Network

For a list of available Network filters, see Envoy Network Filters.

Configuration Overview

Network filters are configured in the Grey Matter Control API on a per-Listener basis.

Unlike HTTP filters, Network filters may not be configured in a Proxy object in order to apply to multiple listeners. Instead, each Listener must have its own Network filter configuration.

Example Configuration

To edit the Listener object, run:

greymatter edit listener <listener-key>

The following is an example of configuring a Network filter in a Listener object by setting two of its fields, active_network_filters and network_filters:

{
  "zone_key": "default-zone",
  "listener_key": "listener2",
  "name": "listener2",
  "domain_keys": [
    "domain1"
  ],
  "ip": "0.0.0.0",
  "port": 8080,
  "protocol": "http_auto",
  "active_network_filters": [
    "envoy.tcp_proxy"
  ],
  "network_filters": {
    "envoy_tcp_proxy": {
      "stat_prefix": "tcp_proxy",
      "cluster": "tcp_proxy"
    }
  }
}

This configuration tells the corresponding Grey Matter Proxy to enable the envoy.tcp_proxy filter for its listener2 Listener only.

Note that the names in the active_network_filters array use a period after the envoy prefix (envoy.tcp_proxy), while the matching keys of the network_filters object replace that period with an underscore (envoy_tcp_proxy). A filter listed under one spelling and configured under the other will not be matched up.

Known Ordering Dependencies

The following Network filters terminate the filter chain, so at most one of them may be active on a Listener, and that one must be the last entry in the active_network_filters array:

  • TCP Proxy Filter

  • Dubbo Proxy Filter

  • Echo Filter

Otherwise, Grey Matter Proxy will reject the Listener configuration update.
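The following Python script is an example added here, not code from Grey Matter or Envoy. It turns the naming rule (period in active_network_filters, underscore in network_filters) and the ordering rule above into a pre-flight check that can be run on a Listener object before it is submitted with greymatter edit listener. The sample Listeners it checks are constructed for the example; the envoy_rbac key and the Envoy RBAC settings beneath it are assumptions made by analogy with the envoy_tcp_proxy entry shown earlier, not a mapping this page documents.

```python
"""Pre-flight checks for the Network filter fields of a Grey Matter Listener.

Added example, not Grey Matter or Envoy code. It encodes the two rules stated
on this page so a Listener can be checked before `greymatter edit listener`:
  1. each active_network_filters name has its settings under network_filters,
     keyed with the period replaced by an underscore (envoy.tcp_proxy ->
     envoy_tcp_proxy);
  2. envoy.tcp_proxy, envoy.dubbo_proxy and envoy.echo may not share a chain,
     and the one present must be the last entry of active_network_filters.
"""

# Filters listed under "Known Ordering Dependencies".
TERMINAL_FILTERS = {"envoy.tcp_proxy", "envoy.dubbo_proxy", "envoy.echo"}

# Active Filter Names from the "Available Network Filters" table.
KNOWN_FILTERS = TERMINAL_FILTERS | {
    "envoy.mongo_proxy", "envoy.rate_limit", "envoy.redis_proxy", "envoy.rbac",
    "envoy.sni_cluster", "envoy.client_ssl_auth", "envoy.ext_authz",
    "envoy.local_rate_limit", "envoy.kafka_broker", "envoy.mysql_proxy",
    "envoy.zookeeper_proxy", "envoy.thrift_proxy", "envoy.direct_response",
    "envoy.postgres_proxy", "envoy.rocketmq_proxy",
}


def config_key(active_name: str) -> str:
    """Map an active_network_filters entry to its network_filters key."""
    return active_name.replace(".", "_")


def check_listener(listener: dict) -> list:
    """Return the problems found; an empty list means the Listener passes."""
    problems = []
    active = listener.get("active_network_filters", [])
    configs = listener.get("network_filters", {})

    for name in active:
        if name not in KNOWN_FILTERS:
            problems.append(f"{name!r} is not a known Active Filter Name")
        if config_key(name) not in configs:
            problems.append(f"{name} is active but network_filters has no "
                            f"{config_key(name)!r} entry")

    expected_keys = {config_key(name) for name in active}
    for key in configs:
        # A settings block that nothing activates is almost always a naming
        # slip (period instead of underscore, or a typo) in one of the fields.
        if key not in expected_keys:
            problems.append(f"network_filters entry {key!r} matches nothing in "
                            "active_network_filters")

    terminal = [name for name in active if name in TERMINAL_FILTERS]
    if len(terminal) > 1:
        problems.append("only one of " + ", ".join(sorted(TERMINAL_FILTERS))
                        + " may be active; found " + ", ".join(terminal))
    elif terminal and active[-1] != terminal[0]:
        problems.append(f"{terminal[0]} must be the last entry of "
                        "active_network_filters")
    return problems


TCP = {"stat_prefix": "tcp_proxy", "cluster": "tcp_proxy"}

# Constructed sample Listeners (trimmed to the two fields being checked).
PAGE_EXAMPLE = {"listener_key": "listener2",
                "active_network_filters": ["envoy.tcp_proxy"],
                "network_filters": {"envoy_tcp_proxy": TCP}}

# Allow-list RBAC ahead of the terminal tcp_proxy. The envoy_rbac key and the
# Envoy RBAC settings under it are assumed by analogy with envoy_tcp_proxy.
RBAC_THEN_TCP = {"listener_key": "listener-rbac",
                 "active_network_filters": ["envoy.rbac", "envoy.tcp_proxy"],
                 "network_filters": {
                     "envoy_rbac": {"stat_prefix": "rbac", "rules": {
                         "action": "ALLOW",
                         "policies": {"internal-only": {
                             "permissions": [{"any": True}],
                             "principals": [{"direct_remote_ip": {
                                 "address_prefix": "10.0.0.0", "prefix_len": 8}}]}}}},
                     "envoy_tcp_proxy": TCP}}

# Rejected by Grey Matter Proxy: two of the ordering-dependent filters together.
TWO_TERMINALS = {"listener_key": "listener-bad-1",
                 "active_network_filters": ["envoy.echo", "envoy.tcp_proxy"],
                 "network_filters": {"envoy_echo": {}, "envoy_tcp_proxy": TCP}}

# Rejected by Grey Matter Proxy: tcp_proxy is not the last entry.
TERMINAL_NOT_LAST = {"listener_key": "listener-bad-2",
                     "active_network_filters": ["envoy.tcp_proxy", "envoy.rbac"],
                     "network_filters": {"envoy_tcp_proxy": TCP, "envoy_rbac": {}}}

# Naming slip: the settings key kept the period instead of an underscore.
NAME_MISMATCH = {"listener_key": "listener-bad-3",
                 "active_network_filters": ["envoy.tcp_proxy"],
                 "network_filters": {"envoy.tcp_proxy": TCP}}

if __name__ == "__main__":
    for lst in (PAGE_EXAMPLE, RBAC_THEN_TCP, TWO_TERMINALS,
                TERMINAL_NOT_LAST, NAME_MISMATCH):
        print(lst["listener_key"], check_listener(lst) or "OK")
```

To check a real Listener, load its JSON with json.load and pass the resulting dict to check_listener; an empty list means both the naming and ordering rules hold, and each string in a non-empty list names the field that needs fixing. The KNOWN_FILTERS set only catches misspelled names; it does not validate the Envoy settings under each key.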

Envoy Network Filters

To learn how to enable any of the Envoy Network filters in the Fabric mesh, refer to the Network Filters configuration overview.

The following table lists the Envoy Network filters that may be configured. A short description of each filter follows the table; for configuration details, refer to the Envoy documentation. Some Envoy filters have been excluded because Envoy marks them as experimental; included filters that are still experimental are noted as such in their descriptions.

Note that the Active Filter Name is the simplified form used in Grey Matter Proxy rather than Envoy's full extension name (e.g. envoy.tcp_proxy is used in place of envoy.filters.network.tcp_proxy).

Available Network Filters

Filter                      Active Filter Name        Guide                        Envoy documentation
--------------------------  ------------------------  ---------------------------  -------------------
Mongo Proxy                 envoy.mongo_proxy         #mongo-proxy                 External Link
Rate Limit                  envoy.rate_limit          #rate-limit                  External Link
Redis Proxy                 envoy.redis_proxy         #redis-proxy                 External Link
Role Based Access Control   envoy.rbac                #role-based-access-control   External Link
TCP Proxy                   envoy.tcp_proxy           #tcp-proxy                   External Link
SNI Cluster                 envoy.sni_cluster         #sni-cluster                 External Link
Client TLS                  envoy.client_ssl_auth     #client-tls                  External Link
External Authorization      envoy.ext_authz           #ext-authz                   External Link
Local Rate Limit            envoy.local_rate_limit    #local-rate-limit            External Link
Dubbo Proxy                 envoy.dubbo_proxy         #dubbo-proxy                 External Link
Kafka Broker                envoy.kafka_broker        #kafka-broker                External Link
Echo                        envoy.echo                #echo                        External Link
MySQL Proxy                 envoy.mysql_proxy         #mysql-proxy                 External Link
ZooKeeper Proxy             envoy.zookeeper_proxy     #zookeeper-proxy             External Link
Thrift Proxy                envoy.thrift_proxy        #thrift-proxy                External Link
Direct Response             envoy.direct_response     #direct-response             External Link
Postgres Proxy              envoy.postgres_proxy      #postgres-proxy              External Link
RocketMQ Proxy              envoy.rocketmq_proxy      #rocketmq-proxy              External Link

Mongo Proxy

A MongoDB sniffing filter that does MongoDB wire format BSON parsing and provides detailed MongoDB operation statistics. It also supports fault injection. It relies on the TCP Proxy filter for its connection.

Rate Limit

Integrates with a global gRPC rate limiting service such as Envoy's reference implementation to control throughput throughout the Fabric mesh by preventing downstream hosts from overwhelming upstream clusters. It relies on the TCP Proxy filter for its connection.

Redis Proxy

Enables Envoy as a Redis proxy, partitioning commands among instances in a Redis cluster. It also supports active and passive health checking, hash tagging, prefix routing, downstream client and upstream server authentication, and request mirroring.

Role Based Access Control

Allows or denies actions (permissions) by identified downstream clients (principals). It supports configuration using either a safe-list (ALLOW) or block-list (DENY) set of policies based on properties of the connection (IPs, ports, SSL subject, etc).

Unlike the HTTP RBAC filter, policies may not allow or deny a request based on its HTTP headers since this filter operates at the Network level.

TCP Proxy

Enables basic L3/L4 proxying for 1:1 network connections between downstream clients and upstream clusters. It can be used by itself as an stunnel replacement, or in conjunction with several other network filters.

SNI Cluster

Uses the SNI value in a TLS connection as the upstream cluster name. The filter will not modify the upstream cluster for non-TLS connections.

Client TLS

Performs TLS client authentication via principals fetched from a REST VPN service. This filter matches the presented client certificate hash against the principal list to determine whether the connection should be allowed or not. Optional IP white listing can also be configured.

External Authorization

Calls an external authorization service to check whether each new downstream connection is authorized. If the service denies the connection, the filter closes it.

Local Rate Limit

Applies a token bucket rate limit to incoming connections that are processed by the filter’s filter chain. Each connection processed by the filter utilizes a single token, and if no tokens are available, the connection will be immediately closed without further filter iteration.

Dubbo Proxy

Decodes the RPC protocol between Dubbo clients and servers. The decoded RPC information is converted to metadata, which includes the request ID, request type, serialization type, and the service name, method name, parameter names and parameter values needed for routing.

Kafka Broker

Decodes the client protocol for Apache Kafka, both the requests and responses in the payload.

Echo

A trivial network filter meant to demonstrate the network filter API. If installed it will echo (write) all received data back to the connected downstream client.

MySQL Proxy

Note: currently experimental only

Decodes the wire protocol between the MySQL client and server. It decodes the SQL queries in the payload (SQL99 format only).

ZooKeeper Proxy

Note: currently experimental only

Decodes the client protocol for Apache ZooKeeper. It decodes the requests, responses and events in the payload.

Thrift Proxy

Note: currently experimental only

Decodes the client protocol for Apache Thrift RPC.

Direct Response

Responds to new downstream connections immediately with an optional canned response. It can be used as the terminal filter in a chain to collect telemetry for blocked traffic.

Postgres Proxy

Note: currently experimental only

Decodes the wire protocol between the Postgres client and server. It decodes the request to produce Postgres level statistics. The current version does not decode SQL queries.

RocketMQ Proxy

Proxies requests and responses between Apache RocketMQ producers/consumers and brokers.