Today, the Envoy community announced an exciting new project: Envoy Gateway. The project unites industry leaders to streamline the benefits of application gateways powered by Envoy. This approach allows Envoy Gateway to immediately establish a solid foundation for rapid innovation. The project will provide a suite of services to manage an Envoy Proxy fleet, drive adoption through ease of use, and support a multitude of use cases through well-defined extension mechanisms.

Why are we doing this?

Tetrate is the #1 contributor to Envoy Proxy (by commits) and a proud member of the Envoy Gateway steering group, with contributors covering technical and governance domains. We believe that our strong partnerships and deep experience in open source software will help ensure the success of Envoy Gateway. Tetrate drove the EG initiative because we’re committed to upstream projects, because we believe this will reduce the barrier to entry for users of Envoy Proxy, and because it aligns with our mission to develop service mesh as a foundation for Zero Trust Architecture. Tetrate will invest heavily in building the security features of Envoy Gateway with API functionalities such as OAuth2 support and Let’s Encrypt integration.

Tetrate commitment to upstream projects

Tetrate has been at the forefront of the service mesh space from day 0 and always believes in upstream projects and their communities. Hence, we’ve always added to and backed Istio and Envoy upstream. We saw different people taking Envoy and creating their own control plane and API gateway implementations, leading to fragmentation, slower innovation, feature gaps, and lack of rallying behind one code base. Since we have been very close to Matt Klein and the Envoy community for a long time, when we proposed to bring this into a standardized implementation in Envoy and consolidate it into one official upstream implementation, we received strong support from Matt and from other CNCF projects. We have been working diligently behind the scenes with the other steering committee members (Ambassador Labs, Fidelity Investments, and VMware, Inc) to define Envoy Gateway.

We understand that the hard work has just begun and we are committed to the long-term success of this project, and several others within CNCF.

Standardizing the control plane

In a short period of time, Envoy has become the go-to networking substrate for modern, cloud-native applications. As Envoy gained interest, a wide range of downstream projects began utilizing it for service mesh, ingress, egress, and API gateway functionality. Many of these projects have overlapping capabilities, feature gaps, proprietary aspects, or a lack of community diversity. This fractured state emerged as a side-effect from the Envoy community not providing a control plane implementation.

As a result, speed of innovation has been reduced, and the burden has been placed on organizations to discern the best approach for leveraging Envoy as their application networking data plane. Now that the community is providing Envoy Gateway, more users can enjoy the benefits of Envoy without the control plane decision. The goal of Envoy Gateway is:

“… to attract more users to Envoy by lowering barriers to adoption through expressive, extensible, role-oriented APIs that support a multitude of ingress and L7/L4 traffic routing use cases; and provide a common foundation for vendors to build value-added products without having to re-engineer fundamental interactions.”

Ease-of-use and operational efficiencies

Envoy Proxy is driven by xDS APIs that expose a wealth of features and are widely adopted by control planes. Although these APIs are feature-rich, they can be daunting for a user to quickly learn and to begin utilizing Envoy’s capabilities. Envoy Gateway will abstract these complexities away from users while supporting existing operational and application management models.

Instead of developing a new project-specific API, Envoy Gateway will leverage Gateway API to achieve these goals. Gateway API is a project managed by the Kubernetes Network Special Interest Group and is quickly becoming the preferred approach for providing user interfaces to manage application networking infrastructure and traffic routing. The open source project has a rich, diverse community with several well known implementations. We look forward to working as part of the community to make Envoy Gateway the industry’s preferred Gateway API implementation.

Why is this better than traditional API gateways?

The more traditional proxies are not lightweight, open, or dynamically programmable with flexible xDS-like APIs, and hence Envoy is well suited to be an API gateway for the dynamic backends of today– especially if security capabilities are added. We envision Envoy Gateway as a key component of the evolving API management landscape. An API gateway is a core component of API management, providing the functionality to transparently enforce policy and generate detailed telemetry. This telemetry delivers powerful observability, providing organizations with improved insight to troubleshoot, maintain, and optimize their APIs.

In our opinion, Envoy is the best API gateway in the industry due to its design, feature set, installed base, and community. With Envoy Gateway, organizations can have increased confidence in embedding Envoy into their API management strategy.

Zero Trust without boundaries

When all your application services run in a service mesh, realizing a zero trust architecture is far less formidable. However, a service mesh-only environment is not the real world. Services run on virtual machines, in proxyless containers, as serverless functions, etc. Envoy Gateway will break through these runtime boundaries by providing a foundation for unifying policy enforcement across heterogeneous environments.

Key to this foundation is Envoy Gateway’s extensibility, which provides flexibility in exposing Envoy and non-Envoy security capabilities. These extension points will be used to provide the functionality needed to achieve a zero trust architecture, including user and application authentication, authorization, encryption, and rate limiting. Envoy Gateway will soon be a key component for organizations seeking to achieve a zero trust architecture.

Again, Tetrate is committed to upstream projects and their long-term viability. This initiativeis yet another testament to that and shows how upstream Envoy and Istio are now becoming de facto pillars for building a service mesh. Envoy Gateway will enable service mesh architecture to become more mainstream, and architects should think of the mesh as a foundation for ZTA. To help architects to make a case, we have recently published the Service Mesh Handbook. We will soon be publishing an architectural approach with upstream Envoy Gateway and Istio that can be seen as the foundation for your application networking.

Explore Envoy Gateway

At Tetrate, we are leading the definition of Zero Trust Architecture based on Envoy Gateway and Istio and will lay out the envisioned architecture in a follow-up blog post. If you want to discuss architecture with us and to learn more about how to architect for legacy and cloud native applications, please join the tetrate-community Slack channel.

Also, please join or stream our webinar with Matt Klein and Daneyon Hansen: “Delivering API security everywhere with Envoy Gateway” – scheduled for Thursday, June 16th at 9 AM PT:

To learn more about Tetrate, please visit