Hao Liang's Blog

Embrace the World with Cloud Native and Open-source

【Envoy-04】Envoy xDS Dynamic Configuration and Control Plane Interactions

1. Interacting with the Control Plane. What's a control plane? To manage all these configuration files in a central place, we need to introduce a control plane. The control plane propagates all the network configuration to the data plane. Why is it useful? The control plane subscribes to configuration updates; whenever a cluster changes or routes or listeners are added, the control plane sends those updates to Envoy, which applies the new configuration dynamically without restarting.

【Envoy-03】Securing Envoy Proxy

1. Envoy Threat Model (refer to: threat_model). The threat model is: identifying and enumerating threats and vulnerabilities; devising mitigations; prioritising residual risks; escalating the most important risks. Why threat model? Identify security flaws early; save money and time-consuming redesigns; focus your security requirements; identify complex risks and data flows for critical assets. 2. Configuration Best Practices (refer to: best_practices/edge). An example to run Envoy with a secure config: # https://github.com/solo-io/hoot/blob/master/03-security/edge.yaml admin: # access log to admin interface access_log_path: "/tmp/envoy_admin.

【Envoy-02】Monitoring, Performance, and Troubleshooting

1. Envoy Observability. Concept: mechanisms to observe Envoy's state; debugging and monitoring Envoy. Overview: admin interface (stats, config dump, clusters, log level), debug logs, access logs, metrics collection, tracing. 2. Admin Interface. /stats: histogram metrics and the current status of Envoy (e.g. how many requests, how many succeeded, how many failed); /config_dump: dump the current internal Envoy configuration; /clusters: actual membership of clusters; /logging: Envoy logs. # https://github.com/solo-io/hoot/blob/master/02-observe/stats.yaml admin: access_log_path: /dev/stdout address: socket_address: { address: 127.

【Envoy-01】Architecture Overview and Fundamentals

I've been re-learning Envoy recently since it's a powerful L4/L7 proxy widely used in multiple open-source projects (e.g. Istio, Cilium, Envoy Gateway). Back in 2019, I first got to know Service Mesh; the first Service Mesh open-source project I got involved in was Istio, which was already using Envoy as its L4/L7 proxy for traffic management. At that time, I wasn't interested in Envoy, presumably because it's written in C++, which is considered a 'the deeper you get, the harder it gets' language.