Envoy WASM Filters in Cloud-Native Environments (eBook)
250 pages
HiTeX Press (publisher)
978-0-00-097424-2 (ISBN)
'Envoy WASM Filters in Cloud-Native Environments' is an authoritative guide that explores the intersection of Envoy Proxy and WebAssembly (WASM) technology within modern cloud-native infrastructures. Beginning with a thorough foundation in Envoy's architecture and the WebAssembly execution model, this book systematically illustrates why WASM is transforming the landscape of network proxies, service meshes, and microservices. Readers gain a deep appreciation for the motivations, trade-offs, and practical considerations involved in extending Envoy through WASM, while also mastering the essentials of filter development through hands-on examples.
Delving into the filter processing pipeline, the book unpacks both the technical depth and operational nuances of deploying custom WASM filters in distributed environments. Comprehensive coverage spans advanced event handling, state management, policy enforcement, observability, and robust security. Richly detailed chapters guide readers through real-world development practices (such as leveraging C++, Rust, Go, and AssemblyScript) as well as sophisticated topics like dynamic configuration, multi-tenancy, secure sandboxing, and compliance with sectoral regulations. Numerous case studies spotlight successful applications in telemetry, edge security, feature flagging, and regulated industries.
Designed for architects, platform engineers, and developers, this volume is both a practical manual and a forward-looking reference, offering valuable insights into the evolving WASM ecosystem. It rigorously addresses the future of WASM in cloud-native environments, highlighting emerging standards, open-source initiatives, and research trends. Whether implementing resilient multi-cluster deployments or innovating with AI at the proxy layer, readers will find in-depth strategies and best practices for harnessing Envoy and WASM to build secure, scalable, and highly extensible networked systems.
Chapter 2
Envoy Filter Processing Pipeline
Peek behind the curtain of Envoy’s request and response journey—this chapter spins a detailed narrative of how filters shape, inspect, and control all network traffic. Encounter the lifecycle orchestration, state-sharing subtleties, and orchestration of asynchronous events that empower Envoy and its extensions to enforce modern security, observability, and reliability from the proxy layer.
2.1 HTTP and TCP Filter Chains
Envoy’s filter chain architecture is fundamental to its extensibility and protocol handling capabilities, providing a modular mechanism to process both HTTP and TCP traffic with fine-grained control. Each filter chain consists of a sequence of filters: discrete units of logic that inspect, transform, or otherwise manage network data as it traverses the proxy. Understanding the arrangement, execution flow, and interplay of these filters is essential for leveraging Envoy’s power in observability, security, and traffic control.
At its core, the filter chain for both HTTP and TCP is a pipeline through which network data passes, but the specific layers and invocation mechanisms differ significantly due to the protocol semantics they must accommodate. For HTTP, the focus is on stream-oriented message parsing, decoding, and encoding, whereas TCP deals with byte streams without inherent message boundaries.
Filter Arrangement and Execution Flow in HTTP Proxy
HTTP filter chains consist of two principal categories of filters: decoding filters and encoding filters. Decoding filters operate on inbound HTTP requests, processing data as it is decoded from the raw bytes supplied by the network connection. Encoding filters process outbound HTTP responses, encoding these for transmission.
These filters are arranged in a strict order within the chain. Upon receiving a request, Envoy’s HTTP connection manager decodes the incoming bytes into HTTP request metadata and headers, sequentially passing this information through the decode filters. Each filter can inspect, modify, or halt the progression of the request. After routing and upstream selection, the eventual response traverses the encoding filters in reverse order, allowing symmetrical processing of outbound data.
The HTTP codec layer beneath decodes bytes into structured HTTP objects (headers, data frames, trailers) and invokes the filters accordingly. Envoy also supports stream multiplexing protocols such as HTTP/2 and HTTP/3, where multiple logical streams share a single physical connection. The filter chain executes separately for each stream, enabling concurrent, isolated processing of multiplexed requests.
Filter Chains in TCP Proxying
Unlike HTTP, the TCP filter chain operates on the raw byte stream without inherent parsing of semantic message boundaries. Filters in the TCP chain process data as it flows continuously over the connection, and the concept of decoding and encoding filters does not directly apply. Instead, each TCP filter receives onData callbacks for both read (inbound) and write (outbound) events.
The TCP filter chain is a sequential pipeline where each filter examines or modifies the byte stream before passing it onward. This design allows filters to implement functionality such as protocol detection, payload transformation, or traffic shaping directly on the raw data. Since there is no HTTP codec layer, filters are responsible for interpreting or proxying the byte stream according to their protocol logic.
Role of Decoding, Encoding, and Multiplexing
In HTTP proxying, decoding filters play a pivotal role in extracting routing and policy enforcement information by inspecting requests as they arrive. Encoding filters, conversely, allow response transformations including header injection, modification, or telemetry emission. This separation enables precise control over different phases of the message lifecycle.
Multiplexing is a critical aspect of Envoy’s architecture when dealing with HTTP/2 and HTTP/3. Because multiple streams share a single connection, the filter chain is instantiated per stream, ensuring isolated processing contexts. Filters maintain state per stream, allowing complex operations such as retries, timeouts, or stream-level statistics.
For TCP, since data is not demultiplexed at the protocol level internally by Envoy, multiplexing operations must be implemented externally or via protocol-specific filters that reconstruct sessions or message frames within the byte stream. This fundamental architectural difference underlines the importance of protocol characteristics in determining filter implementations.
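An added example, not from the book: a Rust sketch of the per-connection state a protocol-specific TCP filter needs in order to rebuild message frames from data callbacks that split the stream at arbitrary points. The wire format (2-byte big-endian length prefix), the `Reassembler` type and `MAX_FRAME` are assumptions for illustration, not Envoy or proxy-wasm API.

```rust
// Added sketch of per-connection framing state for a TCP filter; not Envoy's API.
// The wire format (2-byte big-endian length, then payload) is a constructed example.
const MAX_FRAME: usize = 1024; // cap so a peer cannot force unbounded buffering

#[derive(Debug, PartialEq)]
enum FrameError { TooLarge(usize) }

#[derive(Default)]
struct Reassembler { buf: Vec<u8> }

impl Reassembler {
    /// Called once per data callback with whatever bytes arrived.
    /// Returns every frame completed by this chunk; partial data stays buffered.
    fn on_data(&mut self, chunk: &[u8]) -> Result<Vec<Vec<u8>>, FrameError> {
        self.buf.extend_from_slice(chunk);
        let mut frames = Vec::new();
        let mut pos = 0;
        while self.buf.len() - pos >= 2 {
            let len = u16::from_be_bytes([self.buf[pos], self.buf[pos + 1]]) as usize;
            if len > MAX_FRAME {
                // Reject on the header alone, before buffering the body.
                return Err(FrameError::TooLarge(len));
            }
            if self.buf.len() - pos - 2 < len {
                break; // body incomplete: wait for the next callback
            }
            frames.push(self.buf[pos + 2..pos + 2 + len].to_vec());
            pos += 2 + len;
        }
        self.buf.drain(..pos); // keep only the unconsumed tail
        Ok(frames)
    }
}

fn demo() -> Vec<Vec<u8>> {
    // Constructed input: frames "hi" and "abc", split across header and body.
    let chunks: [&[u8]; 3] = [&[0x00], &[0x02, b'h', b'i', 0x00, 0x03, b'a'], &[b'b', b'c']];
    let mut r = Reassembler::default();
    let mut all = Vec::new();
    for c in chunks {
        all.extend(r.on_data(c).expect("frames within limit"));
    }
    all
}

fn main() {
    println!("{:?}", demo());
}
```

On `FrameError::TooLarge` the caller is expected to close the connection instead of feeding more data.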
Impact of Filter Order on Observability, Security, and Control
The order of filters within the chain profoundly influences Envoy’s behavior. Early-positioned filters see raw data closer to the source or destination, giving them maximum context for security checks, such as authorization, rate limiting, or intrusion detection. For example, filters implementing JSON Web Token (JWT) validation or IP allowlists are placed at the beginning of the decode chain to prevent costly downstream processing for unauthorized requests.
Conversely, filters geared toward observability (metrics collection, logging, tracing) are often placed later, capturing the effects of earlier transformations to provide an accurate picture of client-server interactions. Latency instrumentation filters typically execute near the end of the encoding chain to record precise timings for the final response.
In the TCP filter chain, the linear invocation model means that upstream filters can gate or modify traffic seen by downstream filters, enabling fine control over flow or protocol-specific behaviors. Misordering filters can lead to inefficiencies; for instance, placing expensive protocol parsers before a filter that blocks unwanted traffic wastes resources.
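An added model, not code from the book or from Envoy: decode filters run in configured order, an authentication filter can halt an unauthorized request with a local reply, and an upstream response passes back through the filters in reverse. Filter names, cost units and the `run` function are constructed for illustration; comparing the two chains shows which filters process unauthenticated input when the auth filter is placed late.

```rust
// Added model of an ordered HTTP filter chain; not Envoy's API.
// Filter names and cost units are constructed for illustration.
#[derive(Clone, Copy, PartialEq)]
enum Kind { Auth, Other }

struct Filter { name: &'static str, kind: Kind, cost: u32 }

#[derive(Debug, PartialEq)]
struct Outcome {
    status: u16,                   // 200 from upstream, 401 from a local reply
    decode_ran: Vec<&'static str>, // filters that processed the request
    encode_ran: Vec<&'static str>, // filters that processed the upstream response
    cost: u32,                     // work spent on the request path
}

fn run(chain: &[Filter], authorized: bool) -> Outcome {
    let mut out = Outcome { status: 200, decode_ran: vec![], encode_ran: vec![], cost: 0 };
    for f in chain {
        out.decode_ran.push(f.name);
        out.cost += f.cost;
        if f.kind == Kind::Auth && !authorized {
            // The filter halts iteration and answers locally; later decode
            // filters never see the request. The encode path of a local
            // reply is not modeled here.
            out.status = 401;
            return out;
        }
    }
    // Upstream response: encode filters run in the reverse of decode order.
    out.encode_ran = chain.iter().rev().map(|f| f.name).collect();
    out
}

fn auth_first() -> Vec<Filter> {
    vec![
        Filter { name: "jwt", kind: Kind::Auth, cost: 1 },
        Filter { name: "body_parser", kind: Kind::Other, cost: 50 },
        Filter { name: "access_log", kind: Kind::Other, cost: 1 },
    ]
}

fn auth_last() -> Vec<Filter> {
    let mut c = auth_first();
    c.rotate_left(1); // body_parser, access_log, jwt
    c
}

fn main() {
    for chain in [auth_first(), auth_last()] {
        let o = run(&chain, false);
        println!("status={} cost={} saw_request={:?}", o.status, o.cost, o.decode_ran);
    }
}
```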
Filter Interaction and Lifecycle
Filters in both chains adhere to a lifecycle comprising initialization, data processing callbacks, and cleanup. During initialization, filters receive callbacks with context information, enabling them to access connection metadata and establish per-connection or per-stream state.
In HTTP, filters expose callbacks such as decodeHeaders, decodeData, and encodeHeaders that the connection manager invokes to process message frames. These callbacks are reentrant per stream and must efficiently manage buffer contents to avoid backpressure or head-of-line blocking.
TCP filters implement onData methods for read and write directions, processing byte buffers and optionally short-circuiting the chain by consuming or generating traffic. Proper buffer management and flow control signaling are critical for maintaining throughput and avoiding deadlocks.
Filters can drive control decisions, including continuing the chain, stopping iteration to await asynchronous operations, or sending immediate local replies. This flexibility empowers complex control planes to implement custom policies tightly woven with runtime data.
Envoy’s HTTP and TCP filter chains embody a versatile yet carefully orchestrated execution model. The precise arrangement and invocation of decoding, encoding, and multiplexing filters govern the efficacy of observability, security, and traffic control functions, forming the backbone of Envoy’s protocol processing architecture.
2.2 Lifecycle of a Filter in Envoy
The lifecycle of a filter in Envoy is a multifaceted process encompassing its instantiation, initialization, configuration parsing, active event handling, and eventual teardown. Filters serve as programmable hooks within the Envoy data plane, enabling extensive customization of network traffic processing. A comprehensive understanding of the filter lifecycle not only elucidates how Envoy achieves its high degree of modularity and performance but also provides crucial insights into effective resource management, extensibility points, and hot-reload strategies.
Instantiation and Registration
Filter instantiation begins during the Envoy bootstrap phase when configuration files or dynamic updates specify filter chains. Each filter is instantiated based on its registered factory. Native Envoy filters leverage the FilterFactory interface, which provides a method to create filter instances configured via the Protobuf-based API. WASM filters, in contrast, instantiate via the Envoy proxy’s Wasm runtime, requiring coordinated loading of Wasm modules and runtime setup before filter creation.
Upon parsing the configuration, Envoy invokes the filter factory to create filter instances tied to individual filter chains. This process involves generating filter state objects and hooking into Envoy’s filter manager structures. The key here is that instantiation is deliberately separated from initialization to allow greater control over resource and dependency management.
Initialization and Configuration Parsing
Once instantiated, a filter undergoes initialization, a critical stage responsible for preparation and validation. This phase involves parsing detailed...
| Publication date (per publisher) | 24.7.2025 |
|---|---|
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Programming Languages / Tools |
| ISBN-10 | 0-00-097424-2 / 0000974242 |
| ISBN-13 | 978-0-00-097424-2 / 9780000974242 |
Size: 627 KB
Copy protection: Adobe DRM
File format: EPUB (Electronic Publication)