Envoy Gateway
Kubernetes-native API gateway built on Envoy Proxy — the reference implementation of the Kubernetes Gateway API.
Overview
Envoy Gateway is a managed control plane for Envoy Proxy that implements the Kubernetes Gateway API standard. It replaces annotation-heavy ingress controllers with declarative, standardized API resources. It is the official CNCF reference implementation for the Gateway API and is expanding into AI gateway capabilities.
Key Facts
| Attribute | Detail |
|---|---|
| Website | gateway.envoyproxy.io |
| Stars | ~7k+ ⭐ |
| Latest Version | v1.7.1 (March 2026); v1.8 ETA late Apr 2026 |
| Language | Go (control plane), C++ (Envoy data plane) |
| License | Apache 2.0 |
| Governance | CNCF (Envoy ecosystem) |
Evaluation
| Pros | Cons |
|---|---|
| Gateway API reference implementation | Newer than Nginx/Traefik — smaller community |
| Full Envoy power via declarative CRDs | Envoy config complexity underneath |
| JWT, OIDC, mTLS, CORS built-in | Not a full service mesh (east-west) |
| Envoy AI Gateway for LLM routing | Requires Gateway API understanding |
| Traffic splitting, canary deployments | |
| Wasm + External Processing extensibility | |
Architecture
```mermaid
flowchart LR
    subgraph K8s["Kubernetes"]
        GC["GatewayClass"]
        GW["Gateway"]
        HR["HTTPRoute /\nGRPCRoute"]
        BTP["BackendTrafficPolicy"]
        SP["SecurityPolicy"]
    end
    subgraph EG["Envoy Gateway Controller"]
        Translator["API → xDS\nTranslator"]
    end
    subgraph DP["Data Plane"]
        Envoy["Envoy Proxy\nFleet"]
    end
    GC --> Translator
    GW --> Translator
    HR --> Translator
    BTP --> Translator
    SP --> Translator
    Translator -->|"xDS"| Envoy
    Envoy --> Backend["Backend Services"]
    style EG fill:#7b42bc,color:#fff
```
Policy CRDs
| CRD | Purpose |
|---|---|
| BackendTrafficPolicy | Load balancing, circuit breaking, timeouts |
| SecurityPolicy | JWT, OIDC, mTLS, API keys, CORS |
| ClientTrafficPolicy | Connection limits, client timeouts, buffers |
| EnvoyExtensionPolicy | Wasm filters, External Processing |
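To show how a policy CRD attaches to a route instead of living in ingress annotations, here is an added example (not taken from the Envoy Gateway project or from this page's sources) of a SecurityPolicy enforcing JWT validation on a single HTTPRoute. The resource names, namespace, hostname, backend Service, issuer and JWKS URL are all placeholder assumptions.

```yaml
# Constructed example. Every name and URL below is a placeholder.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders-route            # hypothetical route
  namespace: apps               # hypothetical namespace
spec:
  parentRefs:
    - name: eg                  # hypothetical Gateway managed by Envoy Gateway
  hostnames:
    - "orders.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: orders-svc      # hypothetical backend Service
          port: 8080
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: orders-jwt
  namespace: apps               # must be the same namespace as the targeted route
spec:
  # Policy attachment: the policy points at the route, the route stays unchanged.
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: orders-route
  jwt:
    providers:
      - name: corp-idp          # hypothetical provider label
        issuer: https://idp.example.com        # tokens from any other issuer are rejected
        audiences:
          - orders-api                         # tokens minted for other services are rejected
        remoteJWKS:
          uri: https://idp.example.com/.well-known/jwks.json
```

After applying, `kubectl get securitypolicy orders-jwt -n apps -o yaml` shows the policy's status conditions; a policy whose target does not resolve is not translated into xDS, so the route stays unauthenticated until the reference is fixed.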
Sources