Envoy proxy, the data plane of the Istio service mesh, is used for handling east-west traffic (service-to-service communication within a data center). However, to make Istio manage a network of multicloud applications, Envoy was configured as a sidecar proxy for handling north-south traffic (traffic in and out of data centers).
Application developers found it difficult and time-consuming to configure Envoy proxy as an API gateway and ingress controller. This led the community to use the Kubernetes Gateway API as a part of the Envoy project and eventually build Envoy Gateway.
The project was started by a few community members: Matt Klein (founder of Envoy at Lyft), Ambassador Labs, Fidelity Investments, Tetrate, and VMware. The community has merged a few CNCF projects, such as Contour, Emissary, and K8s Gateway API, into Envoy Gateway to provide seamless onboarding.
Introducing Envoy Gateway
Envoy Gateway lets developers extend Envoy proxy as an API gateway or ingress controller for multi-cluster and multi-cloud traffic handling use cases. Envoy Gateway can also act as the control plane that manages Envoy proxies in cloud applications.
Features of Envoy Gateway
Six key features of Envoy Gateway are:
- An API, based on Gateway API with Envoy extensions, to handle north-south traffic.
- Advanced load balancing and traffic management capabilities.
- xDS control plane for service discovery.
- Provisioning and dynamic configuration updates for Envoy proxy and ingress.
- Extended support for multi-cloud and VMs.
- TLS certificate delegation.
Envoy Gateway offers multiple features that make it appealing for various teams; e.g., developers can use Envoy Gateway as an API gateway for lighter use cases. In addition, ops or infrastructure teams can use Envoy Gateway to maintain the fleet of Envoy proxies in a service mesh.
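The first feature in the list, written out as manifests: a minimal set of Gateway API resources that Envoy Gateway reconciles into an HTTPS entry point for north-south traffic. This is an added example, not taken from the original article or from the Envoy Gateway project; the resource names, namespaces, label and hostname are constructed placeholders, and only core Gateway API fields are used (no Envoy extensions).

```yaml
# Added example; names, namespaces, label and hostname are constructed placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  # Controller name that Envoy Gateway registers for the GatewayClasses it manages.
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge
  namespace: infra
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "shop.example.com"
      tls:
        mode: Terminate              # TLS ends at the Envoy proxy
        certificateRefs:
          - kind: Secret
            name: shop-example-com-tls   # kubernetes.io/tls Secret in "infra"
      allowedRoutes:
        namespaces:
          from: Selector             # only labelled namespaces may attach routes
          selector:
            matchLabels:
              gateway-access: edge
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop
  namespace: shop                    # must carry the label gateway-access=edge
spec:
  parentRefs:
    - name: edge
      namespace: infra
      sectionName: https
  hostnames: ["shop.example.com"]
  rules:
    - matches:
        - path: { type: PathPrefix, value: /api }
      backendRefs:
        - name: shop-api
          port: 8080
```

The `allowedRoutes` selector is the control to review first: with `from: All`, any namespace in the cluster can attach a route to the public listener.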
Architecture of Envoy Gateway
Envoy Gateway provides a control plane (just like Istio) to manage the fleet of Envoy proxies and supports lightweight API use cases. The various components inside Envoy Gateway are:
- Provider: An infrastructure component that Envoy Gateway calls to establish the runtime (or dynamic) configuration, resolve services, etc. Currently, the provider only supports Kubernetes.
- Resource Watcher: A component that watches resources used to establish and maintain Envoy Gateway’s dynamic configuration.
- Resource Translator: A component responsible for translating the configuration resources from the Resource Watcher into Infrastructure or xDS resources.
- Intermediate Representation (IR): Used for defining internal data models that external resources are translated into to decouple Envoy Gateway from the external resources used for dynamic configuration. It consists of two sub-components — Infra IR and xDS IR. The Infra IR is used as the definition of the managed data plane and input for Infra Manager. On the other hand, xDS IR is used to define the xDS configurations and as an input to xDS Translator.
- xDS Translator: Converts the inputs (configuration) from xDS IR into xDS resources for xDS Server.
- xDS Server: A control plane to implement the xDS server protocol and configure the data plane.
- Infra Manager: Manages all the infrastructure required to run the Envoy proxies in the data plane and to implement control plane functionalities such as integration of Gateway and managed proxies.
Source: gateway.envoyproxy.io
Advantages of Envoy Gateway
- Improved developer experience: With the ability to get started with Envoy as an API gateway and ingress controller native to Kubernetes and Istio, developers don’t have to spend any effort developing or extending Envoy. Also, developers don’t need another piece of software (not native to Istio), such as NGINX or HAProxy.
- Less time to maintain Envoy: Infra and ops teams can use Envoy Gateway to automatically perform lifecycle management functionality that provisions controller resources, control plane resources, proxy instances, etc.
- Easy migration from Contour and Emissary: Since Envoy Gateway is built on top of the open-source projects Contour and Emissary, the community will ensure that users can easily migrate to Envoy Gateway without any hassle.