Envoy Gateway — How It Works

Gateway API → xDS translation, Envoy fleet management, and policy attachment model.

Request Flow

sequenceDiagram
    participant Client as External Client
    participant LB as Load Balancer
    participant Envoy as Envoy Proxy Pod
    participant EG as Envoy Gateway Controller
    participant K8sAPI as K8s API
    participant Backend as Backend Service

    Note over EG,K8sAPI: Startup / config change
    EG->>K8sAPI: Watch Gateway, HTTPRoute, Policies
    EG->>EG: Translate to xDS config
    EG->>Envoy: Push xDS (gRPC stream)

    Note over Client,Backend: Runtime request
    Client->>LB: HTTPS request
    LB->>Envoy: Forward
    Envoy->>Envoy: TLS termination
    Envoy->>Envoy: Route matching (HTTPRoute rules)
    Envoy->>Envoy: Apply policies (auth, rate limit)
    Envoy->>Backend: Forward to matched backend
    Backend-->>Client: Response

Policy Attachment Model

flowchart TB
    GC["GatewayClass"] --> GW["Gateway\n(listener config)"]
    GW --> HR["HTTPRoute\n(path/header routing)"]
    HR --> Backend_E["Backend Service"]

    CTP["ClientTrafficPolicy"] -.->|"attach to"| GW
    SP_E["SecurityPolicy\n(JWT, OIDC, mTLS)"] -.->|"attach to"| GW
    BTP_E["BackendTrafficPolicy\n(LB, circuit break)"] -.->|"attach to"| HR
    EEP["EnvoyExtensionPolicy\n(Wasm, Ext Proc)"] -.->|"attach to"| HR

    style GW fill:#7b42bc,color:#fff
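
The two attachment levels in the diagram, written out as manifests. This is an added example, not configuration from the original page or the Envoy Gateway project: the resource names (`eg`, `api-route`, `example-idp`), the namespace, the URLs and the limits are constructed placeholders, and it assumes a release whose policy CRDs accept the plural `targetRefs` field (older releases use a single `targetRef`).

```yaml
# Added example; every name, URL and number below is a constructed placeholder.
# SecurityPolicy attached to the Gateway: JWT validation is enforced at the
# listener level, so routes under this Gateway inherit it.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-at-gateway
  namespace: default          # policy lives in the same namespace as its target
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg                # assumed Gateway name
  jwt:
    providers:
      - name: example-idp
        issuer: https://idp.example.com
        audiences:
          - api.example.com
        remoteJWKS:
          uri: https://idp.example.com/.well-known/jwks.json
---
# BackendTrafficPolicy attached to a single HTTPRoute: circuit breaking is
# scoped to the backends of that route only.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: api-route-circuit-breaker
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: api-route         # assumed HTTPRoute name
  circuitBreaker:
    maxConnections: 1024
    maxPendingRequests: 128
    maxParallelRequests: 256
```

After applying, check each policy's `status` conditions to confirm the controller accepted the attachment; a policy whose target does not resolve is not translated into xDS and enforces nothing.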

Sources