
An Overview of Envoy: A Cloud‑Native L7 Proxy and Service Mesh Bus

Envoy is a cloud‑native L7 proxy and communication bus designed for modern service‑oriented architectures, offering out‑of‑process deployment, language‑agnostic operation, modern C++11 implementation, extensive L3/L4 and HTTP L7 filtering, HTTP/2, gRPC, database protocol support, service discovery, health checking, advanced load balancing, edge proxy capabilities, observability, and dynamic configuration.

Architects Research Society

Envoy is an L7 proxy and communication bus specifically designed for large modern service‑oriented architectures. The project originates from the belief that the network should be transparent to applications and that when network or application issues arise, the root cause should be easy to identify.

The network should be transparent to applications. When problems occur, it should be easy to pinpoint the root cause.

In practice, achieving this goal is very difficult. Envoy attempts to do so by providing several high‑level features.

Out‑of‑process architecture : Envoy runs as an independent process alongside each application server, forming a transparent communication mesh where applications send and receive messages from the local host without knowing the network topology. Compared with traditional library‑based service communication, this architecture offers two substantial benefits.

Envoy can be used with any application language. A single Envoy deployment can form a mesh across Java, C++, Go, PHP, Python, etc., bridging the gap in heterogeneous service‑oriented environments.

Deploying and upgrading libraries in large service‑oriented architectures can be painful; Envoy can be deployed and upgraded transparently across the entire infrastructure.

Modern C++11 codebase: Envoy is written in C++11. Native code is chosen to avoid unnecessary overhead, providing excellent latency characteristics without adding complexity to already complex cloud deployments. C++11 offers strong developer productivity and performance.

L3 / L4 filter architecture : At its core, Envoy is an L3/L4 network proxy. An insertable filter chain mechanism allows developers to write filters for various TCP proxy tasks, such as raw TCP proxy, HTTP proxy, TLS client certificate authentication, and more.

HTTP L7 filter architecture : HTTP is a key component of modern application architectures. Envoy supports an additional HTTP L7 filter layer that can be inserted into the HTTP connection manager subsystem to perform tasks like buffering, rate limiting, routing/forwarding, and sniffing services such as Amazon DynamoDB.

Prioritized HTTP/2 support : When running in HTTP mode, Envoy supports both HTTP/1.1 and HTTP/2, acting as a transparent HTTP/1.1‑to‑HTTP/2 proxy in both directions. This enables any combination of HTTP/1.1 and HTTP/2 clients and upstream servers, allowing persistent, multiplexed connections across the mesh.

HTTP L7 routing : Envoy’s routing subsystem can route and redirect requests based on path, authority, content type, runtime values, etc., which is useful both at the edge and within a service mesh.

gRPC support : gRPC, Google’s RPC framework built on HTTP/2, is fully supported by Envoy, including routing and load‑balancing features required for gRPC traffic.

MongoDB L7 support : MongoDB is a popular database in modern web applications. Envoy can sniff MongoDB connections, collect statistics on them, and log them.

DynamoDB L7 support : Envoy provides L7 sniffing and statistics for Amazon’s DynamoDB key/value NoSQL store.

Service discovery : Envoy supports multiple service‑discovery methods, including asynchronous DNS resolution via a discovery service and REST‑based lookups.

Health checking : Envoy includes a health‑check subsystem that can perform active health checks on upstream service clusters and combine health‑check data with service‑discovery information to determine healthy load‑balancing targets. Passive health checks are also supported via anomaly detection.

Advanced load balancing : As a standalone proxy, Envoy implements sophisticated load‑balancing techniques such as automatic retries, circuit breaking, global rate limiting via external services, request shadowing, and anomaly detection.

Frontend/edge proxy support : Although primarily designed for service‑to‑service communication, Envoy can also serve as an edge proxy, offering TLS termination, HTTP/1.1 and HTTP/2 support, and HTTP L7 routing for modern web applications.
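
A minimal static configuration tying together several features listed above: an L3/L4 filter chain with TLS client certificate authentication, the HTTP connection manager with L7 routing, DNS discovery, active health checking, passive health checking (which Envoy's configuration calls outlier detection), and circuit breaking. This is an added example, not taken from the original article or the Envoy project. It assumes Envoy's current v3 configuration API; the listener and cluster names, file paths, ports, hostname and thresholds are constructed placeholders.

```yaml
static_resources:
  listeners:
  - name: edge_https                      # constructed name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:                   # TLS termination with client certificate authentication
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/tls/server.crt }  # placeholder path
              private_key: { filename: /etc/envoy/tls/server.key }
            validation_context:
              trusted_ca: { filename: /etc/envoy/tls/clients-ca.crt }
      filters:                            # L3/L4 network filter chain
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: edge
          codec_type: AUTO                # HTTP/1.1 or HTTP/2
          route_config:
            virtual_hosts:
            - name: api
              domains: ["*"]
              routes:
              - match: { prefix: "/api/" }
                route: { cluster: backend_api }
          http_filters:                   # HTTP L7 filter chain; router goes last
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_api
    type: STRICT_DNS                      # DNS service discovery
    connect_timeout: 1s
    load_assignment:
      cluster_name: backend_api
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal.example, port_value: 8080 }
    health_checks:                        # active health checking
    - { timeout: 1s, interval: 5s, unhealthy_threshold: 3, healthy_threshold: 2, http_health_check: { path: /healthz } }
    outlier_detection: { consecutive_5xx: 5, base_ejection_time: 30s }   # passive
    circuit_breakers:
      thresholds: [{ max_connections: 1024, max_pending_requests: 256 }]
```

With `require_client_certificate: true` and a `trusted_ca` set, connections that do not present a certificate chaining to that CA are rejected during the TLS handshake, before any HTTP filter runs.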

Best observability : Envoy provides extensive statistics for all subsystems, compatible with statsd and other collectors, and supports distributed tracing via third‑party vendors.

Dynamic configuration : Envoy can be configured dynamically through a layered set of APIs, allowing complex centralized management of deployments.

Design goals : Envoy is not extremely fast; the code is written to be modular and testable rather than optimized for absolute maximum performance, reflecting the reality that typical deployments are limited by language runtimes and memory usage.
