Configuring Envoy as an edge proxy

Envoy is a production-ready edge proxy; however, its default settings are tailored for the service-mesh use case, and some values need to be adjusted when using Envoy as an edge proxy.

TCP proxies should configure:

HTTP proxies should additionally configure:

The following is a YAML example of the above recommendations (taken from the Google VRP edge server configuration):

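  # Envoy bootstrap for the edge-proxy use case (Google VRP edge server configuration).
  # The sizes and limits below were chosen for one deployment; re-tune them per host.
  overload_manager:
    refresh_interval: 0.25s
    resource_monitors:
      - name: "envoy.resource_monitors.fixed_heap"
        typed_config:
          "@type": type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig
          # TODO: Tune for your system.
          max_heap_size_bytes: 2147483648  # 2 GiB
    actions:
      # Graduated response to memory pressure: first try to give memory back at 95% of
      # the heap limit, then stop accepting new requests at 98%, before the limit is hit.
      - name: "envoy.overload_actions.shrink_heap"
        triggers:
          - name: "envoy.resource_monitors.fixed_heap"
            threshold:
              value: 0.95
      - name: "envoy.overload_actions.stop_accepting_requests"
        triggers:
          - name: "envoy.resource_monitors.fixed_heap"
            threshold:
              value: 0.98
  admin:
    access_log_path: "/var/log/envoy_admin.log"
    address:
      socket_address:
        # Loopback only: the admin interface must not be reachable from the edge network.
        address: 127.0.0.1
        port_value: 9090
  static_resources:
    listeners:
      # `name` is the key that the runtime connection_limit under layered_runtime (below)
      # is looked up by; without it that per-listener limit never applies.
      - name: example_listener_name
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 443
        listener_filters:
          # Reads the SNI from the ClientHello so filter_chain_match.server_names below can be evaluated.
          - name: "envoy.filters.listener.tls_inspector"
            typed_config: {}
        per_connection_buffer_limit_bytes: 32768  # 32 KiB
        filter_chains:
          - filter_chain_match:
              server_names: ["example.com", "www.example.com"]
            transport_socket:
              name: envoy.transport_sockets.tls
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
                common_tls_context:
                  tls_certificates:
                    - certificate_chain: { filename: "certs/servercert.pem" }
                      private_key: { filename: "certs/serverkey.pem" }
            # Uncomment if Envoy is behind a load balancer that exposes client IP address using the PROXY protocol.
            # use_proxy_proto: true
            filters:
              - name: envoy.filters.network.http_connection_manager
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                  stat_prefix: ingress_http
                  # Edge listener: the connecting peer is the client, so its address is used
                  # directly instead of trusting a client-supplied x-forwarded-for header.
                  use_remote_address: true
                  common_http_protocol_options:
                    idle_timeout: 3600s  # 1 hour
                    # Reject (rather than silently drop or pass through) headers containing underscores.
                    headers_with_underscores_action: REJECT_REQUEST
                  http2_protocol_options:
                    max_concurrent_streams: 100
                    initial_stream_window_size: 65536  # 64 KiB
                    initial_connection_window_size: 1048576  # 1 MiB
                  stream_idle_timeout: 300s  # 5 mins, must be disabled for long-lived and streaming requests
                  request_timeout: 300s  # 5 mins, must be disabled for long-lived and streaming requests
                  route_config:
                    virtual_hosts:
                      - name: default
                        domains: "*"
                        routes:
                          - match: { prefix: "/" }
                            route:
                              cluster: service_foo
                              idle_timeout: 15s  # must be disabled for long-lived and streaming requests
    # `clusters` is a repeated field: each cluster is a list entry, not a bare mapping.
    clusters:
      - name: service_foo
        connect_timeout: 15s
        per_connection_buffer_limit_bytes: 32768  # 32 KiB
        load_assignment:
          # NOTE(review): this does not match the cluster `name` above; presumably harmless
          # for a static cluster, but aligning the two avoids confusion — confirm.
          cluster_name: some_service
          endpoints:
            - lb_endpoints:
                - endpoint:
                    address:
                      socket_address:
                        address: 127.0.0.1
                        port_value: 8080
        http2_protocol_options:
          initial_stream_window_size: 65536  # 64 KiB
          initial_connection_window_size: 1048576  # 1 MiB
  layered_runtime:
    layers:
      - name: static_layer_0
        static_layer:
          envoy:
            resource_limits:
              listener:
                # Keyed by the listener's `name` (set on the listener above).
                example_listener_name:
                  connection_limit: 10000
            overload:
              global_downstream_max_connections: 50000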