Configuring Envoy as an edge proxy

Envoy is a production-ready edge proxy, however, the default settings are tailored for the service mesh use case, and some values need to be adjusted when using Envoy as an edge proxy.

TCP proxies should configure:

HTTP proxies should additionally configure:

The following is a YAML example of the above recommendation.

  1. overload_manager:
  2.   refresh_interval: 0.25s
  3.   resource_monitors:
  4.   - name: "envoy.resource_monitors.fixed_heap"
  5.     config:
  6.       # TODO: Tune for your system.
  7.       max_heap_size_bytes: 2147483648 # 2 GiB
  8.   actions:
  9.   - name: "envoy.overload_actions.shrink_heap"
  10.     triggers:
  11.     - name: "envoy.resource_monitors.fixed_heap"
  12.       threshold:
  13.         value: 0.95
  14.   - name: "envoy.overload_actions.stop_accepting_requests"
  15.     triggers:
  16.     - name: "envoy.resource_monitors.fixed_heap"
  17.       threshold:
  18.         value: 0.98
  20. admin:
  21.   access_log_path: "/var/log/envoy_admin.log"
  22.   address:
  23.     socket_address:
  24.       address: 127.0.0.1
  25.       port_value: 9090
  27. static_resources:
  28.   listeners:
  29.   - address:
  30.       socket_address:
  31.         address: 0.0.0.0
  32.         port_value: 443
  33.     listener_filters:
  34.     - name: "envoy.listener.tls_inspector"
  35.       typed_config: {}
  36.     per_connection_buffer_limit_bytes: 32768 # 32 KiB
  37.     filter_chains:
  38.     - filter_chain_match:
  39.         server_names: ["example.com", "www.example.com"]
  40.       tls_context:
  41.         common_tls_context:
  42.           tls_certificates:
  43.           - certificate_chain: { filename: "example_com_cert.pem" }
  44.             private_key: { filename: "example_com_key.pem" }
  45.       filters:
  46.       - name: envoy.http_connection_manager
  47.         typed_config:
  48.           "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
  49.           stat_prefix: ingress_http
  50.           use_remote_address: true
  51.           # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
  52.           # use_proxy_proto: true
  53.           common_http_protocol_options:
  54.             idle_timeout: 3600s # 1 hour
  55.           http2_protocol_options:
  56.             max_concurrent_streams: 100
  57.             initial_stream_window_size: 65536 # 64 KiB
  58.             initial_connection_window_size: 1048576 # 1 MiB
  59.           stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
  60.           request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
  61.           route_config:
  62.             virtual_hosts:
  63.             - name: default
  64.               domains: "*"
  65.               routes:
  66.               - match: { prefix: "/" }
  67.                 route:
  68.                   cluster: service_foo
  69.                   idle_timeout: 15s # must be disabled for long-lived and streaming requests
  70.   clusters:
  71.     name: service_foo
  72.     connect_timeout: 15s
  73.     per_connection_buffer_limit_bytes: 32768 # 32 KiB
  74.     hosts:
  75.       socket_address:
  76.         address: 127.0.0.1
  77.         port_value: 8080
  78.     http2_protocol_options:
  79.       initial_stream_window_size: 65536 # 64 KiB
  80.       initial_connection_window_size: 1048576 # 1 MiB