Internal Listener

How it works

This extension contains 2 major components to add a listener with an Envoy internal address and to create a client connection to that listener

envoy.bootstrap.internal_listener

This bootstrap extension is required to support looking up the target listener via an envoy internal address on each worker threads.

network.connection.client.envoy_internal

It is a client connection factory. The factory is implicitly instantiated by the dispatcher to establish a client connection to an internal listener address. This client connection factory is installed automatically when envoy.bootstrap.internal_listener is specified.

Internal upstream transport

Internal upstream transport extension enables exchange of the filter state from the downstream listener to the internal listener through a user space socket. This additional state can be in the form of the resource metadata obtained from the upstream host or the filter state objects.

This extension emits the following statistics:

Name

Type

Description

no_metadata

Counter

Metadata key is absent from the import location.

Example config

Below is a smallest static config that redirect TCP proxy on port 19000 to the TCP proxy binding to the internal address.

static_resources:
  listeners:
  - name: outbound_tcp_svc_19000
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 19000
    filter_chains:
    - filters:
      - name: tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: bridge_internal_listener
          stat_prefix: svc_tcp_proxy
  - name: singleton_internal_encap
    address:
      envoy_internal_address:
        server_listener_name: singleton_internal_encap
    filter_chains:
    - filters:
      - name: tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: singleton_internal_encap
          stat_prefix: encap_tcp_proxy
  clusters:
  - name: bridge_internal_listener
    connect_timeout: 3600s
    type: STATIC
    load_assignment:
      cluster_name: "bridge_internal_listener"
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              envoy_internal_address:
                server_listener_name: singleton_internal_encap
    transport_socket:
      name: envoy.transport_sockets.raw_buffer
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer
  - name: singleton_internal_encap
    connect_timeout: 3600s
    type: STATIC
    load_assignment:
      cluster_name: "singleton_internal_encap"
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 0.0.0.0
                port_value: 19001
bootstrap_extensions:
- name: envoy.bootstrap.internal_listener
  typed_config:
    "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
layered_runtime:
  layers:
  - name: enable_internal_address
    static_layer:
      envoy.reloadable_features.internal_address: true

Real world use cases

Encap HTTP GET requests in a HTTP CONNECT request

Currently Envoy HTTP connection manager cannot proxy a GET request in an upstream HTTP CONNECT request. This requirement can be accomplished by setting up the upstream endpoint of HTTP connection manager to the internal listener address. Meanwhile, another internal listener binding to the above listener address includes a TCP proxy with tunneling config.

Decap the CONNECT requests

There are some complicated GET-in-CONNECT requests across services or edges. In order to proxy the GET request within Envoy, two layer of HTTP connection manager is demanded. The first HHTTP connection manager layer extract the TCP stream from a CONNECT request and redirect the TCP stream to the second HTTP connection manager layer to parse the common GET requests.