# Envoy Proxy — Cloud-Native High-Performance Service Proxy

> Envoy is a cloud-native high-performance edge, middle, and service proxy. Originally built at Lyft, now a CNCF graduated project. The data plane behind Istio, AWS App Mesh, and many service mesh implementations. Written in C++ for maximum performance.

## Quick Use

```bash
# Install via package or Docker
docker run -d --name envoy -p 10000:10000 -p 9901:9901 \
  envoyproxy/envoy:v1.31-latest

# Admin UI at http://localhost:9901
# (the admin interface is unauthenticated; publish 9901 only on trusted networks)
# Proxy at http://localhost:10000
```

Minimal config `envoy.yaml`:

```yaml
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route: { cluster: service_backend }
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: service_backend
      connect_timeout: 5s
      type: STRICT_DNS
      load_assignment:
        cluster_name: service_backend
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: host.docker.internal
                      port_value: 8080
```

## Intro

Envoy is a cloud-native, high-performance edge, middle, and service proxy originally built at Lyft and donated to the CNCF (graduated 2018). It is written in C++ for maximum performance. Envoy is the data plane behind Istio, AWS App Mesh, Consul Connect, and many custom service mesh implementations. It handles L4/L7 load balancing, HTTP/2, gRPC, TLS termination, rate limiting, circuit breaking, and observability.

- **Repo**: https://github.com/envoyproxy/envoy
- **Stars**: 27K+
- **Language**: C++
- **License**: Apache 2.0

## What Envoy Does

- **L7 proxy** — HTTP/1.1, HTTP/2, HTTP/3, gRPC
- **L4 proxy** — TCP, UDP, TLS
- **Load balancing** — round robin, least request, ring hash, maglev
- **Service discovery** — DNS, EDS (Endpoint Discovery Service)
- **Health checking** — active and passive
- **Circuit breaking** — per-upstream limits
- **Rate limiting** — local and global
- **Observability** — stats (Prometheus), tracing (Jaeger/Zipkin), access logs
- **TLS** — termination and origination, mTLS
- **xDS API** — dynamic configuration via control plane
- **WASM filters** — extend Envoy with WebAssembly

## Architecture

Single-process, multi-threaded C++ binary. Listeners accept connections, filter chains process them, clusters route to upstreams. xDS APIs (LDS, RDS, CDS, EDS, SDS) allow dynamic configuration from a control plane (like Istio or custom gRPC services). Hot restart enables zero-downtime upgrades.

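A hardened variant of the Quick Use `envoy.yaml`, added here as an example and not taken from the Envoy project: the admin listener is bound to loopback, and `listener_0` terminates TLS and requires client certificates (mTLS). The certificate paths under `/etc/envoy/certs/` are assumptions.

```yaml
# Added example (constructed). Certificate paths are assumptions; mount your own files.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }  # loopback only
static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address: { address: 0.0.0.0, port_value: 10000 }
      filter_chains:
        - transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              require_client_certificate: true  # mTLS: clients must present a cert
              common_tls_context:
                tls_certificates:
                  - certificate_chain: { filename: /etc/envoy/certs/server.crt }
                    private_key: { filename: /etc/envoy/certs/server.key }
                validation_context:
                  trusted_ca: { filename: /etc/envoy/certs/ca.crt }  # CA that signs client certs
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route: { cluster: service_backend }
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: service_backend
      connect_timeout: 5s
      type: STRICT_DNS
      load_assignment:
        cluster_name: service_backend
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: host.docker.internal, port_value: 8080 }
```

With the admin listener on the container's loopback address, a published `9901` port no longer answers from the host; query the admin API from inside the container's network namespace instead.
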
## Self-Hosting

```yaml
# docker-compose.yml
version: "3"
services:
  envoy:
    image: envoyproxy/envoy:v1.31-latest
    ports:
      - "10000:10000"
      - "9901:9901"
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
```

## Key Features

- L4/L7 proxying
- HTTP/2 and gRPC native
- Dynamic configuration (xDS)
- Service discovery
- Circuit breaking and rate limiting
- Observability (stats, tracing, logging)
- mTLS
- WASM filter extensibility
- Hot restart
- Admin API

## Comparison

| Proxy | Type | Config | Language |
|---|---|---|---|
| Envoy | L4/L7 | xDS API | C++ |
| Nginx | L4/L7 | Static files | C |
| HAProxy | L4/L7 | Static files | C |
| Traefik | L7 | Auto-discovery | Go |
| Caddy | L7 | Caddyfile/API | Go |
| Linkerd2-proxy | L4/L7 (sidecar) | Control plane | Rust |

## FAQ

**Q: Envoy vs Nginx?**
A: Nginx excels at serving static files and simple reverse proxying (simple configuration); Envoy excels in microservice scenarios (dynamic configuration, gRPC, observability, service mesh). Many projects use Nginx at the entry point and Envoy as the service-to-service proxy.

**Q: How does it relate to Istio?**
A: Istio is the control plane and Envoy is the data plane. Istio uses the xDS API to push routing rules and mTLS certificates to the Envoy sidecar in each Pod.

**Q: WASM extensions?**
A: Write WASM filters in Rust/C++/Go/TinyGo to extend Envoy (custom header modification, authentication, rate-limiting logic) without recompiling Envoy.

## Sources and Acknowledgements

- Docs: https://www.envoyproxy.io/docs
- GitHub: https://github.com/envoyproxy/envoy
- License: Apache 2.0

---

Source: https://tokrepo.com/en/workflows/c457cbe3-3638-11f1-9bc6-00163e2b0d79

Author: AI Open Source