15: Envoy Gateway Advanced Routing & Traffic Management¶

Envoy Gateway is your cluster’s public entry point. In earlier sections, you configured a basic Gateway + HTTPRoute for Search.Api and Checkin.Api. This section now expands into the advanced, production-grade features Envoy provides.

This includes:

• Canary deployments
• Traffic splitting
• Path rewrites & prefix stripping
• Header-based routing
• Rate limiting
• Retries & circuit breaking
• Timeout policies
• CORS configuration
• Request/response header manipulation

This section is foundational for scaling LocalCloudLab services as they evolve.

15.1 Gateway API Advanced Concepts¶

Envoy Gateway fully implements the Kubernetes Gateway API, which is more powerful and future-proof than standard Ingress.

Key resources:

• Gateway               – The load balancer / public entry point
• HTTPRoute            – Routing rules
• ReferencePolicy      – Cross-namespace permission controls
• BackendPolicy        – Per-service behaviors (timeouts, retries, TLS, etc.)
• AuthenticationPolicy – Future addition

Understanding these makes routing predictable and consistent.

15.2 Traffic Splitting (A/B or Canary Releases)¶

Traffic splitting is used for:

✔ Gradual rollouts (canary)
✔ Testing new versions
✔ Blue/Green releases

Example: Split Search API 90/10 between v1 and v2¶

In Kubernetes:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: search-api-route
  namespace: search
spec:
  parentRefs:
  - name: public-gateway
    namespace: envoy-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /search
    backendRefs:
    - name: search-api-v1
      port: 80
      weight: 90
    - name: search-api-v2
      port: 80
      weight: 10

Envoy automatically distributes traffic by weight.

To gradually shift:

90/10 → 80/20 → 50/50 → 20/80 → 0/100

15.3 Path Rewrite & Prefix Stripping¶

Common scenarios:

• Exposing /api/search externally, but service expects /
• Migrating routes without changing backend code
• Removing versioned prefixes during rollout

Example: Rewrite /search → /¶

rules:
- matches:
  - path:
      type: PathPrefix
      value: /search
  filters:
  - type: URLRewrite
    urlRewrite:
      path:
        type: ReplacePrefixMatch
        replacePrefixMatch: /

Example: Rewrite /api/v1/search → /search¶

replacePrefixMatch: /search

15.4 Header-Based Routing¶

This unlocks role-based routing, mobile vs desktop, partner integrations, etc.

Example: Route users with header X-Device: Mobile to a special backend:

rules:
- matches:
  - headers:
    - name: X-Device
      value: Mobile
  backendRefs:
  - name: search-mobile-api
    port: 80

Or route airline partners by API key:

matches:
- headers:
  - name: X-Partner-Key
    value: ABC123

15.5 Rate Limiting¶

Rate limiting prevents abuse, protects backend services, and allows fair usage.

Envoy supports:

• Global per-route rate limits
• Per-client IP rate limits
• Per-header (e.g., API key) rate limits

Example: Limit Search API to 50 RPS¶

kind: BackendPolicy
metadata:
  name: search-rate-limit
  namespace: search
spec:
  targetRef:
    kind: Service
    name: search-api
  rateLimit:
    requests:
      unit: Second
      value: 50

Example: Per-user rate limiting using request headers¶

rateLimit:
  requests:
    unit: Minute
    value: 200
  key:
    type: Header
    name: X-User-Id

15.6 Retry Policies¶

Retries help with transient failures like database reconnecting or short network issues.

kind: BackendPolicy
spec:
  retry:
    attempts: 3
    perTryTimeout: 2s
    retryOn:
    - gateway-errors
    - connection-failure

Choose retries carefully:

✓ Good for intermittent failures
✗ Bad for consistently failing endpoints (can overload backend)

15.7 Timeout Policies¶

Time-based protections:

• Request timeout
• Idle timeout
• Connection timeout

Example:

timeout:
  request: 15s
  idle: 60s

Search API might need:

• Short timeouts for availability
• Generous timeouts for complex external integrations

15.8 Circuit Breaking¶

Circuit breakers prevent cascading failures by:

• Limiting connections
• Limiting pending requests
• Failing fast when backend is unhealthy

Example:

circuitBreaker:
  maxConnections: 100
  maxPendingRequests: 200
  maxRequestsPerConnection: 50

This protects your cluster from a failing service consuming all resources.

15.9 CORS Configuration¶

CORS should be configured at the Gateway, not per-service.

kind: HTTPRoute
spec:
  rules:
  - filters:
    - type: RequestHeaderModifier
      requestHeaderModifier:
        set:
        - name: Access-Control-Allow-Origin
          value: "*"

Or tighten for production:

- name: Access-Control-Allow-Origin
  value: "https://www.hershkowitz.co.il"

15.10 Request & Response Header Manipulation¶

Useful for:

• Security headers
• Partner integrations
• Adding X-Version, X-Cluster-ID, etc.

Example:

filters:
- type: ResponseHeaderModifier
  responseHeaderModifier:
    add:
    - name: X-Envoy-Gateway
      value: LocalCloudLab

Example: Remove a header:

responseHeaderModifier:
  remove:
  - Server

15.11 Summary of Advanced Routing¶

You now have routing capabilities:

✔ Canary releases
✔ A/B tests
✔ Traffic splitting
✔ Path rewrites
✔ Header-based routing
✔ Rate limits
✔ Retries
✔ Timeouts
✔ Circuit breakers
✔ CORS & header control

Envoy Gateway now behaves like a production-grade API Gateway for the entire LocalCloudLab cluster.

Next section begins automatically:

Section 16 — Logging & Observability (Serilog, Loki, Traces, Correlation IDs)