Announcing Built On Envoy: Making Envoy Extensions Accessible to Everyone

Learn more
Envoy

Built On Envoy v0.6.1: New Developer Experience and Community Extensions

Built On Envoy v0.6.1 brings two new extensions contributed by Palantir Technologies and ships a new Web UI that makes the developer experience faster and easier than ever.

Ignasi Barrera
Built On Envoy v0.6.1: New Developer Experience and Community Extensions

Built On Envoy v0.6.1 is out, and it marks a meaningful moment for the project: a brand new developer experience with a Web UI, and several new extensions contributed by the community. If you’re new here, the launch post covers the full story — what Built On Envoy is, why we built it, and how to get started.

Here are the release highlights:

  • A new local web interface for configuring and running extensions.
  • Two new extensions, DNS Gateway and Cluster Router, contributed by Palantir Technologies.
  • Added support for Network and UDP Listener filters.
  • Support running the latest Envoy versions or custom Envoy builds.
  • Many more! check out the full release notes.

Extensions from the community

Built On Envoy v0.6.1 includes two new extensions contributed by Palantir Technologies that address a couple use cases they were solving with Envoy:

DNS Gateway

The DNS Gateway extension intercepts DNS queries, returns synthetic responses for matching domains, and allocates virtual IPs for configured egress policies. This enables Envoy to act as a transparent DNS-aware gateway: traffic destined for specific domains gets routed through policy-controlled paths without requiring application-level changes. It’s a pattern that solves hard networking problems in complex enterprise environments — exactly the kind of production-hardened tooling that benefits the whole community when it’s shared openly. Try it out!

boe run \
  --extension dns-gateway --filter-type udp_listener --config '
    {
      "domains": [
        {
          "domain": "*.aws.com",
          "base_ip": "10.0.0.0",
          "prefix_len": 24,
          "metadata": {
            "cluster": "aws_cluster"
          }
        }
      ]
    }' \
  --extension dns-gateway --filter-type network

Cluster Router

The Cluster Router extension routes HTTP requests across a peered Envoy mesh using a path vector protocol inspired by BGP. Each Envoy instance advertises the clusters it can reach locally; those routes propagate transitively so that requests always take the shortest path to their destination. The result is intelligent, topology-aware routing across a distributed mesh without centralized coordination. Try it out!

boe run --extension cluster-router --config '
  {
    "envoy_id": "envoy1",
    "advertise_listen": "0.0.0.0:7001",
    "peers": [
      { "id": "envoy2", "endpoint": "http://envoy2.internal:7002", "local_cluster": "peer_envoy2" }
    ],
    "poll_interval": "10s",
    "stale_after": "60s"
  }'

boe run --extension cluster-router --config '
  {
    "envoy_id": "envoy2",
    "advertise_listen": "0.0.0.0:7002",
    "peers": [],
    "terminals": ["remote_svc"],
    "poll_interval": "10s",
    "stale_after": "60s"
  }'

Thank you to Anton Kanugalawattage, Gal Ovadia and the rest of the Palantir Technologies team for contributing these extensions. Seeing production-grade extensions from organizations operating at this scale is exactly the kind of community momentum Built On Envoy was designed to enable!

Fine-grained authorization with OpenFGA

In addition to the previous extensions, the OpenFGA extension contributed by engineers at Okta deserves also special attention. OpenFGA is a high-performance authorization engine based on Google Zanzibar, designed for fine-grained, relationship-based access control. The Built On Envoy extension integrates it directly into the request path: Envoy checks authorization decisions at the proxy layer before requests ever reach your application, with no code changes required on the application side. Try it out!

boe run --extension openfga \
  --config '{
    "cluster": "openfga",
    "openfga_host": "localhost:8080",
    "store_id": "YOUR_STORE_ID",
    "user": {"header": "x-user-id", "prefix": "user:"},
    "relation": {"value": "can_use"},
    "object": {"header": "x-ai-model", "prefix": "model:"}
  }' \
  --cluster-insecure localhost:8080

Check out the KubeCon + CloudNativeCon Europe talk by Erica Hughberg and Andres Aguiar from Okta showcasing this extension: Tailor Made: Dynamic Fine-Grained Authorization for API Traffic

Thank you to Andres Aguiar for collaborating in building this extension and for supporting the project!

New developer experience: the Web UI

Built On Envoy v0.6.1 ships a browser-based UI for Built On Envoy, accessible via the new boe ui command:

boe ui

The UI is dynamically generated from the extension manifests stored in the catalog — the same JSON schemas that drive the CLI. Browse available extensions, inspect their configuration options, and launch them directly from the browser. No YAML to hand-edit, no documentation tab-switching required.

The Web UI joins the CLI as a first-class interface to Built On Envoy. For developers who prefer a visual interface for exploration, it’s a faster path from curiosity to a running extension.

Running BOE extensions in production with TEG

The boe CLI and Web UI are designed for an optimal local development experience and exploration. When you need to run extensions in a production environment — with enterprise support, security hardening, lifecycle management, and operational guardrails — Tetrate Enterprise Gateway for Envoy (TEG) is the recommended path.

TEG has first-class support for Built On Envoy extensions. The BOE extensions guide walks through how to consume any extension from the catalog in a TEG-managed Envoy deployment: no custom builds, no manual binary management, and full enterprise support for the extensions your production traffic depends on.

If you’ve been using Built On Envoy for local development and want to take that work to production, TEG closes the gap.

Join the community

Built On Envoy is a community project, and v0.6.1 is a reminder that the best extensions come from teams solving real problems in production. If you’re building something on Envoy, consider contributing it to the catalog.

We’d love to see what you’re building next!

Ignasi Barrera
Product background Product background for tablets
Building AI agents

Agent Router Enterprise provides a managed AI Gateway, MCP Gateway, and AI Guardrails in your dedicated instance. Graduate agents from prototype to production with consistent model access, governed tool use, and runtime supervision — built on Envoy AI Gateway by its creators.

  • AI Gateway – Unified model catalog with automatic fallback across providers
  • MCP Gateway – Curated tool access with per-profile authentication and filtering
  • AI Guardrails – Enforce policies, prevent data loss, and supervise agent behavior
    • Learn more
    Replacing NGINX Ingress

    Tetrate Enterprise Gateway for Envoy (TEG) is the enterprise-ready replacement for NGINX Ingress Controller. Built on Envoy Gateway and the Kubernetes Gateway API, TEG delivers advanced traffic management, security, and observability without vendor lock-in.

  • 100% upstream Envoy Gateway – CVE-protected builds
  • Kubernetes Gateway API native – Modern, portable, and extensible ingress
  • Enterprise-grade support – 24/7 production support from Envoy experts
    • Learn more
    Decorative CTA background pattern background background
    Tetrate logo in the CTA section Tetrate logo in the CTA section for mobile

    Ready to enhance your
    network
    with more
    intelligence?