Configuring Envoy as an edge proxy

Envoy is a production-ready edge proxy; however, its default settings are tailored for the service mesh use case, and some values need to be adjusted when using Envoy as an edge proxy.

TCP proxies should configure:

HTTP proxies should additionally configure:

The following YAML example applies the recommendations above.

# Protect the process from memory exhaustion under load: ask the allocator to
# give back free memory early, and stop admitting new requests before the heap
# limit is actually reached.
overload_manager:
  refresh_interval: 0.25s
  resource_monitors:
  - name: 'envoy.resource_monitors.fixed_heap'
    # NOTE(review): `config` is the untyped (Struct) form; newer Envoy
    # versions prefer `typed_config` here -- confirm for the version in use.
    config:
      # TODO: Tune for your system.
      max_heap_size_bytes: 2147483648 # 2 GiB
  actions:
  # Thresholds are fractions of max_heap_size_bytes reported by the monitor.
  - name: 'envoy.overload_actions.shrink_heap'
    triggers:
    - name: 'envoy.resource_monitors.fixed_heap'
      threshold: { value: 0.95 }
  # Refusing new requests is preferable to being killed for exceeding memory.
  - name: 'envoy.overload_actions.stop_accepting_requests'
    triggers:
    - name: 'envoy.resource_monitors.fixed_heap'
      threshold: { value: 0.98 }

# Admin interface. It is unauthenticated and exposes config dumps, stats and
# control endpoints, so keep it bound to loopback (or an equally restricted
# address) and never route it through the public listener.
admin:
  access_log_path: '/var/log/envoy_admin.log'
  address:
    socket_address:
      address: '127.0.0.1'
      port_value: 9090

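static_resources:
  listeners:
  # Public HTTPS listener. TLS terminates here, so the per-connection buffer
  # limit and the HTTP/2 window sizes below bound the memory one client can pin.
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    listener_filters:
    # Reads the SNI from the ClientHello so filter_chain_match.server_names
    # below can select the chain.
    - name: "envoy.listener.tls_inspector"
      typed_config: {}
    per_connection_buffer_limit_bytes: 32768 # 32 KiB
    filter_chains:
    - filter_chain_match:
        server_names: ["example.com", "www.example.com"]
      tls_context:
        common_tls_context:
          # NOTE(review): no tls_params are set, so the minimum TLS version and
          # cipher list are Envoy's defaults for the version in use; pin them
          # with tls_params.tls_minimum_protocol_version if policy requires.
          tls_certificates:
          - certificate_chain: { filename: "example_com_cert.pem" }
            private_key: { filename: "example_com_key.pem" }
      filters:
      - name: "envoy.http_connection_manager"
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          # Take the client address from the TCP peer rather than from an
          # inbound x-forwarded-for header; correct when Envoy is the first hop
          # clients reach (see the HttpConnectionManager field docs).
          use_remote_address: true
          # Uncomment only if Envoy is behind a load balancer that exposes the
          # client IP address using the PROXY protocol AND this listener is
          # reachable solely from that load balancer; otherwise the PROXY header
          # is client-controlled and the logged client address cannot be trusted.
          # NOTE(review): newer Envoy versions deprecate this field in favor of the
          # envoy.listener.proxy_protocol listener filter -- confirm for your version.
          # use_proxy_proto: true
          common_http_protocol_options:
            idle_timeout: 3600s # 1 hour
          http2_protocol_options:
            max_concurrent_streams: 100
            initial_stream_window_size: 65536 # 64 KiB
            initial_connection_window_size: 1048576 # 1 MiB
          stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
          route_config:
            virtual_hosts:
            - name: default
              # `domains` is a repeated field; write it as a list.
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: service_foo
                  idle_timeout: 15s # must be disabled for long-lived and streaming requests
  clusters:
  # `clusters` is a repeated field: each cluster is a list item.
  - name: service_foo
    connect_timeout: 15s
    per_connection_buffer_limit_bytes: 32768 # 32 KiB
    # `hosts` is also repeated, one entry per upstream address.
    # NOTE(review): the v2 `hosts` field has been superseded by `load_assignment`;
    # confirm it is still accepted by the Envoy version you target.
    hosts:
    - socket_address:
        address: 127.0.0.1
        port_value: 8080
    http2_protocol_options:
      initial_stream_window_size: 65536 # 64 KiB
      initial_connection_window_size: 1048576 # 1 MiB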