BestHub
Sign in
Cloud Native 7 min read

Circuit Breaking, Global Rate Limiting, and TLS Configuration in Envoy

The article explains Envoy's circuit‑breaking mechanisms, global rate‑limiting integration, and TLS support, detailing configuration options, limits, and example YAML snippets for deploying secure and resilient service‑mesh proxies.

Architects Research Society
Architects Research Society
Architects Research Society
Circuit Breaking, Global Rate Limiting, and TLS Configuration in Envoy

Envoy implements circuit breaking at the network level, allowing fast failure and pressure relief without modifying each application. It provides several independent limits per upstream cluster, such as maximum connections, pending requests, total requests, and active retries, each configurable per cluster and priority.

When a circuit‑breaker limit is exceeded, Envoy increments corresponding overflow counters (e.g., upstream_rq_pending_overflow ) and, for HTTP requests, adds the x-envoy-overloaded header.

In scenarios where per‑host limits are insufficient—such as many downstream hosts forwarding to a few overloaded upstream servers—global rate limiting offers a better solution. Envoy integrates with a global gRPC rate‑limit service (e.g., Lyft's Redis‑backed Go implementation) that can enforce limits at both network and HTTP levels.

TLS support in Envoy includes configurable ciphers, client certificates, certificate verification and pinning, ALPN, SNI, and session resumption. Envoy uses BoringSSL as its TLS provider, and certificate validation is only enabled when a trusted CA is specified.

Example configuration snippets demonstrate how to define listeners, TLS contexts, and clusters in Envoy’s static resources. The TLS context includes a validation_context with a trusted_ca file path, such as /etc/ssl/certs/ca-certificates.crt on Debian‑based systems.

static_resources:
  listeners:
  - name: listener_0
    address: { socket_address: { address: 127.0.0.1, port_value: 10000 } }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        # ...
      tls_context:
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /usr/local/my-client-ca.crt
  clusters:
  - name: some_service
    connect_timeout: 0.25s
    type: STATIC
    lb_policy: ROUND_ROBIN
    hosts: [{ socket_address: { address: 127.0.0.2, port_value: 1234 } }]
    tls_context:
      common_tls_context:
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt

Envoy also offers an authentication filter that performs TLS client certificate verification against a list of allowed principals, optionally combined with IP whitelisting, enabling edge‑proxy VPN‑style access control.

Cloud Nativeservice meshRate LimitingTLSEnvoycircuit breaking
Architects Research Society
Written by

Architects Research Society

A daily treasure trove for architects, expanding your view and depth. We share enterprise, business, application, data, technology, and security architecture, discuss frameworks, planning, governance, standards, and implementation, and explore emerging styles such as microservices, event‑driven, micro‑frontend, big data, data warehousing, IoT, and AI architecture.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment