
Envoy API Gateway: The Gateway to a New Frontier

Today, the Envoy community announced an exciting new project – Envoy Gateway


Today, the Envoy community announced an exciting new project: Envoy Gateway. The project unites industry leaders to streamline the benefits of application gateways powered by Envoy. This approach allows Envoy Gateway to immediately establish a solid foundation for rapid innovation. The project will provide a suite of services to manage an Envoy Proxy fleet, drive adoption through ease of use, and support a multitude of use cases through well-defined extension mechanisms.

Why are we doing this?

Tetrate is the #1 contributor to Envoy Proxy (by commits) and a proud member of the Envoy Gateway steering group, with contributors covering technical and governance domains. We believe that our strong partnerships and deep experience in open source software will help ensure the success of Envoy Gateway. Tetrate drove the EG initiative because we’re committed to upstream projects, because we believe this will reduce the barrier to entry for users of Envoy Proxy, and because it aligns with our mission to develop service mesh as a foundation for Zero Trust Architecture. Tetrate will invest heavily in building the security features of Envoy Gateway with API functionalities such as OAuth2 support and Let’s Encrypt integration.

Tetrate's commitment to upstream projects

Tetrate has been at the forefront of the service mesh space from day 0 and has always believed in upstream projects and their communities. Hence, we’ve always added to and backed Istio and Envoy upstream. We saw different people taking Envoy and creating their own control plane and API gateway implementations, leading to fragmentation, slower innovation, feature gaps, and a lack of rallying behind one code base. Since we have been very close to Matt Klein and the Envoy community for a long time, when we proposed to bring this into a standardized implementation in Envoy and consolidate it into one official upstream implementation, we received strong support from Matt and from other CNCF projects. We have been working diligently behind the scenes with the other steering committee members (Ambassador Labs, Fidelity Investments, and VMware, Inc.) to define Envoy Gateway.

We understand that the hard work has just begun and we are committed to the long-term success of this project, and several others within CNCF.

Standardizing the control plane

In a short period of time, Envoy has become the go-to networking substrate for modern, cloud-native applications. As Envoy gained interest, a wide range of downstream projects began utilizing it for service mesh, ingress, egress, and API gateway functionality. Many of these projects have overlapping capabilities, feature gaps, proprietary aspects, or a lack of community diversity. This fractured state emerged as a side effect of the Envoy community not providing a control plane implementation.

As a result, speed of innovation has been reduced, and the burden has been placed on organizations to discern the best approach for leveraging Envoy as their application networking data plane. Now that the community is providing Envoy Gateway, more users can enjoy the benefits of Envoy without the control plane decision. The goal of Envoy Gateway is:

“… to attract more users to Envoy by lowering barriers to adoption through expressive, extensible, role-oriented APIs that support a multitude of ingress and L7/L4 traffic routing use cases; and provide a common foundation for vendors to build value-added products without having to re-engineer fundamental interactions.”

Ease-of-use and operational efficiencies

Envoy Proxy is driven by xDS APIs that expose a wealth of features and are widely adopted by control planes. Although these APIs are feature-rich, they can be daunting for a user to quickly learn and to begin utilizing Envoy’s capabilities. Envoy Gateway will abstract these complexities away from users while supporting existing operational and application management models.

Instead of developing a new project-specific API, Envoy Gateway will leverage Gateway API to achieve these goals. Gateway API is a project managed by the Kubernetes Network Special Interest Group and is quickly becoming the preferred approach for providing user interfaces to manage application networking infrastructure and traffic routing. The open source project has a rich, diverse community with several well known implementations. We look forward to working as part of the community to make Envoy Gateway the industry’s preferred Gateway API implementation.

Why is this better than traditional API gateways?

The more traditional proxies are not lightweight, open, or dynamically programmable with flexible xDS-like APIs, and hence Envoy is well suited to be an API gateway for the dynamic backends of today – especially if security capabilities are added. We envision Envoy Gateway as a key component of the evolving API management landscape. An API gateway is a core component of API management, providing the functionality to transparently enforce policy and generate detailed telemetry. This telemetry delivers powerful observability, providing organizations with improved insight to troubleshoot, maintain, and optimize their APIs.

In our opinion, Envoy is the best API gateway in the industry due to its design, feature set, installed base, and community. With Envoy Gateway, organizations can have increased confidence in embedding Envoy into their API management strategy.

Zero Trust without boundaries

When all your application services run in a service mesh, realizing a zero trust architecture is far less formidable. However, a service mesh-only environment is not the real world. Services run on virtual machines, in proxyless containers, as serverless functions, etc. Envoy Gateway will break through these runtime boundaries by providing a foundation for unifying policy enforcement across heterogeneous environments.

Key to this foundation is Envoy Gateway’s extensibility, which provides flexibility in exposing Envoy and non-Envoy security capabilities. These extension points will be used to provide the functionality needed to achieve a zero trust architecture, including user and application authentication, authorization, encryption, and rate limiting. Envoy Gateway will soon be a key component for organizations seeking to achieve a zero trust architecture.

Again, Tetrate is committed to upstream projects and their long-term viability. This initiative is yet another testament to that and shows how upstream Envoy and Istio are now becoming de facto pillars for building a service mesh. Envoy Gateway will enable service mesh architecture to become more mainstream, and architects should think of the mesh as a foundation for ZTA. To help architects make a case, we have recently published the Service Mesh Handbook. We will soon be publishing an architectural approach with upstream Envoy Gateway and Istio that can be seen as the foundation for your application networking.

Explore Envoy Gateway

At Tetrate, we are leading the definition of Zero Trust Architecture based on Envoy Gateway and Istio and will lay out the envisioned architecture in a follow-up blog post. If you want to discuss architecture with us and to learn more about how to architect for legacy and cloud native applications, please join the tetrate-community Slack channel.

To learn more about Tetrate, please visit https://tetrate.io
