Concepts on Envoy Gateway

The Gateway API

Mon, 01 Jan 0001 00:00:00 +0000

Before You Begin

You may want to be familiar with:

Overview

The Gateway API is a Kubernetes API designed to provide a consistent, expressive, and extensible method for managing network traffic into and within a Kubernetes cluster, compared to the legacy Ingress API. It introduces core resources such as GatewayClass and Gateway and various route types like HTTPRoute and TLSRoute, which allow you to define how traffic is routed, secured, and exposed.

API Gateways

Mon, 01 Jan 0001 00:00:00 +0000

Overview

An API gateway is a centralized entry point for managing, securing, and routing requests to backend services. It handles cross-cutting concerns, like authentication, rate limiting, and protocol translation, so individual services don’t have to. Decoupling clients from internal systems simplifies scaling, enforces consistency, and reduces redundancy.

Use Cases

Use an API Gateway to:

Avoid duplicating logic across microservices.
Create a central point of control for access, monitoring, and traffic rules.
Expose internal services to the public internet.
Provide protocol support for HTTP, gRPC, or TLS.
Enforce policies and see traffic metrics at the edge.

API Gateways in relation to Envoy Gateway

Under the hood, Envoy Proxy is a powerful, production-grade proxy that supports many of the capabilities you’d expect from an API Gateway, like traffic routing, retries, TLS termination, observability, and more. However, configuring Envoy directly can be complex and verbose.

Proxy

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A proxy server is an intermediary between a client (like a web browser) and another server (like an API server). When the client makes a request, the proxy forwards it to the destination server, receives the response, and then sends it back to the client.

Proxies are used to enhance security, manage traffic, anonymize user activity, or optimize performance through caching and load balancing features. In cloud environments, they often handle critical tasks such as request routing, TLS termination, authentication, and traffic shaping.

Envoy Gateway Resources

Mon, 01 Jan 0001 00:00:00 +0000

There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with.

Overview

There are several resources that play a part in enabling you to meet your Kubernetes ingress traffic handling needs. This page provides a brief overview of the resources you’ll be working with.

Kubernetes Gateway API Resources

GatewayClass: Defines a class of Gateways with common configuration.
Gateway: Specifies how traffic can enter the cluster.
Routes: HTTPRoute, GRPCRoute, TLSRoute, TCPRoute, UDPRoute: Define routing rules for different types of traffic.

Envoy Gateway (EG) API Resources

EnvoyProxy: Represents the deployment and configuration of the Envoy proxy within a Kubernetes cluster, managing its lifecycle and settings.
EnvoyPatchPolicy, ClientTrafficPolicy, SecurityPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, BackendTLSPolicy: Additional policies and configurations specific to Envoy Gateway.
Backend: A resource that makes routing to cluster-external backends easier and makes access to external processes via Unix Domain Sockets possible.

Resource	API	Required	Purpose	References	Description
GatewayClass	Gateway API	Yes	Gateway Config	Core	Defines a class of Gateways with common configuration.
Gateway	Gateway API	Yes	Gateway Config	GatewayClass	Specifies how traffic can enter the cluster.
HTTPRoute GRPCRoute TLSRoute TCPRoute UDPRoute	Gateway API	Yes	Routing	Gateway	Define routing rules for different types of traffic. Note:For simplicity these resources are referenced collectively as Route in the References column
Backend	EG API	No	Routing	N/A	Used for routing to cluster-external backends using FQDN or IP. Can also be used when you want to extend Envoy with external processes accessed via Unix Domain Sockets.
ClientTrafficPolicy	EG API	No	Traffic Handling	Gateway	Specifies policies for handling client traffic, including rate limiting, retries, and other client-specific configurations.
BackendTrafficPolicy	EG API	No	Traffic Handling	Gateway, Route	Specifies policies for traffic directed towards backend services, including load balancing, health checks, and failover strategies. Note:Most specific configuration wins
SecurityPolicy	EG API	No	Security	Gateway, Route	Defines security-related policies such as authentication, authorization, and encryption settings for traffic handled by Envoy Gateway. Note:Most specific configuration wins
BackendTLSPolicy	Gateway API	No	Security	Service	Defines TLS settings for backend connections, including certificate management, TLS version settings, and other security configurations. This policy is applied to Kubernetes Services.
EnvoyProxy	EG API	No	Customize & Extend	GatewayClass, Gateway	The EnvoyProxy resource represents the deployment and configuration of the Envoy proxy itself within a Kubernetes cluster, managing its lifecycle and settings. Note:Most specific configuration wins
EnvoyPatchPolicy	EG API	No	Customize & Extend	GatewayClass, Gateway	This policy defines custom patches to be applied to Envoy Gateway resources, allowing users to tailor the configuration to their specific needs. Note:Most specific configuration wins
EnvoyExtensionPolicy	EG API	No	Customize & Extend	Gateway, Route, Backend	Allows for the configuration of Envoy proxy extensions, enabling custom behavior and functionality. Note:Most specific configuration wins
HTTPRouteFilter	EG API	No	Customize & Extend	HTTPRoute	Allows for the additional request/response processing.

Load Balancing

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Load balancing distributes incoming requests across multiple backend services to improve availability, responsiveness, and scalability. Instead of directing all traffic to a single backend, which can cause slowdowns or outages, load balancing spreads the load across multiple instances, helping your applications stay fast and reliable under pressure.

Use Cases

Use load balancing to:

Handle high traffic by distributing it across multiple service instances
Keep services available even if one or more backends go down
Improve response time by routing to less busy or closer backends

Load Balancing in Envoy Gateway

Envoy Gateway supports several load balancing strategies that determine how traffic is distributed across backend services. These strategies are configured using the BackendTrafficPolicy resource and can be applied to Gateway, HTTPRoute, or GRPCRoute resources either by directly referencing them using the targetRefs field or by dynamically selecting them using the targetSelectors field, which matches resources based on Kubernetes labels.

Rate Limiting

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Rate limiting is a technique for controlling the number of incoming requests over a defined period. It can be used to control usage for business purposes, like agreed usage quotas, or to ensure the stability of a system, preventing overload and protecting the system from, e.g., Denial of Service attacks.

Use Cases

Rate limiting is commonly used to:

Prevent Overload: Protect internal systems like databases from excessive traffic.
Enhance Security: Block or limit abusive behavior such as brute-force attempts or DDoS attacks.
Ensure Fair Usage: Enforce quotas and prevent resource hogging by individual clients.
Implement Entitlements: Define API usage limits based on user identity or role.

Rate Limiting in Envoy Gateway

Envoy Gateway supports two types of rate limiting: