Envoy, the new darling of the DevOps community, performs the role of a service and edge proxy. With advanced features such as timeouts, rate limiting, circuit breaking, load balancing, retries, stats, logging, and distributed tracing are required to handle network failures in a fault tolerant and reliable way it’s a solid choice as an API gateway and/or to manage communications among microservices in order to ensure application performance.

Envoy’s out-of-process architecture can be used with any application, in any language or runtime; supported protocols and features include HTTP/2, gRPC, MongoDB, Redis, Thrift, external authorization, global rate limiting, a rich configuration API, and much more.

The project’s growing user community — which includes Airbnb, Booking.com, eBay, F5, Google, IBM, Lyft, Medium, Microsoft, Netflix, Pinterest, Salesforce, Square, Stripe, Tencent, Twilio, Verizon, VSCO, and many more — has submitted over 3,000 commits to date.

Today, the Cloud Native Computing Foundation® (CNCF®) announced that Envoyproxy is now the third project to graduate, following Kubernetes and Prometheus. To graduate, the projects must demonstrate thriving adoption, a documented neutral governance process, multi-organization committership, and a strong commitment to community sustainability and inclusivity.

“Envoy Proxy has rapidly become the industry leading cloud native L7 proxy. Thousands of organizations have deployed Envoy on Kubernetes with the Ambassador API Gateway,” said Richard Li, CEO of Datawire. “We love Envoy’s feature set and industry-leading architecture and we are thrilled to be a part of Envoy’s vibrant community.

Since Wallarm focus is on the application and API security, that’s what we’ve looked for in Envoy as well. Overall, we feel the project is robust from the security standpoint, mainly because of the consistent C++ code architecture and a good test coverage. The solid security posture is also confirmed by code and 3rd party security audit.

“I want to specifically mention that the contributors included some fuzzing tests to increase security testing coverage which is a de-facto standard nowadays for quality testing practices,” said Ivan Novkov, Wallarm CEO.

Since the project is young it doesn’t have a lot of legacy code and backward compatible limitations, which is a distinct advantage in comparison to the legacy solutions like Apache. At the same time, we can expect a lot of implementation issues and security problems related to misconfigurations just because the community doesn’t have nearly as much experience with Envoyproxy as, say, with NGINX. We wouldn’t be surprised if we see a sophisticated SSRF on Envoy in the near future due to a misconfiguration.

For downloads, documentation, and background on getting involved with the Envoyproxy project, visit https://github.com/envoyproxy/envoy.

See the official announcement: https://www.cncf.io/announcement/2018/11/28/cncf-announces-envoy-graduation/

See settings: Configuration options for the Envoy‑based Wallarm node