envoyproxy

Communicate with downstream envoy behind private network from Upstream Envoy


I just opened this issue on Envoy but feel the Stack Overflow community can add value.

See Diagram for better understanding:

[Diagram]

Also see the link to WireGuard achieving something similar below:

Title: Is it possible for the downstream Envoy to establish a connection with the upstream, and for the upstream service to send a TCP request to a service behind the downstream Envoy, without exposing the downstream Envoy on a public IP/port?

Description: In my scenario, I have a central Envoy (upstream) that contains a management service. This management service is meant to connect to multiple clusters. Each cluster is behind a private network where egress is the only option and there is no ingress option for Envoy.

This Stack Overflow question describes the scenario very well:

For a hybrid-cloud use case we are looking into the suitability of EnvoyProxy to act as a solution to move data across an on-premise firewall. The intended setup is as follows:

  • App A is located in an on-premise network with no direct outbound or inbound Internet connection

  • App B is located in the cloud

  • An Envoy proxy (PC) is placed in the cloud

  • An Envoy proxy (PA) is placed in the on-premise network, and configured to allow an outbound network connection to PC

  • PA creates an open bi-directional authenticated TLS connection to PC, effectively creating a tunnel between them

  • App B invokes an API endpoint at PC, which gets routed to PA over the open TLS connection, and forwarded by PA to App A

Routing data with Envoy to upstream clusters is well documented. However, we are wondering if Envoy is able to set up a TLS connection between two proxy instances and use that channel in both directions. The constraint is that this TLS connection can be set up from one direction (outbound) only.

We want the management service to make requests to applications over HTTP or TCP.

I have been looking into the TCPProxy option that is described in the video on Stack Overflow, but I am struggling to find the target needed to communicate with the downstream server.

I have also been following the examples in the Sandbox documentation, but my issue is that I am not looking to set up a streaming connection but a way to tunnel the two networks so they are accessible.

I have been struggling with the understanding due to the limited explanation in the docs.

Things I have looked into and tried are a few of the sandbox examples they give.

WebSocket is a one to one streaming and does not allow reverse proxy to multiple services.

I have read that Envoy Connect/TCPProxy could be a solution. I tried this but struggled to find an endpoint to the downstream cluster that is connected to the listener on the upstream server.

TCP Proxy: "The TCP proxy filter performs basic 1:1 network connection proxy between downstream clients and upstream clusters. It can be used by itself as an stunnel replacement."

This explains it's possible, but how?

Any advice would be highly appreciated.

Relevant links:

StackOverflow

GitHub Issue #22697

Wireguard Client Communication
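To make the quoted TCP proxy description concrete, here is an added example (not from the question or the linked issue) of the one direction Envoy does support: an on-premise proxy (PA) accepting local TCP connections and forwarding them over mutually authenticated TLS to the cloud proxy (PC). Hostnames, ports and certificate paths are assumed placeholders; note that the filter only opens connections from downstream to upstream, so nothing in this config lets PC initiate a request back through PA to App A.

```yaml
# Assumed PA-side config (constructed example). Listener is only reachable
# from the on-premise network; the cluster is the outbound (egress) hop to PC.
static_resources:
  listeners:
  - name: egress_to_pc
    address:
      socket_address: { address: 10.0.0.5, port_value: 9000 }   # private interface only
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: egress_to_pc
          cluster: cloud_proxy          # 1:1 forwarding: each downstream conn -> one upstream conn
  clusters:
  - name: cloud_proxy
    type: STRICT_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: cloud_proxy
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: pc.example.internal, port_value: 443 }  # assumed PC address
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: pc.example.internal
        common_tls_context:
          # Client certificate presented by PA so PC can authenticate the tunnel origin.
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/certs/pa.crt }   # assumed path
            private_key: { filename: /etc/envoy/certs/pa.key }
          # Pin the CA that issued PC's certificate; reject anything else.
          validation_context:
            trusted_ca: { filename: /etc/envoy/certs/ca.crt }
```

Traffic flows only when a client inside the private network connects to port 9000; the reverse path (PC reaching a service behind PA) needs a tunnelling component outside Envoy, which is what the accepted solution points to.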


Solution

  • It turns out that Envoy does not support a multi-direction tunnel.

    An alternative is a solution like Teleport.

    Details are in the linked GitHub issue page.