Envoy is an open source edge and service proxy designed for cloud-native applications, and the default data plane for the Istio service mesh. In this article, we introduce the basic use of Envoy with a simple example.
1. Creating a proxy configuration
Envoy uses YAML configuration files to control the behavior of the proxy. In the following steps we build the configuration using the static configuration interface, which means that all settings are predefined in the configuration file. Envoy also supports dynamic configuration, in which settings are discovered automatically from an external source.
The first line of the Envoy configuration declares which API is being configured. Here we are configuring the static API, so the first line should be
Listeners are defined at the beginning of the configuration. A listener is the network location on which Envoy accepts requests, that is, an IP address and a port. Here we have Envoy running inside a Docker container, so it needs to listen on IP address 0.0.0.0, in which case Envoy will listen on port
Here is the configuration to define the listener.
With Envoy listening for incoming traffic, the next step is to define how to handle these requests. Each listener has a set of filters, and different listeners can have different sets of filters.
In our example, we proxy all traffic to baidu.com. Once configured, we should be able to see the Baidu homepage directly by requesting Envoy's endpoint, without having to change the URL address.
Filters are defined via filter_chains, and the purpose of each filter is to match the incoming request so that it can be routed to a destination address.
This filter uses envoy.http_connection_manager, which is a built-in filter designed for HTTP connections:
stat_prefix: A prefix to be used when issuing statistics for the connection manager.
route_config: The route configuration. If the virtual host matches, its routes are checked. In our configuration here, route_config matches all incoming HTTP requests, regardless of the request's host domain.
routes: If the URL prefix matches, then a set of routing rules defines what will happen next. / means match the root route.
host_rewrite: Changes the inbound Host header information for HTTP requests.
cluster: The name of the cluster where the request will be processed, with the corresponding implementation below.
http_filters: This filter allows Envoy to adapt and modify the request as it is processed.
When a request matches a filter, the request will be passed to the cluster. The following configuration defines the host as the baidu.com domain for accessing HTTPS, and if multiple hosts are defined, Envoy will implement a Round Robin policy. The configuration is shown below.
Finally, an administration module needs to be configured.
The above configuration defines a static configuration template for Envoy. The listener defines the port and IP address on which Envoy listens. The listener has a set of filters to match incoming requests and, after a request is matched, it is forwarded to the cluster.
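The listener, filter chain and cluster described above, written out as an added example rather than the article's own file. It uses Envoy's v3 API names (the filter is envoy.filters.network.http_connection_manager and host_rewrite is spelled host_rewrite_literal); port 10000, the resource names and the CA bundle path are assumptions.

```yaml
# Added example, not the original article's configuration file.
static_resources:
  listeners:
  - name: listener_0                  # assumed name
    address:
      # 0.0.0.0 so the listener is reachable from outside the container; port assumed.
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]          # match any Host header
              routes:
              - match: { prefix: "/" }
                route:
                  host_rewrite_literal: baidu.com   # rewrite the inbound Host header
                  cluster: service_baidu
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: service_baidu
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_baidu
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: baidu.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: baidu.com
        common_tls_context:
          validation_context:
            # Without a validation_context the upstream certificate is not verified.
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }  # assumed path
```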
2. Turn on the proxy
After the configuration is done, you can start Envoy in a Docker container, mounting the above configuration file via a volume at /etc/envoy/envoy.yaml in the container.
Then start the Envoy container bound to port 80 using the following command.
Once started, we can run curl localhost to access the application on port 80 locally and test that the proxy works. We can also check by accessing localhost in our local browser.
You can see that the request is being proxied to baidu.com, and you should also see that the URL address has not changed, it is still
3. Management View
Envoy provides an administrative view that allows us to view configuration, statistics, logs and other data inside Envoy.
We can configure admin by adding additional resource definitions, where we can also define the port for the admin view, but we need to be careful that the port does not conflict with other listener configurations.
Of course, we can also expose the management port to external users through the Docker container. The above configuration exposes the admin page to external users. That is acceptable here for demonstration, but in a production environment you also need security measures; see Envoy's documentation for more on securing the configuration.
To expose the administration page to external users as well, we use the following command to run another container.
After running successfully, we can now access the Envoy administration page by typing localhost:9901 in our browser:
It is important to note that the administration page not only allows destructive operations (e.g., shutting down services), but may also expose private information (e.g., statistics, cluster names, certificate information, etc.). Therefore, access to the administration page should be allowed only through a secure network.
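One way to apply this restriction, as an added example that is not from the original article: the admin interface binds to loopback only, and a separate listener forwards nothing but the read-only /ready probe to it. Port 9902 and the names admin_readonly and admin_local are assumptions.

```yaml
# Added example, not the original article's configuration file.

# Weak: admin reachable on every interface of the container or host.
# admin:
#   address:
#     socket_address: { address: 0.0.0.0, port_value: 9901 }

# Restricted: admin listens on loopback only.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }

static_resources:
  listeners:
  # Listener that may be published; it forwards only /ready to the admin port.
  - name: admin_readonly              # assumed name
    address:
      socket_address: { address: 0.0.0.0, port_value: 9902 }   # assumed port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: admin_readonly
          route_config:
            virtual_hosts:
            - name: admin
              domains: ["*"]
              routes:
              # Exact-path match: /quitquitquit, /config_dump, /certs and the
              # rest match no route and are answered with 404.
              - match: { path: "/ready" }
                route: { cluster: admin_local }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: admin_local                 # assumed name
    connect_timeout: 0.25s
    type: STATIC
    load_assignment:
      cluster_name: admin_local
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9901 }
```

Inside a container, an admin interface bound to 127.0.0.1 cannot be reached through a published port, so only the 9902 listener needs to be published. When merging this into an existing file, append the listener and cluster to the existing static_resources lists.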
Of course there are many more uses for Envoy, and this article is just the easiest way to get started, so we’ll dive in later.