ONF Connect 2018 has ended
Wednesday, December 5 • 5:00pm - 5:30pm
Envoy as an Application Router Suitable for Edge Computing

As network functions are virtualized at fine granularity, several architectural differences emerge in handling L7 rules and policies on the edge. For instance, large-scale distributed applications mandate low state overhead while minimizing the configuration consumed, for greater policy change agility. Application-level routers must closely follow applications to minimize attack surface. These application-level routers are thus expected to have minimal overhead, carry light vCPU and vMem footprints, and have the ability to make independent "edge decisions". Distributing applications to the edge opens a greater attack surface, and hence authentication and data encryption policies are assumed before deployment. Effectively, an application edge router must combine the functionality of various Virtual Network Functions (VNFs) (e.g. edge cloud vFW, APT, and vDPI) to achieve a unique distributed application at scale. In addition, such an edge router must act as a gateway for inter-domain routing.

We begin by discussing architectural similarities and differences between the routing semantics of a typical network administrative domain and those of a distributed application router that is transplanted to the edge cloud. We introduce and showcase Envoy, a lightweight application L7 router that supports various application protocols, including HTTP and gRPC. First, we show how Envoy acts as an effective edge traffic handler for L7 rules and policies. Second, we discuss Envoy route definition semantics that enable extending them to various other non-HTTP protocols, which are essential to dynamic policy adaptation in large clusters. Third, we choose a complex multi-cluster deployment and demonstrate techniques that Envoy uses to act as a routing gateway, enforcing service-to-service control, policing, and telemetry across clusters. Routing filters are essential here, and we use a supported Istio Pilot control plane to show programmability. In doing so, we demonstrate how Envoy acts as a bump-in-the-wire for certain egress services, but defers mTLS processing to the edge for most other services.


Wednesday December 5, 2018 5:00pm - 5:30pm PST
Salon 4