External Authorization

The external authorization network filter calls an external authorization service to check if the incoming request is authorized or not. If the request is deemed unauthorized by the network filter then the connection will be closed.


It is recommended that this filter is configured first in the filter chain so that requests are authorized prior to rest of the filters processing the request.

The content of the request that are passed to an authorization service is specified by CheckRequest.

The network filter, gRPC service, can be configured as follows. You can see all the configuration options at Network filter.


A sample filter configuration could be:

  - name: envoy.ext_authz
    stat_prefix: ext_authz
        cluster_name: ext-authz

  - name: ext-authz
    type: static
    http2_protocol_options: {}
      - socket_address: { address:, port_value: 10003 }


The network filter outputs statistics in the config.ext_authz. namespace.

Name Type Description
total Counter Total responses from the filter.
error Counter Total errors contacting the external service.
denied Counter Total responses from the authorizations service that were to deny the traffic.
failure_mode_allowed Counter Total requests that were error(s) but were allowed through because of failure_mode_allow set to true.
ok Counter Total responses from the authorization service that were to allow the traffic.
cx_closed Counter Total connections that were closed.
active Gauge Total currently active requests in transit to the authorization service.