Envoy extensions overview
This topic provides an overview of Envoy extensions in Consul service mesh deployments. You can modify Consul-generated Envoy resources to add additional functionality without modifying the Consul codebase.
Introduction
Consul supports two methods for modifying Envoy behavior. You can either modify the Envoy resources Consul generates through escape hatches or configure your services to use Envoy extensions using the EnvoyExtension
parameter. Implementing escape hatches requires rewriting the Envoy resources so that they are compatible with Consul, a task that also requires understanding how Consul names Envoy resources and enforces intentions.
Instead of modifying Consul code, you can configure your services to use Envoy extensions through the EnvoyExtensions
field. This field is definable in proxy-defaults
and service-defaults
configuration entries.
Supported extensions
Envoy extensions enable additional service mesh functionality in Consul by changing how the sidecar proxies behave. Extensions dynamically modify the configuration of Envoy proxies based on Consul configuration entries, enabling a wider set of use cases for the service mesh traffic that passes through an Envoy proxy. Consul supports the following extensions:
- External authorization
- Lua
- Lambda
- OpenTelemetry Access Logging
- Property override
- WebAssembly (Wasm)
External authorization
The ext-authz
extension lets you configure external authorization filters for Envoy proxy so that you can route requests to external authorization systems. Refer to the external authorization documentation for more information.
Lambda
The lambda
Envoy extension enables services to make requests to AWS Lambda functions through the mesh as if they are a normal part of the Consul catalog. Refer to the Lambda extension documentation for more information.
Lua
The lua
Envoy extension enables HTTP Lua filters in your Consul Envoy proxies. It allows you to run Lua scripts during Envoy requests and responses from Consul-generated Envoy resources. Refer to the Lua extension documentation for more information.
OpenTelemetry Access Logging
The otel-access-logging
Envoy extension lets you configure Envoy proxies to send access logs to OpenTelemetry collector service. Refer to the OpenTelemetry Access Logging extension documentation for more information.
Property override
The property-override
extension lets you set and unset individual properties on the Envoy resources that Consul generates. Use the extension instead of escape-hatch overrides to enable advanced Envoy configuration. Refer to the property override documentation for more information.
WebAssembly
The wasm
extension enables you to configure TCP and HTTP filters that invoke custom WebAssembly (Wasm) plugins. Refer to the WebAssembly extension documentation for more information.