Tetrate Istio Subscription, Version: Next

Deploy Envoy Gateway as Ingress Gateway and Waypoint Proxy in Ambient Mesh

This document describes how to deploy Envoy Gateway as both an Ingress Gateway and a Waypoint Proxy in an Ambient Mesh. By following these steps, you can leverage Envoy Gateway's capabilities for managing ingress traffic and providing Layer 7 routing and policy enforcement within the ambient mesh architecture.

Note: Envoy Gateway can function as Ingress Gateway, Waypoint Proxy, or both simultaneously. In this guide, we will demonstrate how to set up Envoy Gateway to perform both roles.

Prerequisites

  • A Kubernetes cluster with Istio installed and configured in Ambient Mode. If you haven't set up Istio in Ambient Mode yet, refer to the Migration to Ambient Mode guide.
  • kubectl and helm command-line tools installed and configured to connect to your cluster.
  • Basic understanding of Istio, Envoy Gateway, and Kubernetes Gateway API.

Step 1: Install Envoy Gateway

Please follow the Envoy Gateway installation guide to install Envoy Gateway in your Kubernetes cluster. To ensure it functions correctly as a waypoint proxy in Ambient Mode, make sure to set the deployment type to GatewayNamespace during installation.

helm install teg ${REGISTRY}/teg-envoy-gateway-helm \
  --version ${CHART_VERSION} \
  --set gateway-helm.config.envoyGateway.provider.kubernetes.deploy.type=GatewayNamespace \
  -n envoy-gateway-system --create-namespace

Step 2: Install Bookinfo Demo Application

To demonstrate the functionality of Envoy Gateway as an Ingress Gateway and Waypoint Proxy, we'll use the Bookinfo demo application.

First, label the default namespace to enable Ambient Mode:

kubectl label namespace default istio.io/dataplane-mode=ambient

Next, deploy the Bookinfo application:

cd ${ISTIO_INSTALL_DIR}
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

Step 3: Configure Envoy Gateway as Ingress Gateway

To configure Envoy Gateway as an Ingress Gateway, create a Gateway resource that defines how external traffic should be routed into the mesh. Below is an example configuration:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    istio.io/dataplane-mode: ambient
  name: bookinfo-ingress
spec:
  gatewayClassName: teg
  listeners:
  - name: ingress
    port: 80
    protocol: HTTP

We'll also create an HTTPRoute resource to route incoming requests to the productpage service of the Bookinfo application:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: ingress-bookinfo
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: bookinfo-ingress
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: productpage
      port: 9080

Then, you can access the Bookinfo application through the Envoy Gateway's external IP address. Open your web browser and navigate to http://<EXTERNAL-IP>/productpage to see the Bookinfo application.

Step 4: Configure Envoy Gateway as Waypoint Proxy

Since waypoint proxies may have different configurations compared to ingress gateways, we will create a separate GatewayClass for waypoint proxies. Below is an example configuration for the GatewayClass:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg-waypoint
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: waypoint
    namespace: envoy-gateway-system

Create an EnvoyProxy resource to define the configuration for the waypoint proxy:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: waypoint
  namespace: envoy-gateway-system
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        type: ClusterIP
        patch:
          type: StrategicMerge
          value:
            spec:
              ports:
              # HACK: ztunnel currently expects the HBONE port to always be on the waypoint's Service.
              # This will be fixed in future PRs to both Istio and ztunnel.
              - name: fake-hbone-port
                port: 15008
                protocol: TCP
                targetPort: 15008

Port 15008 is not actually used in this setup, but ztunnel currently requires it to be present on the waypoint's Service in order to recognize the Gateway as a waypoint proxy. This is a known limitation and will be fixed in future Istio releases.

Next, create a Gateway resource for the waypoint proxy:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    istio.io/dataplane-mode: ambient
  name: reviews-waypoint
spec:
  gatewayClassName: eg-waypoint
  listeners:
  - name: reviews
    port: 9080
    protocol: HTTP

We'll also create an HTTPRoute resource to route traffic to the reviews service of the Bookinfo application:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: reviews
spec:
  hostnames:
  - reviews
  - reviews.default
  - reviews.default.svc.cluster.local
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: reviews-waypoint
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: reviews
      port: 9080

Finally, add the istio.io/use-waypoint label to the reviews Service so that its Layer 7 traffic is sent through the waypoint proxy:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: reviews
    service: reviews
    istio.io/use-waypoint: reviews-waypoint
  name: reviews
spec:
  ports:
  - name: http
    port: 9080
    protocol: TCP
    targetPort: 9080
  selector:
    app: reviews

With this configuration, the reviews service will route its Layer 7 traffic through the Envoy Gateway waypoint proxy, allowing for advanced routing and policy enforcement.
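Four resources have to agree for the reviews traffic to actually reach the waypoint: the Gateway's ambient label, the Service's istio.io/use-waypoint label, the HTTPRoute's parentRef and hostnames, and the HBONE port workaround in the EnvoyProxy. The following preflight check, added here as an example and not part of the Tetrate or Envoy Gateway documentation, cross-checks those fields and reports every mismatch. The manifests are embedded as Python dicts (abbreviated to the fields the check reads, values taken from the manifests above) so it runs offline; in practice you would feed it the parsed output of kubectl get ... -o json.

```python
"""Preflight consistency check for the waypoint wiring shown above (added example)."""
import copy

AMBIENT_LABEL = "istio.io/dataplane-mode"
USE_WAYPOINT_LABEL = "istio.io/use-waypoint"
HBONE_PORT = 15008  # ztunnel expects this port on the waypoint Service (see the EnvoyProxy patch)


def check_waypoint_wiring(gateway, httproute, service, envoyproxy, namespace="default"):
    """Return a list of findings (strings); an empty list means the wiring is consistent."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    route_name = httproute["metadata"]["name"]
    svc_name = service["metadata"]["name"]

    # 1. The waypoint Gateway itself must be part of the ambient data plane.
    if gateway["metadata"].get("labels", {}).get(AMBIENT_LABEL) != "ambient":
        findings.append(f"Gateway {gw_name}: missing label {AMBIENT_LABEL}=ambient")

    # 2. The Service opts in with istio.io/use-waypoint, and the value must name this Gateway.
    svc_wp = service["metadata"].get("labels", {}).get(USE_WAYPOINT_LABEL)
    if svc_wp != gw_name:
        findings.append(f"Service {svc_name}: {USE_WAYPOINT_LABEL}={svc_wp!r}, expected {gw_name!r}")

    # 3. The HTTPRoute must attach to the waypoint Gateway (not the ingress Gateway).
    parents = {(p.get("kind", "Gateway"), p["name"]) for p in httproute["spec"].get("parentRefs", [])}
    if ("Gateway", gw_name) not in parents:
        findings.append(f"HTTPRoute {route_name}: no parentRef to Gateway {gw_name}")

    # 4. A listener must exist on each Service port, otherwise the waypoint accepts nothing.
    svc_ports = {p["port"] for p in service["spec"]["ports"]}
    listener_ports = {l["port"] for l in gateway["spec"].get("listeners", [])}
    for port in sorted(svc_ports - listener_ports):
        findings.append(f"Gateway {gw_name}: no listener on Service port {port}")

    # 5. Hostnames should cover every name a client in the mesh may use for the Service.
    expected = {svc_name, f"{svc_name}.{namespace}", f"{svc_name}.{namespace}.svc.cluster.local"}
    for host in sorted(expected - set(httproute["spec"].get("hostnames", []))):
        findings.append(f"HTTPRoute {route_name}: hostname {host} not covered")

    # 6. Every backendRef should point back at the opted-in Service on one of its ports.
    for rule in httproute["spec"].get("rules", []):
        for ref in rule.get("backendRefs", []):
            if ref.get("name") != svc_name or ref.get("port") not in svc_ports:
                findings.append(f"HTTPRoute {route_name}: backendRef {ref.get('name')}:{ref.get('port')} "
                                f"does not match Service {svc_name}")

    # 7. The HBONE port workaround from the EnvoyProxy Service patch must still be present.
    patch_ports = (envoyproxy["spec"]["provider"]["kubernetes"]["envoyService"]
                   .get("patch", {}).get("value", {}).get("spec", {}).get("ports", []))
    if not any(p.get("port") == HBONE_PORT for p in patch_ports):
        findings.append(f"EnvoyProxy {envoyproxy['metadata']['name']}: Service patch lacks port {HBONE_PORT}")
    return findings


# Constructed from the manifests above, trimmed to the fields the check reads.
GATEWAY = {"metadata": {"name": "reviews-waypoint", "labels": {AMBIENT_LABEL: "ambient"}},
           "spec": {"gatewayClassName": "eg-waypoint",
                    "listeners": [{"name": "reviews", "port": 9080, "protocol": "HTTP"}]}}
HTTPROUTE = {"metadata": {"name": "reviews"},
             "spec": {"hostnames": ["reviews", "reviews.default", "reviews.default.svc.cluster.local"],
                      "parentRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway",
                                      "name": "reviews-waypoint"}],
                      "rules": [{"backendRefs": [{"group": "", "kind": "Service",
                                                  "name": "reviews", "port": 9080}]}]}}
SERVICE = {"metadata": {"name": "reviews",
                        "labels": {"app": "reviews", "service": "reviews",
                                   USE_WAYPOINT_LABEL: "reviews-waypoint"}},
           "spec": {"ports": [{"name": "http", "port": 9080, "protocol": "TCP", "targetPort": 9080}],
                    "selector": {"app": "reviews"}}}
ENVOYPROXY = {"metadata": {"name": "waypoint", "namespace": "envoy-gateway-system"},
              "spec": {"provider": {"type": "Kubernetes", "kubernetes": {"envoyService": {
                  "type": "ClusterIP",
                  "patch": {"type": "StrategicMerge", "value": {"spec": {"ports": [
                      {"name": "fake-hbone-port", "port": 15008, "protocol": "TCP",
                       "targetPort": 15008}]}}}}}}}}


def with_use_waypoint(service, waypoint_name):
    """Copy of `service` whose use-waypoint label points elsewhere (to demonstrate a mismatch)."""
    svc = copy.deepcopy(service)
    svc["metadata"].setdefault("labels", {})[USE_WAYPOINT_LABEL] = waypoint_name
    return svc


if __name__ == "__main__":
    cases = (("as configured", SERVICE), ("typo in label", with_use_waypoint(SERVICE, "review-waypoint")))
    for title, svc in cases:
        problems = check_waypoint_wiring(GATEWAY, HTTPROUTE, svc, ENVOYPROXY)
        print(f"{title}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

The label check (step 2) is the one that most often goes wrong in practice: a Service whose istio.io/use-waypoint value does not exactly match a Gateway name is silently left on the Layer 4 path, with no L7 policy applied and nothing in the waypoint's log to show it.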

Open your web browser and navigate to http://<EXTERNAL-IP>/productpage to see the Bookinfo application. In the waypoint proxy's access log you can see the request to the reviews service (route_name httproute/default/reviews/...) being handled by the waypoint:

kubectl logs -l gateway.envoyproxy.io/owning-gateway-name=reviews-waypoint -c envoy --tail 1

{":authority":"reviews:9080","bytes_received":0,"bytes_sent":358,"connection_termination_details":null,"downstream_local_address":"10.244.0.19:9080","downstream_remote_address":"10.244.0.17:54117","duration":16,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":200,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/default/reviews/rule/0/match/0/reviews","start_time":"2025-06-30T06:26:49.054Z","upstream_cluster":"httproute/default/reviews/rule/0","upstream_host":"10.244.0.14:9080","upstream_local_address":"10.244.0.19:37302","upstream_transport_failure_reason":null,"user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","x-envoy-origin-path":"/reviews/0","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.244.0.17","x-request-id":"47a3520f-bf6d-40dc-9d7a-6aa4dcddd5b1"}

Envoy Gateway Policies

You can apply Envoy Gateway policies at both the ingress gateway and the waypoint proxy to add security and traffic-management controls. Here are some examples:

OIDC Authentication at Ingress Gateway

Follow the OIDC Authentication guide to set up OIDC authentication at the ingress gateway. This ensures that only authenticated users can access the Bookinfo application. You can use any OIDC provider, such as Google, AWS, Okta, Keycloak or Auth0. The following is an example configuration using AWS Cognito as the OIDC provider:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc-example
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: ingress-bookinfo
  oidc:
    provider:
      issuer: https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_ewsdqjtaD
    clientID: 3su394h1en0hpdfd86lddh9fkd
    clientSecret:
      name: my-app-client-secret
    redirectURL: https://www.example.com/productpage/oauth2/callback
    logoutPath: /productpage/logout
    forwardAccessToken: true
  jwt:
    providers:
    - name: aws-cognito
      issuer: https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_ewsdqjtaD
      remoteJWKS:
        uri: https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_ewsdqjtaD/.well-known/jwks.json
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      name: allow
      principal:
        jwt:
          scopes: [openid]
          claims:
          - name: username
            valueType: String
            values:
            - 89eed458-a031-70a2-f079-21ce7ccae5f0
          provider: aws-cognito

This configuration requires users to authenticate with AWS Cognito before accessing the Bookinfo application, and it authorizes each request based on the scope and claims in the JWT: with defaultAction set to Deny, only tokens that carry the openid scope and the listed username claim are allowed through.

Please note that the configuration above is just an example. You will need to replace the issuer, clientID, clientSecret, and redirectURL with your own values from your OIDC provider.

Then, you can access the Bookinfo application through the Envoy Gateway's external IP address. Open your web browser and navigate to https://<EXTERNAL-IP>/productpage. You will be redirected to the AWS Cognito login page. After logging in, you will be redirected back to the Bookinfo application.
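Because defaultAction is Deny, it is worth previewing which tokens the authorization rules would let through before the policy goes live. The following dry-run evaluator is an added example and not Envoy Gateway code: it models the documented rule semantics (rules are evaluated in order, the first matching rule wins, every scope and claim listed in a rule must match, and defaultAction applies when no rule matches) against the spec.authorization section above. It assumes that scopes are read from the space-separated scope claim and that a String claim matches when it equals any of the listed values; confirm both against the Envoy Gateway version you run. Signature validation is the gateway's job (via remoteJWKS); this script only reasons about claims you already trust.

```python
"""Dry-run evaluator for the SecurityPolicy's JWT authorization rules (added example)."""

# Constructed to mirror spec.authorization in the SecurityPolicy above.
POLICY = {
    "defaultAction": "Deny",
    "rules": [
        {"action": "Allow", "name": "allow",
         "principal": {"jwt": {"provider": "aws-cognito",
                               "scopes": ["openid"],
                               "claims": [{"name": "username", "valueType": "String",
                                           "values": ["89eed458-a031-70a2-f079-21ce7ccae5f0"]}]}}},
    ],
}


def _scopes_of(claims):
    """Assumption: scopes come from the `scope` claim, space-separated (RFC 8693 style) or a list."""
    raw = claims.get("scope", "")
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw or [])


def _claim_matches(spec, claims):
    """String: claim equals one of the values. StringArray: any listed value is in the array."""
    actual = claims.get(spec["name"])
    wanted = set(spec.get("values", []))
    if spec.get("valueType", "String") == "StringArray":
        return isinstance(actual, list) and bool(wanted.intersection(actual))
    return isinstance(actual, str) and actual in wanted


def _principal_matches(principal, provider, claims):
    """All constraints in one rule are ANDed: provider, every scope, every claim."""
    jwt = principal.get("jwt")
    if jwt is None:
        return True  # rule places no JWT constraint on the principal
    if jwt.get("provider") != provider:
        return False
    if not set(jwt.get("scopes", [])).issubset(_scopes_of(claims)):
        return False
    return all(_claim_matches(c, claims) for c in jwt.get("claims", []))


def authorize(policy, provider, claims):
    """Return (action, rule_name); rule_name is None when defaultAction was applied."""
    for rule in policy.get("rules", []):
        if _principal_matches(rule.get("principal", {}), provider, claims):
            return rule["action"], rule.get("name")
    return policy.get("defaultAction", "Allow"), None


if __name__ == "__main__":
    # Constructed claim sets; the username value is the one listed in the policy above.
    good = {"sub": "user-1", "scope": "openid email", "username": "89eed458-a031-70a2-f079-21ce7ccae5f0"}
    for title, claims in (("listed user", good),
                          ("other user", {**good, "username": "someone-else"}),
                          ("missing openid scope", {**good, "scope": "email"})):
        print(f"{title}: {authorize(POLICY, 'aws-cognito', claims)}")
```

Run it with the claim sets your IdP actually issues (for example the decoded payload of a test user's token) and compare the result with what you expect before changing defaultAction or adding rules.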

Local Rate Limiting at Waypoint Proxy

Apply local rate limiting to control the rate of requests to the reviews service:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: reviews-rate-limiting
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: reviews
  rateLimit:
    type: Local
    local:
      rules:
      - limit:
          requests: 3
          unit: Minute

Open your web browser and navigate to http://<EXTERNAL-IP>/productpage to see the Bookinfo application. If you refresh the page more than 3 times in a minute, the reviews are no longer displayed; instead, the page shows the message "Sorry, product reviews are currently unavailable for this book."

Looking at the Envoy Gateway waypoint proxy's logs, you can see that the request was rate limited (response_code 429, response_flags RL, response_code_details local_rate_limited):

kubectl logs -l gateway.envoyproxy.io/owning-gateway-name=reviews-waypoint -c envoy --tail 1

{":authority":"reviews:9080","bytes_received":0,"bytes_sent":18,"connection_termination_details":null,"downstream_local_address":"10.244.0.19:9080","downstream_remote_address":"10.244.0.17:54253","duration":0,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":429,"response_code_details":"local_rate_limited","response_flags":"RL","route_name":"httproute/default/reviews/rule/0/match/0/reviews","start_time":"2025-06-30T06:26:56.063Z","upstream_cluster":"httproute/default/reviews/rule/0","upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","x-envoy-origin-path":"/reviews/0","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.244.0.17","x-request-id":"8b6f06bd-dbf7-4df9-b314-80931bbc878b"}
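The two log entries above (the normal request earlier in the guide and the rate-limited one here) are the signal a detection or dashboard would key on: the waypoint's JSON access log carries response_code, response_flags and response_code_details per request. The following script, added here as an example and not part of the Tetrate or Envoy Gateway documentation, parses that log format, tolerates non-JSON lines (startup noise), and summarizes per route how many requests were served upstream versus rejected by the local rate limit, plus which clients hit the limit. The sample lines are constructed to match the field names shown above (values shortened; 10.244.0.21 is a made-up second client).

```python
"""Triage a waypoint's Envoy JSON access log for local rate limiting (added example)."""
import json
from collections import Counter

# Constructed sample: abbreviated copies of the entries above plus one junk line and a second client.
SAMPLE_LOG = """\
{":authority":"reviews:9080","method":"GET","protocol":"HTTP/1.1","response_code":200,"response_code_details":"via_upstream","response_flags":"-","route_name":"httproute/default/reviews/rule/0/match/0/reviews","upstream_host":"10.244.0.14:9080","x-forwarded-for":"10.244.0.17","duration":16,"start_time":"2025-06-30T06:26:49.054Z"}
{":authority":"reviews:9080","method":"GET","protocol":"HTTP/1.1","response_code":429,"response_code_details":"local_rate_limited","response_flags":"RL","route_name":"httproute/default/reviews/rule/0/match/0/reviews","upstream_host":null,"x-forwarded-for":"10.244.0.17","duration":0,"start_time":"2025-06-30T06:26:56.063Z"}
[2025-06-30T06:26:56.500Z][info][main] envoy restarting (not a JSON access-log line)
{":authority":"reviews:9080","method":"GET","protocol":"HTTP/1.1","response_code":429,"response_code_details":"local_rate_limited","response_flags":"RL","route_name":"httproute/default/reviews/rule/0/match/0/reviews","upstream_host":null,"x-forwarded-for":"10.244.0.21","duration":0,"start_time":"2025-06-30T06:26:57.001Z"}
"""


def parse_access_log(text):
    """Return (entries, skipped): one dict per JSON object line; anything else is counted and skipped."""
    entries, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict):
            entries.append(obj)
        else:
            skipped += 1
    return entries, skipped


def is_rate_limited(entry):
    """Envoy marks a locally rate-limited request with 429, the RL response flag and local_rate_limited."""
    flags = set((entry.get("response_flags") or "").split(","))
    return (entry.get("response_code") == 429
            or "RL" in flags
            or entry.get("response_code_details") == "local_rate_limited")


def summarize(entries):
    """Per-route totals and rate-limit counts, plus a Counter of client IPs that were limited."""
    per_route = {}
    limited_clients = Counter()
    for entry in entries:
        route = entry.get("route_name") or "<no route>"
        stats = per_route.setdefault(route, {"total": 0, "rate_limited": 0, "upstream_2xx": 0})
        stats["total"] += 1
        if is_rate_limited(entry):
            stats["rate_limited"] += 1
            limited_clients[entry.get("x-forwarded-for") or "unknown"] += 1
        elif 200 <= (entry.get("response_code") or 0) < 300:
            stats["upstream_2xx"] += 1
    return per_route, limited_clients


if __name__ == "__main__":
    entries, skipped = parse_access_log(SAMPLE_LOG)
    per_route, clients = summarize(entries)
    print(f"parsed {len(entries)} entries, skipped {skipped} non-JSON line(s)")
    for route, stats in per_route.items():
        print(f"{route}: {stats}")
    print("clients that hit the limit:", dict(clients))
```

To run it against a live waypoint, pipe the output of the kubectl logs command above (without --tail 1) into parse_access_log; a sudden rise in rate_limited for one client IP in x-forwarded-for is the figure worth alerting on, while a rise across all clients usually means the limit in the BackendTrafficPolicy is simply too low for normal traffic.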

What's Next?

All of Envoy Gateway's Layer 7 features are available at both the Ingress Gateway and Waypoint Proxy levels, including the Gateway API features and Envoy Gateway's ClientTrafficPolicy, BackendTrafficPolicy, SecurityPolicy, and EnvoyExtensionPolicy. You can follow Envoy Gateway's documentation to try them out.