Envoy
A high-performance L7 proxy and service mesh data plane for managing, securing, and observing service-to-service traffic.
What is the envoy image?
The envoy image runs Envoy Proxy, a modern, high-performance edge and service proxy originally built for cloud-native and microservices architectures. Envoy operates at layer 7 and provides advanced traffic management features such as dynamic service discovery, load balancing, retries, circuit breaking, rate limiting, and fault injection. It natively supports HTTP/1.1, HTTP/2, gRPC, and TLS, and exposes rich metrics and tracing integrations via Prometheus, OpenTelemetry, and other observability systems. Envoy is commonly used as an API gateway, sidecar proxy in service meshes, or as a centralized ingress/egress proxy. In containerized and Kubernetes environments, Envoy is a foundational component of service meshes like Istio and Consul, enabling fine-grained traffic control and deep visibility without modifying application code.
How to use this image
The envoy image is typically run with a static or dynamic configuration file that defines listeners, clusters, routes, and filters. It can be used standalone, embedded in a service mesh, or deployed as an edge proxy.
Run Envoy with a mounted configuration file:
Example envoy.yaml (simplified):
Envoy listens on application-defined ports (10000 above) and exposes an admin interface on port 9901 for stats and health. Logs are written to stdout. For production, configuration is often managed dynamically via xDS APIs or baked into images for reproducibility.
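A minimal static configuration using the ports named in the preceding paragraph, given here as an added example and not the page's original listing. The cluster name `app_backend`, the upstream host `app` on port 8080, and the `<pinned-tag>` placeholder are assumptions, as is the image loading `/etc/envoy/envoy.yaml` by default.

```yaml
# Added example. Run with the config mounted read-only (placeholder tag):
#   docker run --rm -p 10000:10000 \
#     -v "$PWD/envoy.yaml:/etc/envoy/envoy.yaml:ro" envoyproxy/envoy:<pinned-tag>
admin:
  address:
    socket_address:
      # The admin endpoint can shut down and reconfigure Envoy, so bind it
      # to loopback instead of 0.0.0.0 and do not publish 9901.
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:            # access logs go to stdout, as described above
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app_backend }   # hypothetical cluster name
  clusters:
  - name: app_backend
    type: STRICT_DNS
    connect_timeout: 1s
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: app_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: app, port_value: 8080 }  # hypothetical upstream
```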
Image variants
Published under envoyproxy/envoy, the image includes:
Envoy releases frequently introduce new filters and protocol features; production environments should pin versions and validate config compatibility during upgrades.