Envoy extensions overview
This topic provides an overview of Envoy extensions in Consul service mesh deployments. You can modify Consul-generated Envoy resources to add additional functionality without modifying the Consul codebase.
Consul supports two methods for modifying Envoy behavior. You can either modify the Envoy resources Consul generates through escape hatches or configure your services to use Envoy extensions using the
EnvoyExtension parameter. Implementing escape hatches requires rewriting the Envoy resources so that they are compatible with Consul, a task that also requires understanding how Consul names Envoy resources and enforces intentions.
Instead of modifying Consul code, you can configure your services to use Envoy extensions through the
EnvoyExtensions field. This field is definable in
service-defaults configuration entries.
Envoy extensions enable additional service mesh functionality in Consul by changing how the sidecar proxies behave. Extensions dynamically modify the configuration of Envoy proxies based on Consul configuration entries, enabling a wider set of use cases for the service mesh traffic that passes through an Envoy proxy. Consul supports the following extensions:
- External authorization
- OpenTelemetry Access Logging
- Property override
- WebAssembly (Wasm)
ext-authz extension lets you configure external authorization filters for Envoy proxy so that you can route requests to external authorization systems. Refer to the external authorization documentation for more information.
lambda Envoy extension enables services to make requests to AWS Lambda functions through the mesh as if they are a normal part of the Consul catalog. Refer to the Lambda extension documentation for more information.
lua Envoy extension enables HTTP Lua filters in your Consul Envoy proxies. It allows you to run Lua scripts during Envoy requests and responses from Consul-generated Envoy resources. Refer to the Lua extension documentation for more information.
otel-access-logging Envoy extension lets you configure Envoy proxies to send access logs to OpenTelemetry collector service. Refer to the OpenTelemetry Access Logging extension documentation for more information.
property-override extension lets you set and unset individual properties on the Envoy resources that Consul generates. Use the extension instead of escape-hatch overrides to enable advanced Envoy configuration. Refer to the property override documentation for more information.
wasm extension enables you to configure TCP and HTTP filters that invoke custom WebAssembly (Wasm) plugins. Refer to the WebAssembly extension documentation for more information.