envoy.yaml must already exist; if it is missing, Docker creates a
# directory at that path and Envoy fails to start)
docker compose up -d

# 4. View logs
docker compose logs -f
```
One-Liner
Run this command to download and set up the recipe in one step:
terminal
```bash
curl -fsSL https://docker.recipes/api/recipes/envoy-proxy/run | bash
```
Troubleshooting
- Config validation failed: Check envoy.yaml syntax using 'envoy --mode validate --config-path envoy.yaml'
- Admin interface returns 404: Verify admin listener is configured in envoy.yaml with correct address binding
- Upstream cluster connection failures: Ensure cluster endpoints are reachable and health checks are properly configured
- High memory usage during traffic spikes: Adjust connection buffer limits and enable HTTP/2 connection reuse
- SSL handshake failures: Verify certificate chain completeness and TLS version compatibility in listener configuration
- Hot reload not working: Ensure Envoy process has proper signal handling enabled and configuration file permissions are correct