CodersSecret

Module 3 of 8

Plain Envoy as the Central Front Door

Route product traffic through a single Envoy edge before adding auth filters.

80 minutes1 exercisesFree
Watch as Slides Course overviewInline lab below

Start here

Learning objectives

  • Read a plain Envoy listener, route, and cluster configuration
  • Understand where HTTP filters run in the request path
  • Map Kubernetes services to Envoy clusters
  • Prepare a safe place to add JWT and external authorization filters
Plain Envoy as the Central Front Door A central Envoy edge checks identity before traffic reaches product services. Client browser or service Envoy enforcement point Routes IdP or policy service when needed Apps Kubernetes app Authenticate once, validate every request, authorize before forwarding.

Why Start Without Auth?

Before adding security filters, you need to know where traffic enters, which route matches, and which upstream service receives the request. If routing is confusing, auth debugging becomes painful.

Plain Envoy Pieces

  • Listener: where Envoy accepts traffic.
  • HTTP connection manager: the HTTP processing pipeline.
  • Route: how a path such as /dashboard maps to a product service.
  • Cluster: the upstream service Envoy forwards to.
  • HTTP filters: the ordered checks that run before routing, such as JWT authn, ext_authz, and router.

Starter Envoy YAML

This is a small teaching config. It shows where product routes and filters live; a production config should be generated, reviewed, and deployed through your platform pipeline.

static_resources:
  listeners:
  - name: product_edge
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: product_edge
          route_config:
            name: product_routes
            virtual_hosts:
            - name: products
              domains: ["*"]
              routes:
              - match: { prefix: "/dashboard" }
                route: { cluster: dashboard_service }
              - match: { prefix: "/data" }
                route: { cluster: data_explorer_service }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: dashboard_service
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: dashboard_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: dashboard.default.svc.cluster.local, port_value: 8080 }

Where Auth Filters Go

Auth filters must run before the router filter. If the router runs first, the request reaches the product before identity and policy checks happen. The normal order is JWT validation, external authorization if needed, then router.

Kubernetes Deployment Shape

In Kubernetes, Envoy can run as an ingress-like edge deployment, a dedicated gateway, or part of a larger platform entry layer. This course uses a plain Envoy gateway mental model so you can understand the filters before adding a service mesh or managed gateway.

Real world

Where this shows up

  • A Kubernetes platform with many internal products that should share one login and one enforcement layer
  • Developer portals, data tools, admin consoles, APIs, and service-to-service calls protected at the edge
  • Migration from product-specific auth logic to centralized policy checks without rewriting every product first

Production notes

Keep these close

  • Treat Envoy config as production code with review, tests, and rollback
  • Use generated config or templates when many products share the same auth pattern
  • Expose per-route metrics so auth failures can be traced to the product route

Common mistakes

What usually breaks

  • Adding auth filters after the router filter
  • Using broad prefix routes that accidentally match sensitive admin paths
  • Debugging auth before proving the route and cluster work

Security risks

Threats to watch

  • A route accidentally missing filters can bypass central auth
  • A catch-all route can expose internal services if not reviewed
  • Headers from the client can spoof identity if Envoy does not remove and rewrite trusted headers

Tradeoffs

Design choices you should be able to defend

One shared Envoy gateway

Pros

  • Simple mental model
  • Consistent platform policy
  • Easy to audit central filters

Cons

  • Gateway config can become large
  • Requires strong ownership and change control

Per-product Envoy gateways

Pros

  • Product teams can ship independently
  • Smaller configs

Cons

  • Policy drift is easier
  • More gateways to patch and observe

Think like an engineer

Questions to answer before shipping

  • Which identity is making the request: a human, a service, or a federated cloud principal?
  • Which check belongs at Envoy, and which check must remain inside the product domain model?
  • What happens when the identity provider, JWKS endpoint, or auth service is slow or unavailable?

Key terms

Vocabulary used in this module

Listener

The network address and port where Envoy accepts incoming traffic.

Route

An Envoy rule that maps request paths or hosts to upstream clusters.

Cluster

An upstream service group that Envoy can send traffic to.

HTTP filter

A processing step in Envoy that can inspect, reject, modify, or forward HTTP requests.

Exercises

Practice inside the lesson

35-45 minutesBeginner

Annotate the Envoy Request Path

Label every part of a basic Envoy config and explain how a request reaches a Kubernetes product.

  1. Circle the listener port
  2. Underline the two product routes
  3. Mark the router filter as the final filter
  4. Draw dashboard.default.svc.cluster.local as an upstream Kubernetes service
  5. Write where JWT and ext_authz filters should be inserted

Recap

Key takeaways

  • Plain Envoy routes traffic through listeners, filters, routes, and clusters
  • Auth filters run before the router filter
  • Understanding routing first makes auth debugging much easier

Related resources

Keep learning across CodersSecret

Related guides

Read practical engineering walkthroughs that connect this lesson to real systems.

Cheatsheets

Keep command references and production checklists close while you practice.

Interactive labs

Practice infrastructure decisions through short, scenario-driven exercises.

Glossary terms

Build the vocabulary needed to explain architecture clearly in reviews.