Extending the Envoy Proxy With WebAssembly – Container Journal

As the service mesh landscape continues to grow, its underlying technology stack is maturing as well. For example, service mesh advocates are introducing methods to extend Envoy, the open source proxy at the heart of many service meshes.

Pioneered by the teams behind Istio and Gloo, the introduction of WebAssembly into Envoy is enabling engineers to add custom filters, offering new controls and filtering abilities for incoming requests. Standardizing the WebAssembly module format could also retain vendor neutrality in a space with competing agendas.

Having bet big on microservices, API gateways and Envoy-based service mesh, Idit Levine now sees WebAssembly as the next big bet. I recently spoke with Levine, Solo.io founder and CEO, to explore ways to extend Envoy using WebAssembly modules and the growing importance of WebAssembly within this burgeoning field.

To understand WebAssembly, you must first understand Envoy and how it fits into the service mesh framework. Service meshes are typically divided into two main componentsa control plane for configuration and a data plane for routing incoming requests to underlying microservices. Envoy sits within the data plane.

In the Envoy-based service mesh architecture, whenever a request comes in, it always goes through Envoy. Envoy is like a filter chain: It takes incoming requests and barrels them through a series of security and operational tasks including authentication, rate limiting, transcoding and routing. This process happens with every request, no matter if its inter-mesh, ingress or egress traffic.

Open source with a growing tooling community, Envoy has become a staple for many service meshes including Istio, Consul Connect, Maesh and Kuma. I dont think anyone should buy any service mesh or gateway that is not Envoy-based, says Levine.

Yet, Envoy is not perfect. Envoy is very powerful, but it leaves a lot to wish for, she notes. The Envoy filter chain is a compelling layer for organizations to add custom capabilities, but Envoy extensibility is not easy.

There are many reasons a team may want to add custom modules to their Envoy implementation. For example, organizations may wish to insert additional business logic, such as metrics, observability, transformation, data loss prevention, compliance validation or other capabilities.

However, writing and adding custom Envoy modules is a bit tedious. You must program in C++ and recompile in Envoy. Ideally, this process should be open to other programming languages. It should also be fast, safe, easy to use and without the need to recompile.

There have been a few efforts to remedy this issue. In Istio, engineers can extend Mixer with an Adapter using Go. Other service meshes have attempted their own custom filter creation.

These efforts move in the right direction, yet they are still problematic, Levine says. Solutions are still not language-agnostic and they present ease-of-use issues. Can we do something better? she asks. For this, Istio and Solo.io looked to WebAssembly.

WebAssembly (Wasm for short) is a binary instruction format for a stack-based virtual machine. The initiative is maintained by a W3C Community Group, representing a collaboration between all major browsers.

Running Wasm in Envoy involves using a placeholder that developers can insert their extensions into. We wrote a Wasm custom filter and wrote a Wasm model for the Envoy memory, Levine says. An Istio blog post details the proposed setup: The proxy extensions are delivered as WebAssembly modules through a level Application Binary Interface (ABI). The WebAssembly for Proxies specification describes the process in detail.

To the layman, that doesnt sound too approachable. So, to improve developer experience, Solo.io built WebAssembly Hub, a center for sharing and finding Wasm extensions. Like Dockerhub, engineers can browse Wasm extension repositories and deploy them to their Envoy-based service mesh or API gateway.

At the time of writing, WebAssembly Hub hosts 367 repositories and counting, featuring contributions from many community members. Examples include transformation for incoming HTTP requests, appending a header, a Rust filter for additional authentication and many other packages.

To Levine, adding custom Envoy filter modules using Wasm and WebAssembly Hub brings numerous benefits:

Levine is also hoping for more industry cooperation through the WebAssembly module format. Enterprise tech has already weathered through vendor wars in the container, orchestration and service mesh areas. I didnt want that to happen againit isnt healthy for innovation, she says.

Naturally, there are some possible downsides to extending your proxies with Wasm. One foreseeable issue is degradation, notes Levine. Theoretically, you could assemble an Envoy chain with thousands of custom filters. But, every new module added increases the overall processing time.

If overused, filters could significantly increase latency, which could be disruptive for time-sensitive applications, such as financial or medical industry scenarios. You just need to be careful about that and design accordingly, she says.

Wasm use should also depend on your environment. Some scenarios, such as container Wasm in Kubernetes, may not be super beneficial, she adds, reinstating Wasm should be extending proxy technology like Envoy. That is where it is more useful.

The introduction of WebAssembly and WebAssembly Hub presents a streamlined way to add more capabilities to a service meshs data plane. There is already big-name support for WebAssembly, including IBM, Google, CNCF and others.

Still, many players are pushing competing agendas in the API gateway and service mesh market ecosystems. Service mesh marketing permeates the cloud discussion, but customers need technology to back it up, Levine challenges.

One silver lining is the fact that Wasm isnt proposing any detrimental change to a companys existing stack; its simply extending functionality where Envoy lacks. Therefore, its not a technology looking for a problem, she says. Its a solution to a problem.

Related

More:
Extending the Envoy Proxy With WebAssembly - Container Journal

Related Posts
This entry was posted in $1$s. Bookmark the permalink.