
Envoy Gateway 1.4 Release Highlights

Learn how key new features in the Envoy Gateway 1.4 release make it easier for you to handle your API and application traffic. This release enhances security, traffic management, and operational capabilities.


The Envoy Gateway 1.4 release enhances security, traffic management, and operational capabilities.

Contact us to learn more about how you can use these features to simplify your ingress traffic handling. Book time with us for a chat about your use case; we look forward to helping you get the most out of Envoy Gateway.

What Has Really Changed from 1.3 to 1.4?

This release’s key updates include significant improvements in security features, enhanced traffic management capabilities, and better operational controls. A detailed list of changes includes:

  • 34 new features spanning security, traffic management, and operations
  • 19 bug fixes improving stability and reliability

This article summarizes some notable new features in Envoy Gateway v1.4. For the full list of changes, see the Envoy Gateway 1.4 release notes.

Feature Highlights

Security: Enhanced Authentication and Access Management

  • Finer-grained Authorization rules in SecurityPolicy: Support for HTTP method and header-based authorization via the SecurityPolicy resource.
  • Upstream Credentials Injection: Support for injecting credentials from Kubernetes Secrets into request headers via HTTPRouteFilter.
  • Local JWKS Source: Support for local JWKS sources (inline or via ConfigMap) to validate JWT tokens.
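
A sketch of the method and header-based authorization rules described above, added here as an illustration and not taken from the release notes or from the Envoy Gateway project. Field names follow the `gateway.envoyproxy.io/v1alpha1` SecurityPolicy API and should be checked against the CRD version you have installed; the resource names, the `x-team` header and its values are hypothetical.

```yaml
# Added example. orders-authz, orders and x-team are hypothetical names.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: orders-authz
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: orders
  authorization:
    # Anything not matched by an Allow rule below is rejected.
    defaultAction: Deny
    rules:
      # Read-only access for two teams.
      - name: read-only-for-reporting
        action: Allow
        operation:
          methods: ["GET", "HEAD"]
        principal:
          headers:
            - name: x-team
              values: ["reporting", "billing"]
      # Write access for one team only.
      - name: writes-for-billing
        action: Allow
        operation:
          methods: ["POST", "PUT"]
        principal:
          headers:
            - name: x-team
              values: ["billing"]
```

A header is only a sound authorization input when a trusted component sets it and client-supplied copies are removed before the rule is evaluated.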

Traffic Management: Advanced Routing and Control

  • Enhanced Rate Limiting:
    • Shared Global RateLimit buckets: Allows platform teams to add a common limit for a Gateway that applies to all traffic on every route attached to it. This helps prevent resource exhaustion and ensures fair usage across all services.
    • Distinct Match support for Local Rate Limiting: Enables creating per-user or per-client buckets with minimal config, making it easier to implement fine-grained rate limiting policies for different user segments or API clients.
  • Zone Aware Routing: Route requests to the closest upstream backend endpoint, reducing latency and cost. Especially useful for large scale Kubernetes deployments.
  • New circuit breaker support for per-endpoint thresholds: Lets you safeguard individual upstream endpoints by applying circuit breaker thresholds per endpoint.
  • Percentage-based request mirroring: Can be used when you want to mirror a fraction of total application traffic to a separate backend.
  • Support for Lua-based EnvoyExtensionPolicy: Easily add your own Lua scripts to Envoy for custom logic.
  • Dynamic upstream target selection: Support for HTTP dynamic forward proxy when the upstream target isn’t known ahead of time.

Operations: Improved Infrastructure Management

  • High Availability: Enhanced control over pod termination with maxUnavailable in PodDisruptionBudget, ensuring zero-downtime during maintenance and updates by allowing proper request draining and connection cleanup.
  • Selective CRD Installation: Added support for CRD installation via the gateway-crds-helm chart, allowing you to selectively install the Envoy Gateway CRDs and/or the Gateway API CRDs from the standard or experimental channel.
  • Helm chart improvements:
    • Added support for HorizontalPodAutoscaler (HPA) to automatically scale Envoy Gateway based on resource usage
    • Introduced global configuration options for image registry and pull secrets, simplifying operations when using a private registry
    • Enhanced traffic distribution control through new Helm configuration options

Observability: Better Monitoring and Control

  • Tracing Improvements: Per-route tracing configuration in BackendTrafficPolicy.
  • RequestID Header: Added RequestID header configuration via ClientTrafficPolicy.
  • Backend API Support for Telemetry Backends: Connect to telemetry providers over Unix Domain Sockets, enabling more direct and efficient communication with observability tools.

Summary

Envoy Gateway 1.4 empowers teams with robust security features, advanced traffic management capabilities, and streamlined operations. These updates provide enhanced security mechanisms, improved routing capabilities, and better operational controls for production environments.

Get in touch with us to learn more about how you can leverage these features to simplify your ingress traffic handling. Book time to talk with us about your use case; we look forward to helping you get the most out of Envoy Gateway.
