Master Envoy Proxy in 5 Minutes: Build, Configure, and Test a Service Mesh

What is Envoy Proxy?

Envoy Proxy is an open‑source edge and service proxy designed for cloud‑native applications, written in C++, serving as the universal data plane for large‑scale microservice mesh architectures.

Envoy's Building Blocks

Listeners are the addresses and ports where Envoy accepts connections. Routes map virtual hosts to clusters based on request metadata such as headers and URI paths. Clusters represent groups of upstream hosts and can be configured with health checks, circuit breakers, timeouts, and load‑balancing policies.

What are Envoy Proxy Filters?

Listener filter : Operates on raw L4 connection metadata, e.g., TLS inspector extracts TLS information.

Network filter : Handles raw TCP data; an example is the TCP proxy filter that forwards traffic to upstream hosts.

HTTP filter : Runs at L7, processes HTTP requests/responses; the HTTP connection manager (HCM) converts raw data to HTTP and enables further HTTP filters.

Listeners can chain multiple network filters, ending with the HCM which turns Envoy into an L7 proxy.

Envoy Proxy Example (5 minutes)

We start two simple Go applications in Docker containers, one listening on port 18888 (route /blue) and the other on port 28888 (route /red).

# Start services
docker run -dit --env CUSTOM_ROUTE="/blue" -p 18888:8090 core.jiaxzeng.com/jiaxzeng/simple:v1.4.2
docker run -dit --env CUSTOM_ROUTE="/red" -p 28888:8090 core.jiaxzeng.com/jiaxzeng/simple:v1.4.2

# Verify services
curl 172.139.20.170:18888/blue
curl 172.139.20.170:28888/red

Next we launch an Envoy sidecar that listens on port 10000 and routes traffic based on the request path.

cat /tmp/envoy-demo.yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/blue"
                route:
                  cluster: blue
              - match:
                  prefix: "/red"
                route:
                  cluster: red
  clusters:
  - name: blue
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: blue_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.139.20.170
                port_value: 18888
  - name: red
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: red_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 172.139.20.170
                port_value: 28888

docker run -d --name envoy -v /tmp/envoy-demo.yaml:/etc/envoy/envoy.yaml:ro -p 10000:10000 envoyproxy/envoy:v1.28.7

Validate the forwarding:

curl localhost:10000/blue && echo
# => This is the /blue route
curl localhost:10000/red && echo
# => This is the /red route

Conclusion

This article provides a five‑minute overview of Envoy Proxy, covering its fundamental building blocks—listeners, routes, clusters, and filters—and demonstrates a simple configuration that routes traffic based on URI paths to backend services.