Set up Envoy proxies with HTTP services

This guide demonstrates how to configure Traffic Director with an Envoy proxy-based service mesh, HTTP services, and Mesh and HTTPRoute resources.

Envoy proxies with HTTPRoute and Mesh resources
Envoy proxies with HTTPRoute and Mesh resources (click to enlarge)

Before you begin

Make sure that your deployment meets the prerequisites described in the following guides:

Configure the Mesh resource

Envoy proxies running as sidecars receive their service routing configuration from Traffic Director. The Mesh name is the key that the sidecar proxy uses to request the configuration associated with the Mesh resource. Traffic Director provides the routing configuration to the proxy. The sidecar proxy then directs traffic to the correct backend service, relying on request parameters such as the hostname, headers, and others that are configured in the Route resources.

  1. Create the Mesh resource specification and save it in a file called mesh.yaml.

    name: sidecar-mesh
    interceptionPort: 15001

The interception port defaults to 15001 if you do not specify it in the mesh.yaml file.

  1. Create the Mesh resource using the mesh.yaml specification.

    gcloud network-services meshes import sidecar-mesh \
      --source=mesh.yaml \

After the Mesh resource is created, Traffic Director is ready to serve the configuration, but because there are no services defined yet, the configuration is empty. The next step is to define your services and attachment.

Configure the HTTP server

For demonstration purposes, you create a backend service with autoscaled VMs using managed instance groups as the backends. The VMs serve a hello world phrase, using the HTTP protocol on port 80.

  1. Create the instance template with a helloworld HTTP service on port 80.

    gcloud compute instance-templates create td-httpd-vm-template \
      --scopes= \
      --tags=http-td-server \
      --image-family=debian-10 \
      --image-project=debian-cloud \
      --metadata=startup-script="#! /bin/bash
    sudo apt-get update -y
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype <html><body><h1>'\`$(/bin/hostname)\`'</h1></body></html>' | sudo tee /var/www/html/index.html"
  2. Create a managed instance group based on the template.

    gcloud compute instance-groups managed create http-td-mig-us-east1 \
      --zone=ZONE \
      --size=2 \
  3. Create a health check.

    gcloud compute health-checks create http http-helloworld-health-check
  4. Create a firewall rule to allow incoming health check connections to instances in your network.

    gcloud compute firewall-rules create http-vm-allow-health-checks \
      --network=default \
      --action=ALLOW \
      --direction=INGRESS \
      --source-ranges=, \
      --target-tags=http-td-server \
  5. Create a global backend service with a load balancing scheme of INTERNAL_SELF_MANAGED and add the health check.

    gcloud compute backend-services create http-helloworld-service \
      --global \
      --load-balancing-scheme=INTERNAL_SELF_MANAGED \
      --protocol=HTTP \
      --health-checks http-helloworld-health-check
  6. Add the managed instance group to the backend service. The following example uses the managed instance group you created previously. The VMs in the managed instance group run the sample HTTP service that you created.

    gcloud compute backend-services add-backend http-helloworld-service \
      --instance-group=http-td-mig-us-east1 \
      --instance-group-zone=ZONE \

Set up routing with HTTPRoute

The Mesh resource and services are configured. Connect them with an HTTPRoute resource that associates a hostname with a backend service.

  1. Create the HTTPRoute specification and save it to a file called http_route.yaml.

    You can use either PROJECT_ID or PROJECT_NUMBER.

    name: helloworld-http-route
    - helloworld-gce
    - projects/PROJECT_NUMBER/locations/global/meshes/sidecar-mesh
    - action:
       - serviceName: "projects/PROJECT_NUMBER/locations/global/backendServices/http-helloworld-service"
  2. Create the HTTPRoute resource using the specification in the http_route.yaml file.

    gcloud network-services http-routes import helloworld-http-route \
      --source=http_route.yaml \

Traffic Director is now configured to load balance traffic for the services specified in the HTTPRoute resource across the VMs in the managed instance group.

Create an HTTP client with an Envoy sidecar

You can verify the deployment by creating a client VM with an Envoy sidecar proxy that requests the Traffic Director configuration that was created earlier. The mesh parameter in the gcloud command refers to the Mesh resource that you already created.

  1. Create an instance template.

    gcloud beta compute instance-templates create td-vm-client-template \
      --image-family=debian-10 \
      --image-project=debian-cloud \
  2. Create a VM with an Envoy proxy that is connected to Traffic Director.

    gcloud compute instances create td-vm-client \
      --zone=ZONE \
      --source-instance-template td-vm-client-template
  3. Log in to the VM.

    gcloud compute ssh td-vm-client
  4. Run the curl command to verify HTTP connectivity to the test services.

    curl -H "Host: helloworld-gce"

The command should return a response from one of the VMs in the managed instance group, with its hostname printed to the console.