
Announcing API management for services that use Envoy

June 17, 2020
Nandan Sridhar

Product Manager

Dino Chiesa

Customer Engineer, GCP

Among forward-looking software developers, Envoy has become ubiquitous as a high-performance pluggable proxy, providing improved networking and observability capability for increased services traffic. Built on the learnings of HAProxy and nginx, Envoy is now an official Cloud Native Computing Foundation project, and has many fans—including among users of our Apigee API management platform. 

To help you integrate Envoy-based services into your Apigee environment, we’re announcing the Apigee Adapter for Envoy in beta. Apigee lets you centrally govern or manage APIs that are consumed within your enterprise or exposed to partners and third parties, providing centralized API publishing, visibility, governance, and usage analytics. And now, with the Apigee Adapter for Envoy, you can extend Envoy’s capabilities to include API management, so developers can expose the services behind Envoy as APIs. Specifically, the Apigee Adapter for Envoy lets developers:

  • Verify OAuth tokens or API Keys

  • Check API-consumer-based quotas against API Products

  • Collect API usage analytics

Now, with the availability of the Apigee Adapter for Envoy, organizations can deliver modern, Envoy-based services as APIs, expanding the reach of their applications. Let’s take a closer look.

How does it work?

Envoy supports a long list of filters—extensions that are written in C++ and compiled into Envoy itself. The Apigee Adapter for Envoy takes particular advantage of Envoy's External Authorization filter, designed to allow Envoy to delegate authorization decisions for calls managed by Envoy to an external system.

https://storage.googleapis.com/gweb-cloudblog-publish/images/High_level_Architecture.max-2000x2000.jpg
High level Architecture

Here's how the Apigee Adapter for Envoy works: 

  • The consumer or client app accesses an API endpoint exposed by Envoy (1).

  • Envoy passes the security context (HTTP headers) to the Apigee Remote Service (2).

  • The Apigee Remote Service acts as a Policy Decision Point and advises Envoy to allow or deny the API consumer access to the requested API (3).

A high-performance system may need to handle thousands of calls per second in this way. To accommodate that, the connection between Envoy and the Apigee Remote Service is based on gRPC, for speed and efficiency. Out of band, the Apigee Remote Service asynchronously polls and downloads its configuration (4), including API Products and API keys (after validation), from the remote Apigee control plane, which can be hosted in a different VPC than the Envoy cluster. 
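How the delegation described above is wired on the Envoy side, as an added example that is not configuration from the original post or from the Apigee project. It uses Envoy's v3 API; the cluster name, host, port and timeouts are assumptions chosen for illustration.

```yaml
# Fragment 1: inside the HttpConnectionManager of the listener that fronts the API.
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    # Fail closed: if the authorization service errors or times out,
    # Envoy rejects the request instead of forwarding it unchecked.
    failure_mode_allow: false
    grpc_service:
      envoy_grpc:
        cluster_name: apigee-remote-service  # assumed name, must match Fragment 2
      timeout: 1s                            # assumed budget for the check call
# ext_authz is listed before the router so no request is routed unchecked.
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Fragment 2: under static_resources.clusters.
clusters:
- name: apigee-remote-service
  type: STRICT_DNS
  connect_timeout: 1s
  # The check call is gRPC, so the upstream connection must speak HTTP/2.
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  load_assignment:
    cluster_name: apigee-remote-service
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: remote-service.example.internal  # placeholder host
              port_value: 5000                          # placeholder port
```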

Compatibility with Istio and Anthos

The Apigee Adapter for Envoy can be used by anyone who uses a standard Envoy proxy, including anyone who uses Istio or Google’s Anthos Service Mesh, getting the benefits of enforcing Apigee API management policies within a service mesh.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Deploy_in_a_Mesh.max-2000x2000.jpg
 Deploy in a Mesh

Comparing Apigee API Gateways

In addition to the Apigee Adapter for Envoy, Apigee also offers two other gateways:

  • Apigee Message Processor, which powers Apigee public cloud, Apigee private cloud, and Apigee hybrid

  • Apigee Microgateway

Here’s a quick comparison to help you distinguish between these gateways and decide when to use each one, or more than one together.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Envoy.max-1000x1000.jpg

What's next?

Google Cloud’s Apigee is an industry-leading API management platform, and we've continued to expand its capabilities. Now, by combining the Apigee Message Processor and the Apigee Adapter for Envoy, you can get enterprise-grade API management capabilities.

Do you use Envoy and want to up your API management game? To get started with the Apigee Adapter for Envoy, visit this page.
