Envoy Gateway


Platform Engineering · Capability

Envoy Gateway.

Envoy is the right L7 gateway; making it do the right thing is where the work is. Advanced routing, mTLS, rate-limiting, and policy-driven traffic control for production platforms.

Scope

What we do

  • Deploy and operate Envoy Gateway on Kubernetes.
  • Advanced routing: canary, shadow, header-based splits, weighted traffic.
  • mTLS between services without a full service mesh.
  • Rate limiting per API key with a Redis-backed global service.

Practical

Exercises we run

Small, repeatable drills we use on engagements and teach in workshops. Each has a lab setup, step-by-step outline, and measurable output.

  • mTLS between services without a mesh: Envoy-as-sidecar vs Envoy Gateway, trade-offs and a working recipe.
  • Rate-limit per API key with Redis: advanced EG rate-limit config (the RateLimitFilter CRD in early releases, BackendTrafficPolicy from 1.0 onward) with a global rate-limit service backend.
  • Header-based canary routing: split traffic on a custom header to send 5% of requests to a new backend.
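A worked version of the header-based canary drill, added here as an example rather than taken from the workshop material: a Gateway API HTTPRoute as Envoy Gateway consumes it. The Gateway name `eg` (assumed to live in the same namespace as the route), the Services `checkout-v1` and `checkout-v2` on port 8080, the path `/checkout` and the `x-canary` header are all assumptions.

```yaml
# Added example, not from the page. Assumed names: Gateway "eg",
# Services "checkout-v1"/"checkout-v2", header "x-canary".
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: checkout
  namespace: shop
spec:
  parentRefs:
    - name: eg
  rules:
    # Rule 1: a request carrying x-canary: v2 is pinned to the new backend,
    # so testers can exercise v2 deterministically before real traffic moves.
    # Gateway API precedence prefers the rule with more header matches, so
    # this wins over rule 2 for the same path.
    - matches:
        - path:
            type: PathPrefix
            value: /checkout
          headers:
            - type: Exact
              name: x-canary
              value: "v2"
      filters:
        # Strip the steering header so the backend never sees (or trusts) it.
        - type: RequestHeaderModifier
          requestHeaderModifier:
            remove:
              - x-canary
      backendRefs:
        - name: checkout-v2
          port: 8080
    # Rule 2: everyone else is split by weight, 5% of requests to v2.
    # Weights are relative, so 95/5 here reads exactly as the percentages.
    - matches:
        - path:
            type: PathPrefix
            value: /checkout
      backendRefs:
        - name: checkout-v1
          port: 8080
          weight: 95
        - name: checkout-v2
          port: 8080
          weight: 5
```

Two caveats a reviewer would raise. The header is client-controlled, so rule 1 is a testing convenience and not an access control: anyone who learns the header name can opt into v2. If v2 must be restricted to a closed group, gate it with an ext_authz check (a SecurityPolicy on the route) rather than trusting the header. Second, the 5% split is per request, not per user; a client with sticky sessions will bounce between versions unless the backends share state or you add session persistence.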

References

Four L7 gateways and service meshes we compare against

Envoy Gateway is our default — and it's what every other option listed here is effectively measured against. Here's how we decide between it, Linkerd, Istio, and Kong on real engagements.

Envoy Gateway
  Best for: Kubernetes-native L7 gateway with the full Envoy data plane underneath. First-class support for the Kubernetes Gateway API, weighted/header routing, ext_authz, the rate-limit service, and custom filter chains.
  Trade-offs: Newer control plane than Istio's; some advanced features land first in Istio or upstream Envoy. Gateway API vocabulary is still evolving, with occasional spec churn between minor releases.
  When we reach for it: Default pick for greenfield L7 gateways where the team wants Envoy's data-plane power without the service-mesh surface area. Pairs cleanly with RKE2 clusters and GitOps toolchains.

Linkerd
  Best for: Lightweight service mesh with a Rust-based micro-proxy (not Envoy). Minimal config, automatic mTLS, and the smallest operational footprint of the two meshes listed here.
  Trade-offs: Less expressive than Envoy when you need bespoke filters or a non-HTTP protocol. Fewer integrations than Istio for observability and policy vendors.
  When we reach for it: Platforms where mTLS-everywhere is the single most important outcome and the team does not want to learn Envoy's filter chain. Production-safe to hand to a junior operator.

Istio
  Best for: Full-fat service mesh on Envoy: gateway, sidecars and control plane. Richest policy, telemetry, and multi-cluster story; the reference mesh for large-enterprise deployments.
  Trade-offs: Heaviest footprint and steepest learning curve of any option listed. Upgrade discipline matters: skipping releases hurts. Sidecar overhead is real at thousands of pods.
  When we reach for it: Large platforms already running multiple meshes, regulated industries with mandated telemetry, or teams with dedicated mesh engineers. Rare pick for greenfield.

Kong Gateway
  Best for: API gateway with a mature plugin ecosystem (auth, transforms, rate limiting) and a long-running OSS core. Declarative config via decK; good developer-portal story via Kong Insomnia.
  Trade-offs: Not Envoy; a separate data-plane tradition with OpenResty/NGINX roots. Fewer knobs for advanced L7 filter composition; the plugin ecosystem is the trade-off.
  When we reach for it: API-heavy platforms where the developer portal and plugin story matter more than raw Envoy filter expressiveness. Common when an organisation has Kong elsewhere already.

If the question is "should we run a service mesh at all?", the answer on most engagements under ~50 services is "not yet — use Envoy Gateway at the edge and mTLS between services via cert-manager". Mesh sidecars pay off later, not earlier.
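The edge-plus-cert-manager pattern from the paragraph above, written out as an added example (not the page's own recipe). It assumes a cert-manager ClusterIssuer `internal-ca` backed by a CA keypair in Secret `internal-ca-root`, a ConfigMap `internal-ca-bundle` holding the CA certificate under the key `ca.crt` (published by trust-manager or created by hand), a GatewayClass `eg`, a consuming service `orders` in namespace `shop`, and Envoy Gateway 1.1 or later for the plural `targetRefs` field.

```yaml
# Added example, not from the page. Assumed: ClusterIssuer "internal-ca",
# Secret "internal-ca-root", ConfigMap "internal-ca-bundle" (key ca.crt),
# GatewayClass "eg", client workload "orders" in namespace "shop".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-root      # CA tls.crt/tls.key, created out of band
---
# Short-lived server certificate for the internal listener. Envoy Gateway
# watches the Secret and reloads on renewal; no pod restart needed.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gw-internal-tls
  namespace: envoy-gateway-system
spec:
  secretName: gw-internal-tls
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  dnsNames:
    - gw-internal.envoy-gateway-system.svc.cluster.local
  duration: 24h
  renewBefore: 8h
  privateKey:
    rotationPolicy: Always            # new key on every renewal, not just a new cert
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg-internal
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    - name: mtls
      protocol: HTTPS
      port: 8443
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: gw-internal-tls
      allowedRoutes:
        namespaces:
          from: All
---
# Turn the HTTPS listener into mTLS: clients must present a certificate
# chaining to the internal CA or the handshake fails.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: require-client-cert
  namespace: envoy-gateway-system
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg-internal
  tls:
    clientValidation:
      caCertificateRefs:
        - kind: ConfigMap
          group: ""
          name: internal-ca-bundle
---
# Client certificate for a calling workload; mount the Secret and point the
# HTTP client at tls.crt/tls.key plus ca.crt for verifying the gateway.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-client-tls
  namespace: shop
spec:
  secretName: orders-client-tls
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  commonName: orders.shop.svc.cluster.local
  usages:
    - digital signature
    - key encipherment
    - client auth
  duration: 24h
  renewBefore: 8h
  privateKey:
    rotationPolicy: Always
```

What this buys and what it does not: every hop that goes through the gateway is mutually authenticated, but a pod that calls another pod directly bypasses it. Pair the gateway with NetworkPolicy that only admits traffic to the backends from the Envoy pods, otherwise the mTLS is opt-in. The 24-hour lifetime keeps the blast radius of a leaked client key small without needing revocation machinery, which is the part a mesh would otherwise be giving you.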

Further reading

More on Envoy.

Workshops we teach and field notes we're writing, all linked back to what you just read.

Workshop

Hands-on: Envoy Gateway advanced — 2-day workshop

mTLS + Gateway API routing + Redis-backed ratelimit service + ext_authz gates + Grafana panels. Two days, production-shape stack.

Scheduling soon →

Field note

Per-API-key rate limiting with a Redis-backed global service

Production-shape global rate limits across N Envoy replicas via the upstream `ratelimit` service + Redis. Includes fail-open vs fail-closed decision drill.

Draft →
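The configuration behind the field note's fail-open vs fail-closed decision, added here as an example and not part of the note itself. Two pieces: the `EnvoyGateway` controller configuration, which Envoy Gateway reads from the `envoy-gateway-config` ConfigMap in `envoy-gateway-system`, and a `BackendTrafficPolicy` attached to an HTTPRoute. Assumed: a Redis Service at `redis.rate-limit.svc.cluster.local:6379`, a client-certificate Secret `ratelimit-redis-client` for TLS to Redis, an HTTPRoute `public-api` in namespace `api`, and the header `x-api-key`. The `failClosed` switch and the Redis TLS `certificateRef` are present in recent Envoy Gateway releases; confirm both fields against the version you run.

```yaml
# Added example, not from the page. Assumed: Redis at
# redis.rate-limit.svc.cluster.local:6379, Secret "ratelimit-redis-client",
# HTTPRoute "public-api" in namespace "api", header "x-api-key".
#
# Part 1: controller config (value of envoy-gateway.yaml in the
# envoy-gateway-config ConfigMap). Points the shared ratelimit service at
# Redis so all N Envoy replicas count against the same buckets.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
gateway:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
provider:
  type: Kubernetes
rateLimit:
  backend:
    type: Redis
    redis:
      url: redis.rate-limit.svc.cluster.local:6379
      tls:
        certificateRef:
          name: ratelimit-redis-client   # client cert for TLS to Redis
  # The decision drill. false (default): if the ratelimit service or Redis is
  # unreachable, requests pass unlimited. true: Envoy returns 500 instead.
  failClosed: true
---
# Part 2: the limits themselves, attached to one route.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: api-key-limits
  namespace: api
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: public-api
  rateLimit:
    type: Global
    global:
      rules:
        # One bucket per distinct x-api-key value: 600 requests/minute/key.
        # Requests without the header do not match this rule at all.
        - clientSelectors:
            - headers:
                - name: x-api-key
                  type: Distinct
          limit:
            requests: 600
            unit: Minute
        # No selector: a ceiling on the whole route, so a flood of freshly
        # minted keys cannot multiply the per-key budget without bound.
        - limit:
            requests: 10000
            unit: Minute
```

Both rules are evaluated for every request; exceeding either returns 429. The fail-closed choice is the one to argue about up front: fail-open turns a Redis outage into a silent removal of your abuse control, fail-closed turns it into an availability incident you will page on. For an authenticated, paying API the second is usually the right answer, and it makes the Redis deployment (replication, TLS, the client certificate above) part of the availability budget rather than an afterthought.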

Engagement

Hands-on: Envoy Gateway advanced — 2-day workshop

Packaged engagement — we scope, build, and hand over with runbooks, against a specific SLA. Add to cart to request delivery; no price is billed up-front.

Neux Ltd

AI Infrastructure · Platform Engineering · London.
Since 2014.


© 2014–2026 Neux Ltd
Registered in England & Wales.