Envoy Proxy — Cloud-Native High-Performance Service Proxy

What it is

Envoy is a high-performance edge, middle, and service proxy originally built at Lyft and now a CNCF graduated project. Written in C++, it serves as the data plane for service mesh implementations including Istio, AWS App Mesh, and many others. Envoy handles L3/L4 and L7 traffic with advanced load balancing, observability, and security features.

Envoy targets platform engineers and DevOps teams building microservice architectures who need a programmable proxy for traffic management, observability, and security at the network layer.

How it saves time or tokens

Without Envoy, service-to-service communication requires each application to implement its own retry logic, circuit breaking, rate limiting, and observability. Envoy moves these concerns out of application code and into the infrastructure layer. This means developers write business logic while the proxy handles cross-cutting network concerns.

Envoy's admin interface at port 9901 provides real-time stats, cluster health, and configuration inspection without adding instrumentation to your services.

How to use

1. Start Envoy with Docker:

docker run -d --name envoy -p 10000:10000 -p 9901:9901 \
  envoyproxy/envoy:v1.31-latest

1. Access the admin interface at http://localhost:9901.

1. Configure a minimal listener and cluster in envoy.yaml:

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ['*']
                      routes:
                        - match: { prefix: '/' }
                          route: { cluster: service_backend }
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: service_backend
      connect_timeout: 5s
      type: STRICT_DNS
      load_assignment:
        cluster_name: service_backend
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: backend-service
                      port_value: 8080

Example

Test the proxy with curl:

# Send traffic through Envoy
curl http://localhost:10000/

# Check cluster health via admin
curl http://localhost:9901/clusters

# View real-time stats
curl http://localhost:9901/stats

Related on TokRepo

• DevOps Tools -- Infrastructure and deployment tooling
• AI Gateway Providers -- API gateway and proxy solutions

Common pitfalls

• Envoy configuration is verbose YAML with deeply nested typed_config blocks. Start with the minimal example above and add features incrementally rather than copying full production configs.
• The admin interface (port 9901) exposes sensitive cluster and config data. Never expose it publicly in production. Bind it to localhost or protect it with network policies.
• Envoy does not reload configuration files automatically. Use xDS (discovery service) APIs for dynamic configuration, or restart the container after config changes.