Dynamic Envoy Proxy on Linux Machine

Turgay Özgür
Dec 17, 2019


Envoy is a modern, configurable and observable service proxy. If you use Envoy as a proxy, you can define circuit breaking, load balancing, advanced routing and much more.

Let’s see how to configure Envoy as a proxy in front of applications running on Linux machines.

Before Envoy, we used Nginx as a proxy. The main reason we moved from Nginx to Envoy was to implement the circuit breaker pattern and make the proxy more visible.

Envoy is lightweight, written in C++, open source and completely free. It also has built-in Prometheus metrics.

Envoy Configuration Methods

There are two configuration methods: static configuration and dynamic configuration.

Here is a simple static configuration example. It has one listener on port 10000 and redirects all requests that arrive on that port to google.com.

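static_resources:
  listeners:
  - name: listener_0
    address:
      # The listen address value is missing on the page; LISTEN_ADDRESS is a placeholder for it.
      socket_address: { address: LISTEN_ADDRESS, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { host_rewrite: www.google.com, cluster: service_google }
          http_filters:
          - name: envoy.router
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    # The endpoint below is a hostname, so the cluster needs DNS-based discovery.
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    hosts: [{ socket_address: { address: google.com, port_value: 443 }}]
    tls_context: { sni: www.google.com }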

Save the file as envoy.yaml and run it in a Docker container with the command below.

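# The image name is missing on the page; set ENVOY_IMAGE to the Envoy image you use.
docker run --name=proxy -d \
    -p 8080:10000 \
    -v "$(pwd)/envoy/envoy.yaml:/etc/envoy/envoy.yaml" \
    "$ENVOY_IMAGE"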

After that, all requests to port 8080 will be proxied to google.com.

The static Envoy configuration sample is taken from https://www.katacoda.com/envoyproxy, where you can find many more helpful examples.

That works. But what if the application runs on a Linux machine and requires rollout deployments? To make that possible, we need a proxy that supports on-the-fly configuration changes, like Envoy and Nginx.

Let's look at how we can do that with Envoy's dynamic configuration method.

Install Envoy on Ubuntu

Instead of using a Docker container, another option is to run the Envoy proxy directly on Linux.

Run the following lines to install.

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -sL 'https://getenvoy.io/gpg' | sudo apt-key add -
# Show the fingerprint of the imported signing key.
apt-key fingerprint 6FF974DB
# The end of the next line is cut off on the page; <component> stands in for the missing repository component.
sudo add-apt-repository "deb [arch=amd64] https://dl.bintray.com/tetrate/getenvoy-deb $(lsb_release -cs) <component>"
sudo apt-get update && sudo apt-get install -y getenvoy-envoy
envoy --version

Create Linux Service

Create a file named envoy.service under the path /etc/systemd/system.

ExecStart=/usr/bin/envoy -c /etc/envoy/envoy.yaml

Envoy Dynamic Configurations

The envoy.yaml file is important: it is the entry point for Envoy, as seen in the ExecStart command above. Envoy does not track changes to this file after it has started. That is fine, because there is no reason to change it. It is really simple and does not contain any detail.

We will copy all the Envoy configuration files to the folder /etc/envoy.


The node section is required. Envoy exposes a local administration interface that can be used to query and modify different aspects of the server. Two dynamic config files are provided: one for cluster definitions and another for listeners.


The listener_0 configuration listens on port 80 and redirects all requests to the route definition (/etc/envoy/rds.yaml) named local_route.


The route definition passes all requests to the cluster named EnvoyNetCore. The cluster is known from the envoy.yaml file (/etc/envoy/cds.yaml).


Here is the cluster definition. You can declare more than one cluster there. Cluster definitions point to endpoint definitions (eds.yaml). At this level you can also configure a circuit breaker for the cluster.


The last configuration file is eds.yaml. It contains the address and port values of the endpoints we want to include in the cluster.

You can define only one resource item at this point, but more than one endpoint can be defined.

You can change these configuration files on the fly, but Envoy does not apply a change until a file is moved to the same location with the same name. So, create the new configuration as a separate file with a different name, then move it onto the path and name of the original.

mv /etc/envoy/eds.new.yaml /etc/envoy/eds.yaml

Envoy doesn’t apply any change on the fly if it is not valid.
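The mv step above can be wrapped in a few safety checks before the file goes live. This is an added example, not code from the original post: the function name swap_config and the .prev backup suffix are hypothetical, and the checks are extra hardening rather than something Envoy requires.

```shell
#!/bin/sh
# swap_config CANDIDATE TARGET
# Moves CANDIDATE onto TARGET (for example eds.new.yaml onto eds.yaml).
# Returns 0 after the move; returns non-zero and leaves TARGET untouched
# if any check fails.
swap_config() {
    new=$1 target=$2

    # The candidate must be a non-empty regular file, not a symlink.
    if [ -L "$new" ] || [ ! -f "$new" ] || [ ! -s "$new" ]; then
        echo "refusing: $new is not a non-empty regular file" >&2
        return 1
    fi

    # In the same directory, mv is a single rename(2): the target is
    # replaced in one step and Envoy never reads a half-written file.
    new_dir=$(cd "$(dirname "$new")" && pwd -P) || return 1
    target_dir=$(cd "$(dirname "$target")" && pwd -P) || return 1
    if [ "$new_dir" != "$target_dir" ]; then
        echo "refusing: $new and $target are in different directories" >&2
        return 1
    fi

    # Whoever can write this file decides where the proxy sends traffic,
    # so reject group- or world-writable candidates.
    if [ -n "$(find "$new" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "refusing: $new is group- or world-writable" >&2
        return 1
    fi

    # Keep a copy of the active file for rollback. This is a copy, so the
    # live target stays in place until the rename below.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.prev" || return 1
    fi

    mv -f "$new" "$target"
}
```

Call it as swap_config /etc/envoy/eds.new.yaml /etc/envoy/eds.yaml. To roll back, copy eds.yaml.prev to a new name in the same directory and swap that file in the same way.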

The end.