Envoy

Some people compare Envoy with Nginx. The free version of Nginx is a great web server (it caches and serves static files) but a poor load balancer: no active health checks, few balancing algorithms and close to no metrics.

Envoy cannot serve static files and has no cache, but it is a great load balancer and API gateway. As a balancer it has a lot going for it: the xDS configuration API, active and passive health checks, a choice of balancing algorithms, and rich metrics.

Basic security

The biggest problem for Envoy users is an admin interface reachable from the network. It has no authentication, returns the running configuration at /config_dump and accepts state-changing POSTs (for example /quitquitquit shuts Envoy down), so it must never be exposed. Most deployments do not need it at all, but the Prometheus metrics live there too, at the unusual path /stats/prometheus.

We can solve both issues at once: bind the admin interface to loopback only and expose nothing but the metrics path through an ordinary listener:

---
admin:
  # Admin access log goes nowhere; drop this block entirely if you want Envoy's default.
  access_log:
    - name: envoy.access_loggers.file
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
        path: /dev/null
  address:
    socket_address:
      address: 127.0.0.1   # loopback only; never 0.0.0.0 or ::
      port_value: 9901
static_resources:
  listeners:
    - address:
        socket_address:
          address: "::"
          ipv4_compat: true
          port_value: 9900
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains:
                        - "*"
                      routes:
                        # Exact-path match: only /metrics reaches the admin cluster, and the
                        # matched path is swapped for the Prometheus endpoint. Anything else
                        # on this listener gets a 404.
                        - match:
                            path: "/metrics"
                          route:
                            prefix_rewrite: "/stats/prometheus"
                            cluster: admin_api
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                # No access_log here: Envoy logs nothing for a listener unless one is configured.
  clusters:
    - name: admin_api
      connect_timeout: 1s   # loopback; a 600s timeout only hides a broken admin socket
      type: STATIC
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: admin_api   # must match the cluster name above
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 9901

Now port 9900 serves only the metrics, at the conventional /metrics URL. Two caveats remain: the admin API is still reachable by any process on the host through 127.0.0.1:9901 (including other containers that share the pod's network namespace), and /metrics on 9900 is unauthenticated, so limit who can reach 9900 with a firewall, network policy or Envoy's RBAC filter. Verify from another machine that 9901 refuses connections and that /config_dump or /server_info on 9900 returns 404.
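To check an existing bootstrap for exactly these problems, here is a small Python linter, added as an example here rather than taken from the page or from Envoy. It walks the bootstrap already parsed into a dict (JSON shown; YAML loads into the same shape), reports an admin interface bound to a non-loopback address, finds the static clusters whose endpoints land on the admin socket, and flags every route into them other than an exact-path /metrics -> /stats/prometheus mapping. Both sample bootstraps are constructed for the example; the cluster name, the /admin counter-example and the severity labels are mine.

```python
"""Static check of an Envoy bootstrap for admin-interface exposure (added example, not Envoy code)."""
import copy
import ipaddress
import json
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample: the hardened bootstrap from this page, expressed as JSON.
HARDENED: Dict = json.loads("""
{
  "admin": {"address": {"socket_address": {"address": "127.0.0.1", "port_value": 9901}}},
  "static_resources": {
    "listeners": [{
      "address": {"socket_address": {"address": "::", "ipv4_compat": true, "port_value": 9900}},
      "filter_chains": [{"filters": [{
        "name": "envoy.filters.network.http_connection_manager",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
          "stat_prefix": "ingress_http",
          "route_config": {"virtual_hosts": [{"name": "backend", "domains": ["*"], "routes": [
            {"match": {"path": "/metrics"},
             "route": {"prefix_rewrite": "/stats/prometheus", "cluster": "admin_api"}}]}]},
          "http_filters": [{"name": "envoy.filters.http.router"}]
        }}]}]}],
    "clusters": [{
      "name": "admin_api", "type": "STATIC",
      "load_assignment": {"cluster_name": "admin_api", "endpoints": [{"lb_endpoints": [
        {"endpoint": {"address": {"socket_address": {"address": "127.0.0.1", "port_value": 9901}}}}]}]}}]
  }
}
""")

# Constructed counter-example: admin bound to every interface, plus a prefix route into all of it.
EXPOSED: Dict = copy.deepcopy(HARDENED)
EXPOSED["admin"]["address"]["socket_address"]["address"] = "0.0.0.0"
_hcm = EXPOSED["static_resources"]["listeners"][0]["filter_chains"][0]["filters"][0]["typed_config"]
_hcm["route_config"]["virtual_hosts"][0]["routes"].append(
    {"match": {"prefix": "/admin"}, "route": {"prefix_rewrite": "/", "cluster": "admin_api"}})


def _sock(address: Dict) -> Tuple[str, int]:
    sa = (address or {}).get("socket_address") or {}
    return sa.get("address", ""), sa.get("port_value", 0)


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def admin_clusters(bootstrap: Dict) -> Set[str]:
    """Names of static clusters with an endpoint that lands on the admin socket."""
    admin_host, admin_port = _sock(bootstrap.get("admin", {}).get("address"))
    wildcard = admin_host in ("0.0.0.0", "::")
    found = set()
    for cluster in bootstrap.get("static_resources", {}).get("clusters", []):
        for group in cluster.get("load_assignment", {}).get("endpoints", []):
            for lb in group.get("lb_endpoints", []):
                host, port = _sock(lb.get("endpoint", {}).get("address"))
                if port == admin_port and (wildcard or host == admin_host
                                           or (_is_loopback(host) and _is_loopback(admin_host))):
                    found.add(cluster["name"])
    return found


def _hcm_configs(listener: Dict) -> Iterator[Dict]:
    """Yield each HTTP connection manager config (v3 typed_config or legacy config) in a listener."""
    for chain in listener.get("filter_chains", []):
        for f in chain.get("filters", []):
            if "http_connection_manager" in f.get("name", ""):
                yield f.get("typed_config") or f.get("config") or {}


def lint_admin(bootstrap: Dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; empty means no admin interface is configured at all."""
    findings: List[Tuple[str, str]] = []
    admin_host, admin_port = _sock(bootstrap.get("admin", {}).get("address"))
    if not admin_host:
        return findings
    if not _is_loopback(admin_host):
        findings.append(("HIGH", f"admin interface listens on {admin_host}:{admin_port}; "
                                 "it has no authentication and accepts state-changing POSTs"))
    admins = admin_clusters(bootstrap)
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        host, port = _sock(listener.get("address"))
        where = f"listener {host}:{port}"
        for hcm in _hcm_configs(listener):
            if "rds" in hcm:
                findings.append(("INFO", f"{where} gets routes from RDS; routes into {sorted(admins)} "
                                         "cannot be checked statically"))
            for vhost in hcm.get("route_config", {}).get("virtual_hosts", []):
                for entry in vhost.get("routes", []):
                    route = entry.get("route", {})
                    if route.get("cluster") not in admins:
                        continue
                    match, rewrite = entry.get("match", {}), route.get("prefix_rewrite")
                    if "path" in match and rewrite == "/stats/prometheus":
                        findings.append(("INFO", f"{where} exposes {match['path']} -> /stats/prometheus "
                                                 "without auth; restrict the source range"))
                    else:
                        findings.append(("HIGH", f"{where} route {match} -> {rewrite or '(no rewrite)'} "
                                                 "forwards into the whole admin API"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("exposed", EXPOSED)):
        for severity, message in lint_admin(cfg):
            print(f"{label}: {severity}: {message}")
```

Routes delivered over RDS cannot be inspected this way, so the linter only reports that they exist; for those, query the running instance's /config_dump from the loopback side instead.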

HTTP to HTTPS

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: http_redirect
            virtual_hosts:
            - name: backend
              domains:
              - "example.com"
              routes:
              - match:
                  prefix: "/"
                redirect:
                  # Only the scheme changes; host, path and query are kept.
                  # (A path_redirect of "/" here would send every deep link to the root.)
                  https_redirect: true
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

Envoy answers with a 301 by default (response_code in the redirect action). Pair this with a Strict-Transport-Security header on the HTTPS virtual host (response_headers_to_add) so browsers stop contacting port 80 at all, and keep in mind that whatever a client sent over plain HTTP before the redirect has already crossed the wire in clear.

Health-checks

Envoy's outlier detection is a passive health check: a host that returns too many 5xx responses in a row (locally originated failures such as connect timeouts count as 5xx too) is ejected from the load-balancing pool for a while. Active health checks (cluster.health_checks) are a separate feature. Envoy is designed for swarms of microservices, so the outlier-detection defaults assume large clusters: consecutive_5xx is 5, base_ejection_time is 30s, max_ejection_percent is 10, success_rate_minimum_hosts is 5 and success_rate_request_volume is 100. Review at least max_ejection_percent, success_rate_minimum_hosts and success_rate_request_volume before relying on it with a handful of hosts. My choice is:

static_resources:
  clusters:
    - name: external
      outlier_detection:
        consecutive_5xx: 3              # default 5
        base_ejection_time: 60s         # default 30s, multiplied by the host's ejection count
        success_rate_minimum_hosts: 2   # default 5: with fewer hosts success-rate detection never runs
        max_ejection_percent: 50        # default 10: one host out of two is already 50%
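To see what those thresholds do on a small cluster, here is an added Python simulation (my code, not Envoy's) of the consecutive_5xx ejection path on a 2-host cluster, run once with Envoy's defaults and once with the settings above. Host names, the stream of 503s and the tick spacing are constructed; the percentage check is modelled as in current Envoy, where the host about to be ejected is counted toward max_ejection_percent (older releases always allowed the first ejection, so check the release notes for the version you run); unejection is applied as soon as the ejection time expires rather than on Envoy's interval timer; success-rate detection is not modelled.

```python
"""Simulation of Envoy's consecutive_5xx outlier ejection on a small cluster (added example, not Envoy code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OutlierDetection:
    """Subset of cluster.outlier_detection; the values are Envoy's documented defaults."""
    consecutive_5xx: int = 5
    base_ejection_time: float = 30.0   # seconds; real ejection = base * times this host was ejected
    max_ejection_time: float = 300.0   # seconds; cap on the above
    max_ejection_percent: int = 10


@dataclass
class Host:
    name: str
    consecutive_5xx: int = 0
    ejections: int = 0                  # lifetime ejection count
    ejected_until: Optional[float] = None


class Detector:
    def __init__(self, cfg: OutlierDetection, hosts: List[Host]):
        self.cfg, self.hosts = cfg, hosts
        self.overflow = 0               # ejections refused because of max_ejection_percent

    def is_ejected(self, host: Host, now: float) -> bool:
        # Unejection is immediate at expiry here; Envoy applies it on its `interval` timer.
        return host.ejected_until is not None and now < host.ejected_until

    def ejected_names(self, now: float) -> List[str]:
        return sorted(h.name for h in self.hosts if self.is_ejected(h, now))

    def record(self, host: Host, status: int, now: float) -> bool:
        """Feed one upstream response; return True if it caused an ejection."""
        if status < 500:
            host.consecutive_5xx = 0
            return False
        host.consecutive_5xx += 1
        if host.consecutive_5xx < self.cfg.consecutive_5xx:
            return False
        host.consecutive_5xx = 0        # the counter resets whether or not the ejection goes ahead
        return self._try_eject(host, now)

    def _try_eject(self, host: Host, now: float) -> bool:
        active = sum(1 for h in self.hosts if self.is_ejected(h, now))
        # The candidate host counts toward the limit: with 2 hosts one ejection is already 50%,
        # so the 10% default refuses even the first one.
        if 100.0 * (active + 1) / len(self.hosts) > self.cfg.max_ejection_percent:
            self.overflow += 1
            return False
        host.ejections += 1
        duration = min(self.cfg.base_ejection_time * host.ejections, self.cfg.max_ejection_time)
        host.ejected_until = now + duration
        return True


def simulate(cfg: OutlierDetection, n_hosts: int, failures_per_host: int, tick: float = 0.1) -> Detector:
    """Round-robin `failures_per_host` constructed 503s over the cluster, skipping ejected hosts."""
    det = Detector(cfg, [Host(f"h{i}") for i in range(n_hosts)])
    now = 0.0
    for _ in range(failures_per_host):
        for host in det.hosts:
            if not det.is_ejected(host, now):
                det.record(host, 503, now)
            now += tick
    return det


DEFAULTS = OutlierDetection()
AUTHOR = OutlierDetection(consecutive_5xx=3, base_ejection_time=60.0, max_ejection_percent=50)

if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULTS), ("page settings", AUTHOR)):
        det = simulate(cfg, n_hosts=2, failures_per_host=6)
        print(f"{label}: ejected={det.ejected_names(2.0)} refused_by_max_percent={det.overflow}")
```

With the defaults a 2-host cluster never ejects anything: one host out of two is 50%, above the 10% limit, so both threshold hits are refused and the counters reset. With the settings above the first failing host is ejected for 60 s and the second is refused, which is what you want from a two-node pool: never take both out. The defaults only start ejecting once the cluster has at least 10 hosts, and then exactly one of them.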

Related links