Proxy & Load Balancer Guide

    Envoy Proxy Deployment

    Envoy is a high-performance, open-source edge and service proxy designed for cloud-native applications. Originally developed at Lyft, it serves as the backbone for service mesh implementations like Istio. Deploy it on RamNode's reliable VPS hosting.

    Ubuntu 22.04 / Debian 12
    L4/L7 Proxy
    ⏱️ 20-30 minutes

    What is Envoy?

    Envoy is a high-performance, open-source edge and service proxy designed for cloud-native applications. It provides advanced features for modern microservices architectures.

    Key Features

    • L4/L7 proxy (TCP, UDP, HTTP/1.1, HTTP/2, gRPC)
    • Dynamic configuration via xDS APIs
    • Multiple load balancing algorithms
    • Built-in observability with Prometheus-compatible metrics
    • Automatic TLS certificate rotation
    • Global and local rate limiting

    Use Cases

    • Edge proxy / API gateway
    • Service mesh sidecar (Istio)
    • Load balancer with health checks
    • TLS termination
    • gRPC transcoding
    • Circuit breaking

    Prerequisites

    Before we begin, ensure your RamNode VPS meets these requirements:

    Server Requirements

    • Ubuntu 22.04 LTS or Debian 12
    • Minimum 512MB RAM (1GB+ recommended)
    • 1+ vCPU cores
    • 500MB disk space for binary and logs
    • Public IP with ports 80/443 accessible

    Required Ports

    • 80/TCP: HTTP traffic
    • 443/TCP: HTTPS traffic
    • 10000/TCP: Default Envoy port
    • 9901/TCP: Admin interface (localhost only)

    Installation

    There are several ways to install Envoy. We'll cover the three most common methods.

    Method 1: APT Package Manager (Recommended)

    Install Dependencies
    sudo apt update
    sudo apt install -y apt-transport-https gnupg2 curl lsb-release
    Add Envoy GPG Key and Repository
    curl -sL 'https://deb.dl.getenvoy.io/public/gpg.8115BA8E629CC074.key' | \
    sudo gpg --dearmor -o /usr/share/keyrings/getenvoy-keyring.gpg
    
    echo "deb [signed-by=/usr/share/keyrings/getenvoy-keyring.gpg] \
    https://deb.dl.getenvoy.io/public/deb/ubuntu $(lsb_release -cs) main" | \
    sudo tee /etc/apt/sources.list.d/getenvoy.list
    Install Envoy
    sudo apt update
    sudo apt install -y getenvoy-envoy
    envoy --version

    Method 2: Docker Container

    Run Envoy in Docker
    # Install Docker if needed
    curl -fsSL https://get.docker.com | sudo sh
    sudo usermod -aG docker $USER
    # Log out and back in (or run: newgrp docker) for the group change to take effect
    
    # Pull and run Envoy; publish the admin port on the loopback interface only,
    # so port 9901 is not reachable from the public IP
    docker pull envoyproxy/envoy:v1.31-latest
    docker run -d --name envoy \
      -p 10000:10000 \
      -p 127.0.0.1:9901:9901 \
      envoyproxy/envoy:v1.31-latest

    ⚠️ Note: The admin interface runs on port 9901 by default. Restrict access to this port in production.

    Method 3: Pre-built Binary

    Download Binary Directly
    ENVOY_VERSION="1.31.0"
    curl -L https://github.com/envoyproxy/envoy/releases/download/v${ENVOY_VERSION}/envoy-${ENVOY_VERSION}-linux-x86_64 \
      -o /tmp/envoy
    # /usr/local/bin is root-owned, so install with sudo (sets mode 0755)
    sudo install -m 0755 /tmp/envoy /usr/local/bin/envoy
    envoy --version

    Configuration

    Envoy uses YAML-based configuration files with several key sections:

    Configuration Structure

    • static_resources: Listeners, clusters, secrets loaded at startup
    • listeners: Network locations where Envoy listens
    • clusters: Upstream services for routing
    • admin: Admin HTTP interface configuration
    • dynamic_resources: xDS API endpoints
    Create Configuration Directory
    sudo mkdir -p /etc/envoy
    sudo nano /etc/envoy/envoy.yaml
    Basic Reverse Proxy Configuration (envoy.yaml)
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 10000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                name: local_route
                virtual_hosts:
                - name: backend
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: backend_service
              http_filters:
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    
      clusters:
      - name: backend_service
        connect_timeout: 30s
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: backend_service
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1
                    port_value: 8080
    
    admin:
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 9901

    TLS/HTTPS Configuration

    Secure your Envoy proxy with TLS certificates from Let's Encrypt:

    Obtain SSL Certificates
    sudo apt install certbot -y
    sudo certbot certonly --standalone -d yourdomain.com
    TLS Listener Configuration
    listeners:
    - name: listener_https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 443
      filter_chains:
      - transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
              - certificate_chain:
                  filename: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
                private_key:
                  filename: /etc/letsencrypt/live/yourdomain.com/privkey.pem
              alpn_protocols: ["h2", "http/1.1"]
        filters:
        - name: envoy.filters.network.http_connection_manager
          # ... rest of HTTP connection manager config

    ⚠️ Warning: Ensure Envoy has read permissions for the certificate files. You may need to adjust file permissions or run Envoy as root.
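One way to do the permission adjustment instead of running as root, as an added example that is not part of the original guide: a certbot deploy hook that copies each renewed certificate into a directory the envoy service user can read. The hook path /etc/letsencrypt/renewal-hooks/deploy/envoy.sh, the staging directory /etc/envoy/certs (which the listener's certificate_chain and private_key filenames would then point at) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): certbot deploy hook that stages the
# renewed certificate and key where the unprivileged envoy user can read them.
# Assumed: installed as /etc/letsencrypt/renewal-hooks/deploy/envoy.sh, service
# user "envoy", and the TLS listener pointing at /etc/envoy/certs/{fullchain,privkey}.pem.

# install_envoy_certs SRC_DIR DST_DIR [OWNER]
# Copies fullchain.pem (mode 0644) and privkey.pem (mode 0640) into DST_DIR.
# With OWNER set, files and directory are chowned to it (needs root, as hooks have).
install_envoy_certs() {
    src="$1"; dst="$2"; owner="${3:-}"
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "install_envoy_certs: fullchain.pem or privkey.pem missing in $src" >&2
        return 1
    fi
    mkdir -p "$dst" && chmod 0750 "$dst" || return 1
    if [ -n "$owner" ]; then
        install -m 0644 -o "$owner" -g "$owner" "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
        install -m 0640 -o "$owner" -g "$owner" "$src/privkey.pem" "$dst/privkey.pem" || return 1
        chown "$owner:$owner" "$dst"
    else
        install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
        install -m 0640 "$src/privkey.pem" "$dst/privkey.pem" || return 1
    fi
}

# privkey_mode DST_DIR: octal mode of the staged key (expected "640", never world-readable).
privkey_mode() { stat -c '%a' "$1/privkey.pem"; }

# demo_stage: constructed placeholder PEM files in a temp dir, staged without chown;
# prints the resulting private-key mode and cleans up.
demo_stage() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/live"
    echo "-----BEGIN CERTIFICATE-----" > "$d/live/fullchain.pem"   # constructed placeholder
    echo "-----BEGIN PRIVATE KEY-----" > "$d/live/privkey.pem"     # constructed placeholder
    install_envoy_certs "$d/live" "$d/certs" && privkey_mode "$d/certs"
    rm -rf "$d"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/yourdomain.com) when it
# runs a deploy hook; outside certbot this file only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_envoy_certs "$RENEWED_LINEAGE" /etc/envoy/certs envoy || exit 1
    # Static tls_certificates are read at startup, so restart Envoy to load the new files.
    systemctl restart envoy
fi
```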


    Load Balancing

    Envoy supports multiple load balancing algorithms:

    Load Balancing Algorithms

    • ROUND_ROBIN: Equal distribution across all backends (default)
    • LEAST_REQUEST: Routes to backend with fewest active requests
    • RING_HASH: Consistent hashing for session affinity
    • RANDOM: Random selection for simple scenarios
    • MAGLEV: Consistent hashing with minimal disruption
    Cluster with Load Balancing and Health Checks
    clusters:
    - name: backend_cluster
      connect_timeout: 5s
      type: STRICT_DNS
      lb_policy: LEAST_REQUEST
      health_checks:
      - timeout: 5s
        interval: 10s
        unhealthy_threshold: 3
        healthy_threshold: 2
        http_health_check:
          path: /health
      load_assignment:
        cluster_name: backend_cluster
        endpoints:
        - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: backend1.internal
                  port_value: 8080
          - endpoint:
              address:
                socket_address:
                  address: backend2.internal
                  port_value: 8080
          - endpoint:
              address:
                socket_address:
                  address: backend3.internal
                  port_value: 8080

    Systemd Service Setup

    Create a systemd service for managing Envoy as a daemon:

    Create Service File
    sudo nano /etc/systemd/system/envoy.service
    Envoy Service Configuration
    [Unit]
    Description=Envoy Proxy
    Documentation=https://www.envoyproxy.io/
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=simple
    User=envoy
    Group=envoy
    # Adjust the path if Envoy was installed via APT (check with: which envoy)
    ExecStart=/usr/local/bin/envoy -c /etc/envoy/envoy.yaml
    # No ExecReload: Envoy logs and discards SIGHUP, so static config changes require a restart
    Restart=on-failure
    RestartSec=10
    LimitNOFILE=65536
    
    # Security hardening
    NoNewPrivileges=true
    ProtectSystem=strict
    ProtectHome=true
    ReadWritePaths=/var/log/envoy
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target
    Create User and Enable Service
    sudo useradd --system --no-create-home --shell /usr/sbin/nologin envoy
    sudo mkdir -p /var/log/envoy
    sudo chown envoy:envoy /var/log/envoy
    
    sudo systemctl daemon-reload
    sudo systemctl enable envoy
    sudo systemctl start envoy
    sudo systemctl status envoy

    Monitoring & Observability

    Envoy provides comprehensive statistics and monitoring out of the box.

    Admin Interface Endpoints

    • /stats: All statistics in plain text
    • /stats/prometheus: Prometheus-compatible metrics
    • /clusters: Cluster membership and health
    • /config_dump: Current configuration dump
    • /ready: Readiness check endpoint
    • /server_info: Server version info
    Prometheus Configuration
    scrape_configs:
    - job_name: 'envoy'
      metrics_path: /stats/prometheus
      static_configs:
      - targets: ['localhost:9901']

    💡 Tip: Access the admin interface at http://localhost:9901 for real-time statistics.


    Security Best Practices

    Follow these security recommendations for production deployments:

    Security Recommendations

    1. Restrict Admin Interface: Bind to localhost only, use SSH tunneling for remote access
    2. Enable TLS Everywhere: Use TLS for both downstream and upstream connections
    3. Implement Rate Limiting: Protect backends from abuse
    4. Use Network Policies: Configure firewall to allow only necessary ports
    5. Regular Updates: Keep Envoy updated for security patches
    6. Audit Logging: Enable access logging for security auditing
    Firewall Configuration
    # Allow HTTP/HTTPS traffic
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    
    # Allow Envoy proxy port (if using non-standard)
    sudo ufw allow 10000/tcp
    
    # Ensure admin port is NOT exposed publicly
    # Admin should only be accessible via localhost
    
    sudo ufw enable
    sudo ufw status
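An added check for recommendation 1 (example code, not from the guide): it extracts the admin socket_address from envoy.yaml and, where ss is available, lists any listener on the admin port that is not on a loopback address. The function names and the two sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm the Envoy admin interface
# is bound to loopback. Assumes the top-level "admin:" block with the nested
# socket_address layout shown in this guide; function names are ours.

# admin_bind FILE: prints "ADDRESS PORT" from the admin socket_address.
admin_bind() {
    awk '
        /^admin:/ { in_admin = 1; next }
        in_admin && /^[^ \t#]/ { in_admin = 0 }        # next top-level key ends the block
        in_admin && $1 == "address:" && NF == 2 { gsub(/"/, "", $2); addr = $2 }
        in_admin && $1 == "port_value:"         { gsub(/"/, "", $2); port = $2 }
        END { if (addr != "") print addr, port }
    ' "$1"
}

# check_admin_bind FILE: 0 if the admin address is loopback, 1 otherwise.
check_admin_bind() {
    file="$1"
    set -- $(admin_bind "$file")
    addr="${1:-}"; port="${2:-9901}"
    case "$addr" in
        127.*|::1|localhost) echo "OK: admin bound to $addr:$port"; return 0 ;;
        "") echo "FAIL: no admin socket_address in $file" >&2; return 1 ;;
        *)  echo "FAIL: admin bound to $addr:$port, reachable from the network" >&2; return 1 ;;
    esac
}

# exposed_listeners PORT: lists listening sockets on PORT whose local address is
# not loopback (empty output means nothing is exposed); skipped if ss is absent.
exposed_listeners() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -Hltn "sport = :$1" | awk '$4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Constructed sample configs for trying the checks offline.
SAMPLE_ADMIN_LOCAL='admin:
  address:
    socket_address:
      address: 127.0.0.1
      port_value: 9901'
SAMPLE_ADMIN_ANY='admin:
  address:
    socket_address:
      address: "0.0.0.0"
      port_value: 9901
static_resources: {}'
```

Run `check_admin_bind /etc/envoy/envoy.yaml && exposed_listeners 9901` before enabling the service; any address printed by the second command is an admin socket the firewall rules above would need to cover.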

    Troubleshooting

    Common Issues

    • Configuration syntax errors: Validate with envoy --mode validate -c /etc/envoy/envoy.yaml
    • Port already in use: Check with sudo lsof -i :10000
    • TLS handshake failures: Verify certificate paths and permissions
    • Upstream timeouts: Increase connect_timeout or check backend health
    • High memory usage: Tune connection limits and buffer sizes
    Diagnostic Commands
    # Validate configuration
    envoy --mode validate -c /etc/envoy/envoy.yaml
    
    # Check service logs
    sudo journalctl -u envoy -f
    
    # View active connections
    curl -s localhost:9901/stats | grep downstream_cx_active
    
    # Check cluster health
    curl -s localhost:9901/clusters | grep health_flags
    
    # Apply configuration changes (Envoy discards SIGHUP, so "reload" is a no-op;
    # validate first, then restart)
    envoy --mode validate -c /etc/envoy/envoy.yaml && sudo systemctl restart envoy
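To act on the /clusters output rather than eyeball the grep above, an added example (not from the guide) that parses the health_flags lines into a per-cluster summary; the sample dump is constructed here and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise upstream host health
# from the admin /clusters output. Host lines have the form
#   <cluster>::<host:port>::health_flags::<flags>
# where <flags> is "healthy" or a slash-joined list such as "/failed_active_hc".
# Caveat: IPv6 hosts contain "::" themselves and would need a different split.

# unhealthy_hosts: reads /clusters text on stdin and prints "cluster host flags"
# for every host whose health_flags are not exactly "healthy".
unhealthy_hosts() {
    awk -F'::' '$3 == "health_flags" && $4 != "healthy" { print $1, $2, $4 }'
}

# cluster_health_summary: reads /clusters text on stdin, prints "cluster healthy/total"
# per cluster and exits 1 if any cluster is left with no healthy host.
cluster_health_summary() {
    awk -F'::' '
        $3 == "health_flags" { total[$1]++; if ($4 == "healthy") ok[$1]++ }
        END {
            bad = 0
            for (c in total) {
                printf "%s %d/%d\n", c, ok[c] + 0, total[c]
                if (ok[c] + 0 == 0) bad = 1
            }
            exit bad
        }'
}

# Constructed sample of /clusters output (a real dump has many more lines per host).
SAMPLE_CLUSTERS='backend_cluster::observability_name::backend_cluster
backend_cluster::default_priority::max_connections::1024
backend_cluster::10.0.0.11:8080::hostname::backend1.internal
backend_cluster::10.0.0.11:8080::health_flags::healthy
backend_cluster::10.0.0.12:8080::health_flags::/failed_active_hc
backend_cluster::10.0.0.13:8080::health_flags::/failed_active_hc/failed_outlier_check
backend_service::127.0.0.1:8080::health_flags::healthy'

# Against a live instance:
#   curl -s localhost:9901/clusters | unhealthy_hosts
#   curl -s localhost:9901/clusters | cluster_health_summary || echo "cluster with no healthy hosts"
```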

    Next Steps

    You now have a fully functional Envoy proxy on your RamNode VPS. Consider these advanced configurations:

    • gRPC transcoding for REST to gRPC conversion
    • Circuit breaking for fault tolerance
    • Service mesh integration with Istio
    • Dynamic configuration with xDS APIs
    • Rate limiting and request hedging

    For advanced configurations, refer to the official Envoy documentation or contact RamNode support at support@ramnode.com.