CNCF-hosted Co-located Events North America 2024

In this session, attendees will receive an in-depth analysis of effects and ways to make Envoy resilient to sudden increases in load. An analysis of last year's industry-wide CVE HTTP/2 'Rapid Reset' DDoS attack will illustrate practical implementation of mitigation measures. The session will further describe features developed in Envoy to defend against resource starvation. This includes system-level configuration practices and recent advancements in Envoy's overload manager designed to make Envoy resilient to spiky traffic.

In this talk, we will guide you through our journey of developing an enterprise-grade, multi-tenant Clientless Zero Trust Network Access (ZTNA) proxy using Envoy. Our proxy operates across more than 30 data centers and can handle up to 4.5 Gbps per client connection. Join us as we reflect on various topics, including the decision to choose Envoy, the advantages of running Envoy on top of VPP, the challenges of supporting over 10k upstream destinations, and the decision to move away from WASM. Finally, we will conclude the talk by discussing new use cases we are planning to implement using Envoy.

This discussion shows a framework that integrates a VPN Concentrator with Envoy-based Secure Access Service Edge (SASE) proxy, leveraging APIs for configuration and management of network functions within containers. This is designed to dynamically scale. The VPN Concentrator (VPNC) establishes secure IPSec tunnels that encapsulate data traffic, providing privacy and protection against threats. As no. of tenants or volume of traffic increases, the need for additional VPNCs, IPSec tunnels and proxies arise. The SASE proxy is a network filter at the edge, enforcing security policies, optimizing traffic flow, providing a zero-trust network access to cloud based services. Number of proxies is changed as a ratio-based scaling approach to IPSec tunnels or tenants based on metrics like : • Throughput • Latency • Error rates • Active, denied connections • Security breaches • No. of active user sessions. • No. of route changes for loadbalancing • Envoy utilization with/without optimizations

As cloud-native applications evolve, the need for flexible and customizable service proxies grows. Envoy Proxy, known for its robust features and extensibility, is a key player. However, integrating custom extensions into Envoy can be complex. In this session, we will show how Envoy Gateway simplifies adding custom extensions to Envoy. Presented by the maintainer of Envoy Gateway and the author of “EnvoyExtensionPolicy,” attendees will gain insights into the data-plane extension mechanism of Envoy Gateway, with practical examples and use cases.

Key takeaways include:

• Understanding the core concepts and architecture of Envoy Gateway. 
• Step-by-step guidance on developing and integrating custom Envoy extensions.
• Best practices for deploying and managing Envoy with custom extensions in a production environment.
• Real-world use cases demonstrating the benefits of custom extensions in various scenarios.

The Envoy external processing only supports 1x1 body streaming, which is, Envoy sends one chunk of body to the side stream server. The side stream server mutates the received body, then sends the mutated body back to Envoy as the response. This 1x1 requirement becomes a bottleneck for certain use cases like compression, in which the side stream server has to buffer M chunks of data before processing them. After processing, it needs to split the response data into N chunks and send them back one-by-one. Such MxN streaming is not supported in the 1x1 state machine, which greatly limits Envoy's external processing capability. Proposed MxN Algorithm: An API change is added to notify Envoy that there are more response chunks coming back corresponding to a request chunk. Envoy utilizes this API to process the received response and prepare its state machine to receive next chunks. Continue the MxN data streaming as data arrives. Config knob is added for security considerations.

How far can Envoy be taken as an edge proxy? What if your downstream clients are not using HTTP? As a case study for Envoy’s use as a layer four edge proxy, this talk presents how Envoy is being used at Bloomberg to provide connectivity for enterprise clients across a range of protocols using TCP including FIX, MQ, and SFTP. It discusses the challenges of managing decades-old connectivity endpoints with an aggressive SLA.
Do you operate in an environment where the security of the system is paramount? Of course you do. The combination of Envoy with SPIRE creates a strong security posture from day one. With flexible deployment options from containers on the cloud to virtual machines on-prem, this talk demonstrates how it is all possible.

Last year, I explored troubleshooting Envoy and Kubernetes issues using Ksniff, highlighting its benefits. Building on that, this session will provide a deep dive into Envoy metrics, crucial for understanding network behaviors when Envoy is involved. We’ll examine how these metrics can be instrumental in diagnosing issues within the service mesh, offering multiple approaches to enhance your operational insights.

Join us onsite for drinks and appetizers with fellow co-located attendees from Tuesday's CNCF-hosted Co-located Events.

Attendees from all CNCF Co-located Events are welcome.