Envoy Gateway Adds HTTP/3, Simplifies Ingress

The Envoy Gateway project is maturing, now implementing and extending the Kubernetes Gateway API to simplify traffic management. The latest build adds support for HTTP/3 and other low-latency transports, making it easier to adopt Envoy for modern API ingress. The project also released a detailed threat model to help architects minimize the attack surface of their cloud-native workloads.

Envoy Proxy, the engine behind Envoy Gateway, originated at Lyft and was open-sourced in 2016. Initially, it served as an API gateway to manage "north-south" traffic (client to service), aiding Lyft's transition from a monolith to microservices by providing deep network observability. Its role in service-to-service "east-west" traffic, synonymous with service meshes, came later.

The Envoy Gateway project itself was launched in May 2022 to make Envoy more accessible for these gateway use cases. Despite Envoy's power, its complexity was a barrier to wider adoption for simpler ingress tasks, where NGINX and HAProxy remained dominant. The project aims to provide a simpler API layer and deployment model. This initiative aligns with the evolution of Kubernetes networking, specifically the move from the limited Ingress API to the more expressive and role-oriented Gateway API. The Gateway API was conceived at KubeCon 2019 to standardize advanced traffic management capabilities like header manipulation and traffic weighting, which previously required vendor-specific annotations.

The addition of HTTP/3 support is a significant step, leveraging the QUIC protocol to reduce connection latency and improve stability. Unlike its predecessors that run on TCP, HTTP/3 uses UDP, which eliminates head-of-line blocking and provides a smoother experience on mobile or unreliable networks. HTTP/3, which uses TLS 1.3, also enhances security by encrypting more of the transport handshake by default. This built-in encryption helps mitigate certain man-in-the-middle and IP spoofing attacks, a crucial feature for privacy-preserving architectures.

Envoy Gateway serves as one of several implementations of the Kubernetes Gateway API, alongside alternatives from providers like NGINX, HAProxy, and Kong. This standardization allows platform teams to manage the underlying infrastructure (the Gateway) while application teams can independently manage their routing rules (HTTPRoutes), improving separation of concerns in large-scale environments.
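The Gateway/HTTPRoute split described above, as an added example using standard Gateway API resources (not taken from the Envoy Gateway project or its threat model). All resource names, namespaces, hostnames, the namespace label and the GatewayClass name are hypothetical placeholders.

```yaml
# Platform team: owns the listener, the TLS material, and the attachment policy.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gw                    # hypothetical
  namespace: infra                   # hypothetical platform namespace
spec:
  gatewayClassName: example-class    # placeholder for the installed GatewayClass
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-example-com   # Secret stays in infra, out of app teams' reach
      allowedRoutes:
        namespaces:
          from: Selector             # only labelled namespaces may attach routes
          selector:
            matchLabels:
              gateway-access: public # hypothetical label managed by the platform team
---
# Application team: owns routing rules only, in its own namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders
  namespace: team-orders             # must carry the label selected above
spec:
  parentRefs:
    - name: public-gw
      namespace: infra
      sectionName: https             # bind to the HTTPS listener only
  hostnames: ["orders.example.com"]
  rules:
    - matches:
        - path: {type: PathPrefix, value: /api}
      filters:
        - type: RequestHeaderModifier    # header manipulation without vendor annotations
          requestHeaderModifier:
            remove: ["x-internal-debug"] # hypothetical header stripped at the edge
      backendRefs:                       # traffic weighting: 90/10 split
        - {name: orders-v1, port: 8080, weight: 90}
        - {name: orders-v2, port: 8080, weight: 10}
```

A route created in a namespace without the selected label is not accepted by the listener, so the platform team's `allowedRoutes` setting bounds which teams can expose hostnames through the shared Gateway.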
