What is Envoy Gateway, and why is it required for Kubernetes?

Envoy proxy, the data plane of the Istio service mesh, is used for handling east-west traffic (service-to-service communication within a data center). However, to make Istio manage a network of multicloud applications, Envoy was configured as a sidecar proxy for handling north-south traffic (traffic in and out of data centers). Application developers found it difficult to configure Envoy proxy as an API gateway and ingress controller. This was time-consuming, which led the community to use the Kubernetes Gateway API as part of the Envoy project and eventually build Envoy Gateway.

The project was started by a few community members: Matt Klein (founder of Envoy at Lyft), Ambassador Labs, Fidelity Investments, Tetrate, and VMware. The community has merged a few CNCF projects, such as Contour, Emissary, and K8s Gateway API, into Envoy Gateway to provide seamless onboarding.

Introducing Envoy Gateway

Envoy Gateway lets developers use Envoy proxy as an API gateway or ingress controller for multicluster and multicloud traffic handling use cases. Envoy Gateway can also act as the control plane that manages Envoy proxies in cloud applications.

Features of Envoy Gateway

6 key features of Envoy Gateway are:

  1. API, based on Gateway API with Envoy extensions, to handle north-south traffic.
  2. Advanced load balancing and traffic management capabilities.
  3. xDS control plane for service discovery.
  4. Provisioning and dynamic configuration updates for Envoy proxy and ingress.
  5. Extended support for multiclouds and VMs.
  6. TLS certificate delegation.

Envoy Gateway offers multiple features that make it appealing for various teams. For example, developers can use Envoy Gateway as an API gateway for lighter use cases. In addition, Ops or infrastructure teams can use Envoy Gateway to maintain the fleet of Envoy proxies in a service mesh.
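
As an added example (not taken from the original article or from the Envoy Gateway project), the manifests below show what Gateway API based configuration for north-south traffic looks like when Envoy Gateway is the controller: TLS is terminated at the listener, and only labelled namespaces may attach routes to it. They assume the Gateway API v1 CRDs and Envoy Gateway are installed; the names eg, edge, infra, shop and shop-web, the hostname, the Secret and the gateway-access label are constructed for illustration.

```yaml
# GatewayClass: hands every Gateway of class "eg" to the Envoy Gateway controller.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg                               # constructed name
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
# Gateway: one HTTPS listener for north-south traffic, owned by the infra team.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge                             # constructed name
  namespace: infra                       # constructed namespace
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: shop.example.com         # constructed hostname
      tls:
        mode: Terminate                  # TLS ends at the Envoy proxy
        certificateRefs:
          - kind: Secret                 # kubernetes.io/tls Secret, same namespace
            name: shop-example-com-tls   # constructed name; key never leaves "infra"
      allowedRoutes:
        namespaces:
          from: Selector                 # default is Same; All would let any namespace attach
          selector:
            matchLabels:
              gateway-access: edge       # constructed label that gates route attachment
---
# HTTPRoute: application team's route; its namespace must carry gateway-access=edge.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop
  namespace: shop                        # constructed namespace
spec:
  parentRefs:
    - name: edge
      namespace: infra
      sectionName: https                 # bind to the HTTPS listener only
  hostnames:
    - shop.example.com
  rules:
    - backendRefs:                       # no matches given: defaults to path prefix "/"
        - name: shop-web                 # constructed Service name
          port: 8080
```

The Gateway status conditions and the HTTPRoute's Accepted condition show whether the listener was programmed and whether the route was allowed to attach.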

Architecture of Envoy Gateway

Envoy Gateway provides a control plane (just like Istio) to manage the fleet of Envoy proxies and supports lightweight API use cases. The components inside Envoy Gateway are:

  • Provider: an infrastructure component that Envoy Gateway calls to establish the runtime (or dynamic) configuration, resolve services, etc. Currently, the provider only supports Kubernetes.
  • Resource Watcher: a component that watches resources used to establish and maintain Envoy Gateway’s dynamic configuration.
  • Resource Translator: a component responsible for translating the configuration resources from the Resource Watcher into Infrastructure or xDS resources.
  • Intermediate Representation (IR): used for defining internal data models that external resources are translated into to decouple Envoy Gateway from the external resources used for dynamic configuration. It consists of two sub-components – Infra IR and xDS IR. The Infra IR is used as the definition of the managed data plane and input for Infra Manager. On the other hand, xDS IR is used to define the xDS configurations and as an input to xDS Translator.
  • xDS Translator: converts the inputs (configuration) from xDS IR into xDS resources for the xDS Server.
  • xDS Server: a control plane that implements the xDS server protocol and configures the data plane.
  • Infra Manager: manages all the infrastructure required to run the Envoy proxies in the data plane and to implement control plane functionalities such as integration of Gateway and managed proxies.
Envoy Gateway architecture

Sources: gateway.envoyproxy.io

Advantages of Envoy Gateway

  • Improved developer experience: With the ability to get started with Envoy as an API gateway and ingress controller native to Kubernetes and Istio, developers don’t have to spend any effort developing or extending Envoy. Also, developers don’t need another piece of software (not native to Istio), such as NGINX or HAProxy.
  • Less time to maintain Envoy: Infra and Ops teams can use Envoy Gateway to automatically perform lifecycle management that provisions controller resources, control plane resources, proxy instances, etc.
  • Use it anytime and anywhere: Since Envoy Gateway is open source, vendors like IMESH provide both SaaS and managed versions of Envoy Gateway for various enterprise use cases.
  • Easy migration from Contour and Emissary: Since Envoy Gateway is built on top of the open source projects Contour and Emissary, the community will ensure that users can easily migrate to Envoy Gateway without any hassle.

Getting started with Envoy Gateway

If you want to start implementing Envoy Gateway, you can refer to the GitHub repository: https://github.com/envoyproxy/gateway.

You can also watch the video by Ravi Verma, CTO of IMESH, explaining how to deploy the Envoy API Gateway for the Kubernetes cluster.


IMESH offers solutions to help you avoid errors during the experimentation of implementing Istio and fend off operational issues. IMESH provides a platform built on top of Istio and Envoy API gateway to help start with Istio from Day-1. IMESH Istio platform is hardened for production and is fit for multi-cloud and hybrid cloud applications. IMESH also provides consulting services and expertise to help you adopt Istio rapidly in your organization.

IMESH also provides a strong visibility layer on top of Istio which provides Ops and SREs a multicluster view of services, dependencies, and network traffic. The visibility layer also provides details of logs, metrics, and traces to help Ops folks to troubleshoot any network issues faster.

Debasree Panda

Debasree is the CEO of IMESH. He understands customer pain points in cloud and microservice architecture. Previously, he led product marketing and market research teams at Digitate and OpsMx, where he created a multi-million dollar sales pipeline. He has helped open-source solution providers (Tetrate, OtterTune, and Devtron) design GTM from scratch and achieve product-led growth. He firmly believes serendipity happens to diligent and righteous people.