Envoy Proxy — Cloud-Native High-Performance Service Proxy
Envoy is a cloud-native high-performance edge, middle, and service proxy. Originally built at Lyft, it is now a CNCF graduated project and the data plane behind Istio, AWS App Mesh, and many service mesh implementations. It is written in C++ for maximum performance.
Agent-ready install
This asset can be installed after choosing the runtime, reviewing the plan, and running the corresponding command.
    npx -y tokrepo@latest install c457cbe3-3638-11f1-9bc6-00163e2b0d79 --target codex
Run after confirming the plan with a dry run.
What it is
Envoy is a high-performance edge, middle, and service proxy originally built at Lyft and now a CNCF graduated project. Written in C++, it serves as the data plane for service mesh implementations including Istio, AWS App Mesh, and many others. Envoy handles L3/L4 and L7 traffic with advanced load balancing, observability, and security features.
Envoy targets platform engineers and DevOps teams building microservice architectures who need a programmable proxy for traffic management, observability, and security at the network layer.
How it saves time or tokens
Without Envoy, service-to-service communication requires each application to implement its own retry logic, circuit breaking, rate limiting, and observability. Envoy moves these concerns out of application code and into the infrastructure layer. This means developers write business logic while the proxy handles cross-cutting network concerns.
Envoy's admin interface at port 9901 provides real-time stats, cluster health, and configuration inspection without adding instrumentation to your services.
How to use
- Start Envoy with Docker:
    docker run -d --name envoy -p 10000:10000 -p 9901:9901 \
      envoyproxy/envoy:v1.31-latest
- Access the admin interface at http://localhost:9901.
- Configure a minimal listener and cluster in envoy.yaml:
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 10000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: backend
                  domains: ['*']
                  routes:
                  - match: { prefix: '/' }
                    route: { cluster: service_backend }
              http_filters:
              - name: envoy.filters.http.router
                typed_config:
                  '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      clusters:
      - name: service_backend
        connect_timeout: 5s
        type: STRICT_DNS
        load_assignment:
          cluster_name: service_backend
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: backend-service
                    port_value: 8080
Example
Test the proxy with curl:
    # Send traffic through Envoy
    curl http://localhost:10000/

    # Check cluster health via admin
    curl http://localhost:9901/clusters

    # View real-time stats
    curl http://localhost:9901/stats
Common pitfalls
- Envoy configuration is verbose YAML with deeply nested typed_config blocks. Start with the minimal example above and add features incrementally rather than copying full production configs.
- The admin interface (port 9901) exposes sensitive cluster and config data. Never expose it publicly in production. Bind it to localhost or protect it with network policies.
- Envoy does not reload configuration files automatically. Use xDS (discovery service) APIs for dynamic configuration, or restart the container after config changes.
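A check for the admin-interface pitfall above, as an added example that is not part of the original page or the Envoy project: the `docker run` command under "How to use" publishes port 9901 on every host interface, and this script reads `docker port` output and reports any non-loopback binding of that port. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect an Envoy admin port that Docker publishes beyond loopback.
# Input is the text `docker port <container>` prints, one binding per line,
# e.g. "9901/tcp -> 0.0.0.0:9901".

ADMIN_PORT=9901   # admin port used on this page

# Reads `docker port` output on stdin and prints every host binding of the
# admin port that is not a loopback address (hypothetical helper name).
exposed_admin_bindings() {
  awk -v p="$ADMIN_PORT" '
    $1 == (p "/tcp") && $2 == "->" {
      host = $3
      sub(/:[0-9]+$/, "", host)            # drop the host port
      if (host !~ /^127\./ && host != "[::1]" && host != "::1")
        print $3
    }'
}

# Returns 0 when the admin port is loopback-only or unpublished, 1 otherwise.
admin_is_private() {
  bad=$(exposed_admin_bindings)
  if [ -z "$bad" ]; then
    return 0
  fi
  printf 'admin port %s reachable via:\n%s\n' "$ADMIN_PORT" "$bad" >&2
  return 1
}

# Constructed sample: bindings produced by "-p 10000:10000 -p 9901:9901".
SAMPLE_ALL_INTERFACES='10000/tcp -> 0.0.0.0:10000
9901/tcp -> 0.0.0.0:9901
9901/tcp -> [::]:9901'

# Constructed sample: bindings produced by "-p 10000:10000 -p 127.0.0.1:9901:9901".
SAMPLE_LOOPBACK_ONLY='10000/tcp -> 0.0.0.0:10000
9901/tcp -> 127.0.0.1:9901'

# Demo on the constructed samples. Against a live container named "envoy":
#   docker port envoy | admin_is_private
printf '%s\n' "$SAMPLE_LOOPBACK_ONLY" | admin_is_private && echo "loopback-only: ok"
printf '%s\n' "$SAMPLE_ALL_INTERFACES" | admin_is_private ||
  echo "fix: publish with -p 127.0.0.1:9901:9901"
```

In Docker the restriction belongs on the `-p` mapping: if Envoy's own admin address is bound to 127.0.0.1 inside the container, the published port no longer reaches it from the host.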
Frequently asked questions
Istio uses Envoy as its data plane proxy. Istio provides the control plane (configuration, policy, telemetry) while Envoy handles actual traffic proxying in each pod sidecar. Envoy can also be used standalone without Istio.
Yes. Envoy has native support for gRPC proxying, load balancing, and transcoding (converting gRPC to REST and vice versa). It understands the gRPC protocol at L7 and can route based on gRPC service and method names.
Envoy is designed for service mesh and microservice environments with features like dynamic configuration via xDS APIs, built-in observability, and advanced load balancing. Nginx is a general-purpose web server and reverse proxy. They serve overlapping but different primary use cases.
xDS is Envoy's set of discovery service APIs (LDS, RDS, CDS, EDS) that allow dynamic configuration updates without restarts. Control planes like Istio use xDS to push configuration to Envoy sidecars in real time.
Yes. Envoy supports TLS termination, TLS origination, and mutual TLS (mTLS). In service mesh deployments, Envoy typically handles mTLS between services automatically, encrypting all inter-service traffic.