Configs · Apr 12, 2026 · 3 min read

Envoy Proxy — Cloud-Native High-Performance Service Proxy

Envoy is a cloud-native, high-performance edge, middle, and service proxy. Originally built at Lyft, it is now a CNCF graduated project and the data plane behind Istio, AWS App Mesh, and many service mesh implementations. It is written in C++ for maximum performance.

AI Open Source · Community
Intro

Envoy is a cloud-native, high-performance edge, middle, and service proxy originally built at Lyft and donated to the CNCF (graduated 2018). It is written in C++ for maximum performance. Envoy is the data plane behind Istio, AWS App Mesh, Consul Connect, and many custom service mesh implementations. It handles L4/L7 load balancing, HTTP/2, gRPC, TLS termination, rate limiting, circuit breaking, and observability.

What Envoy Does

  • L7 proxy — HTTP/1.1, HTTP/2, HTTP/3, gRPC
  • L4 proxy — TCP, UDP, TLS
  • Load balancing — round robin, least request, ring hash, maglev
  • Service discovery — DNS, EDS (Endpoint Discovery Service)
  • Health checking — active and passive
  • Circuit breaking — per-upstream limits
  • Rate limiting — local and global
  • Observability — stats (Prometheus), tracing (Jaeger/Zipkin), access logs
  • TLS — termination and origination, mTLS
  • xDS API — dynamic configuration via control plane
  • WASM filters — extend Envoy with WebAssembly

Architecture

Envoy runs as a single-process, multi-threaded C++ binary. Listeners accept connections, filter chains process them, and clusters route to upstreams. The xDS APIs (LDS, RDS, CDS, EDS, SDS) allow dynamic configuration from a control plane (such as Istio or a custom gRPC service). Hot restart enables zero-downtime upgrades.

Self-Hosting

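# docker-compose.yml
version: "3"
services:
  envoy:
    image: envoyproxy/envoy:v1.31-latest
    ports:
      # Proxy listener; the port must match a listener defined in envoy.yaml.
      - "10000:10000"
      # 9901 is the conventional Envoy admin port. The admin interface is
      # unauthenticated; publish it as "127.0.0.1:9901:9901" to keep it
      # off external interfaces.
      - "9901:9901"
    volumes:
      # Envoy configuration, mounted from the current directory.
      - ./envoy.yaml:/etc/envoy/envoy.yaml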
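
The compose file mounts an envoy.yaml that this page does not show. The following is an added example (not from the original page or the Envoy project) of a minimal static config that follows the listener, filter chain, cluster flow described under Architecture. The names ingress_http, all_hosts and service_backend, the upstream host backend:8080, and the circuit-breaker values are assumptions.

```yaml
# envoy.yaml (constructed example; names, upstream address and limits are assumptions)
admin:
  address:
    # Must be 0.0.0.0 inside the container for the published 9901 to answer;
    # limit exposure on the host side, e.g. publish as "127.0.0.1:9901:9901".
    socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
  listeners:
  - name: ingress_http                      # listener: accepts connections on 10000
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:                          # filter chain: processes the connection
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: all_hosts
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: service_backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:                                 # cluster: the upstream the route points to
  - name: service_backend
    type: STRICT_DNS
    connect_timeout: 1s
    lb_policy: ROUND_ROBIN
    circuit_breakers:                       # per-upstream limits
      thresholds:
      - priority: DEFAULT
        max_connections: 100
        max_pending_requests: 50
        max_requests: 200
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend, port_value: 8080 }
```

The hostname backend has to resolve on the compose network, for instance as a second service with that name. The file can be checked before deployment with envoy --mode validate -c /etc/envoy/envoy.yaml.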

Key Features

  • L4/L7 proxying
  • HTTP/2 and gRPC native
  • Dynamic configuration (xDS)
  • Service discovery
  • Circuit breaking and rate limiting
  • Observability (stats, tracing, logging)
  • mTLS
  • WASM filter extensibility
  • Hot restart
  • Admin API

Comparison

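| Proxy          | Type            | Config             | Language |
|----------------|-----------------|--------------------|----------|
| Envoy          | L4/L7           | xDS API            | C++      |
| Nginx          | L4/L7           | Static files       | C        |
| HAProxy        | L4/L7           | Static files       | C        |
| Traefik        | L7              | Auto-discovery     | Go       |
| Caddy          | L7              | Caddyfile/API      | Go       |
| Linkerd2-proxy | L4/L7 (sidecar) | Control plane      | Rust     |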

FAQ

Q: Envoy vs Nginx? A: Nginx excels at static files + simple reverse proxying (simple config); Envoy excels at microservice scenarios (dynamic config, gRPC, observability, service mesh). Many projects use Nginx at the edge and Envoy for service-to-service proxying.

Q: Relationship with Istio? A: Istio is the control plane; Envoy is the data plane. Istio pushes routing rules and mTLS certificates to each pod's Envoy sidecar via the xDS API.

Q: WASM extensions? A: Write WASM filters in Rust/C++/Go/TinyGo to extend Envoy functionality (custom header modification, auth, rate-limiting logic) without recompiling Envoy.
