DEV Community

Alex Spinov

Envoy Gateway Has a Free API: Here's How to Use It for Cloud-Native Traffic Management

What is Envoy Gateway?

Envoy Gateway is an open-source project that provides a simplified API layer on top of the Envoy proxy, designed specifically for Kubernetes-native API gateway use cases. Built by the same team behind Envoy proxy, it implements the Kubernetes Gateway API specification.

Why Envoy Gateway Matters

Traditional API gateways like Kong or NGINX require complex configurations. Envoy Gateway simplifies this with:

  • Native Kubernetes Gateway API support — no custom CRDs needed
  • Automatic Envoy proxy management — Gateway handles the lifecycle
  • Built-in rate limiting, authentication, and TLS — enterprise features out of the box
  • Extensible with EnvoyPatchPolicy — full Envoy xDS access when needed

Quick Start: Install Envoy Gateway

# Install with Helm
helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.2.0 -n envoy-gateway-system --create-namespace

# Verify installation
kubectl wait --timeout=5m -n envoy-gateway-system \
  deployment/envoy-gateway --for=condition=Available

Create Your First Gateway

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: default
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80

Route Traffic to Your Services

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: backend-route
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "api.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
      backendRefs:
        - name: backend-service
          port: 8080

Add Rate Limiting

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: rate-limit-policy
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend-route
  rateLimit:
    type: Local
    local:
      rules:
        - limit:
            requests: 100
            unit: Minute

Add JWT Authentication

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-auth
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend-route
  jwt:
    providers:
      - name: auth0
        issuer: https://your-tenant.auth0.com/
        audiences:
          - your-api-audience
        remoteJWKS:
          uri: https://your-tenant.auth0.com/.well-known/jwks.json
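The Gateway defined earlier listens only on plaintext HTTP (port 80), so the bearer tokens that the JWT policy validates would cross the network unencrypted. The manifests below are an added example, not part of the original post: they add a TLS-terminating listener, turn port 80 into a redirect, and pin backend-route to the HTTPS listener. The Secret name api-example-com-tls and the route name http-to-https are assumptions.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: default
spec:
  gatewayClassName: eg
  listeners:
    - name: http              # kept only so port 80 can answer with a redirect
      protocol: HTTP
      port: 80
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: api-example-com-tls   # assumed kubernetes.io/tls Secret in this namespace
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-to-https         # assumed name
spec:
  parentRefs:
    - name: eg
      sectionName: http       # attach to the plaintext listener only
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect: {scheme: https, statusCode: 301}
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: backend-route
spec:
  parentRefs:
    - name: eg
      sectionName: https      # backend is no longer served over plaintext HTTP
  hostnames:
    - "api.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
      backendRefs:
        - name: backend-service
          port: 8080
```

The SecurityPolicy and BackendTrafficPolicy shown on this page target backend-route by name, so they continue to apply once the route is attached to the HTTPS listener.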

Envoy Gateway vs Alternatives

| Feature | Envoy Gateway | Kong | NGINX Ingress | Istio Gateway |
|---|---|---|---|---|
| Gateway API | Native | Plugin | Partial | Native |
| Config complexity | Low | Medium | High | High |
| Rate limiting | Built-in | Plugin | Annotation | Built-in |
| mTLS | Built-in | Enterprise | Manual | Built-in |
| Cost | Free | Free/Enterprise | Free/Plus | Free |

Real-World Use Case

A fintech startup I worked with replaced their Kong + custom rate limiter setup with Envoy Gateway. Result: 60% less YAML, automatic TLS rotation, and the Gateway API standard means no vendor lock-in. Their DevOps team went from 3 days of gateway config per microservice to 30 minutes.

