Proxy Envoy

The first edition was written on 2020-08-30.

Demo

This Github repo has demos for some important types of envoy proxies.

Some issues I had at the time of using Envoy:

• CONNECT with domain match
• Block or allow downstream source IPs

About Source Code

The protobuf plays a central role on Envoy configuration and every component in Envoy is defined by protobuf. Here I will show some of them I explored.

For example, in external authz gRPC server demo code:

import (
	auth_pb "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
)

func (s *service) Check(ctx context.Context,
                        r *auth_pb.CheckRequest)
                        (*auth_pb.CheckResponse, error) {
	fmt.Println("received check request")
	// return nil, fmt.Errorf("error")
	return &auth_pb.CheckResponse{}, nil
}

func main() {
	auth_pb.RegisterAuthorizationServer(grpcServer, s)
}

The Check handler is specified in module external_auth.pb.go#L704 and defined in proto file service external_auth.proto#L33.

Testing Facilities

There are some CLI and online facilities can help proxy testings:

• HTTP client: curl
• HTTP(S) server: www.httpbin.org, www.example.org
• TCP client: nc, telnet
• TCP server: www.tcpbin.com, nc

For complex testing that multiple components are involved, utilizing docker compose to make them work together.

NOTE: nc and telnet can also work with HTTP server, but you need to input HTTP directives in connection, for example: GET /<path> HTTP/1.1

Envoy Training

So far the best Envoy learning series. The key takeaways are summarized in subsequent sections.

Episode 1: Intro to Envoy

The codelab Github repo.

• Cloud Native L4/L7 proxy.
• Extenability.
• Control via API(usually gRPC): control plane/ data plane.
• Observability: traces and metrics.

Core concepts and data flow, the same order in Envoy config yaml file:

Requests
-> Listeners
-> Filters(routing decision): chained and order matters.
  -> TCP Filters
  -> HCM(http_connection_manager) Filters: turns envoy to http L7 proxy.
    -> HTTP Filters: operates on http header, body, etc.
      -> Router Filters: sends traffic to upstream.
-> Clusters: upstream destinations
  -> Endpoints/Cluster member/Cluster Load Assignment

Episode 05: Envoy filters

Envoy HTTP Filters:

• Code that can interact with request/response.
• Async IO.
• Transparently work with HTTP 1.1 or 2/3.
• Chained together.

Episode 15: Envoy + External Services

The external authz gRPC server is referenced from this episode, super helpful, see codelab

Other Learning Resources

• Envoy proxy blogs
• Intro: Envoy - Matt Klein & Constance Caramanolis, Lyft (slides)
• Envoy Internals Deep Dive (slides)
• Ambassador Envoy blogs
• Some Envoy basics

Istio (as far as I understand it) is basically an Envoy discovery service that uses information from the Kubernetes API (eg the services in your cluster) to configure Envoy clusters/routes. It has its own configuration language.

• Envoy supports traffic shadowing
• Load balancing and HTTP Routing with Envoy Proxy
• Envoy Proxy Crash Course, Architecture, L7 & L4 Proxying, HTTP/2, Enabling TLS 1.2/1.3 and more