Introduction
If you currently use an Envoy proxy in your environment as a load balancer and you intend to use Cequence Defender, you will need to configure the Envoy proxy to work with Defender. There are two common Envoy proxy integration scenarios, in-line and loop-back, both described below. The difference is where Defender sits relative to the proxy: in-line, Defender forwards inspected traffic on to the origin itself; loop-back, Defender hands inspected traffic back to the proxy, which then forwards it to the origin.
Integration Scenarios
Cequence Defender And Envoy Proxy In-line
If you intend to configure the Envoy proxy to run in-line with Defender, use the envoy-inline.yaml file shown in Figure 1.4 at the bottom of this section. In an in-line configuration, traffic goes first to the proxy, is then passed to Defender, and finally goes on to the application origin.
To edit your copy of the envoy-inline.yaml file follow the steps below:
1. Copy the complete envoy-inline.yaml located in Figure 1.4 at the bottom of this section into your preferred text editor. Make sure that the file retains its formatting when copied: YAML is indentation-sensitive, so keep the spaces exactly as shown and do not convert them to tabs.
2. Using a text editor, update the IP address and port configuration for Defender under clusters in the envoy-inline.yaml file. The values that need to be updated to reflect your environment are the address and port_value fields shown in Figure 1.1 Defender Values below.
3. Once you have finished editing the envoy-inline.yaml file (complete the remaining steps in this section first), create a config map from it with the following command. Save the file as envoy.yaml before running it: kubectl uses the file name as the key inside the config map, and the Envoy container later mounts the key envoy.yaml at /etc/envoy/envoy.yaml (see the subPath in Figure 1.6), so a config map whose key is envoy-inline.yaml would leave Envoy without a configuration file.
kubectl create cm envoy-cm --from-file envoy.yaml
clusters:
- name: defender
  connect_timeout: 0.25s
  type: strict_dns
  lb_policy: round_robin
  hosts:
  - socket_address:
      address: 34.219.159.54
      port_value: 80
Figure 1.1 Defender Values
4. Using a text editor, update the IP address and port configuration for your application origin server in the envoy-inline.yaml file. The values to change are the address and port_value fields shown in Figure 1.2 Application Origin Values below.
- name: origin
  connect_timeout: 0.25s
  type: strict_dns
  lb_policy: round_robin
  hosts:
  - socket_address:
      address: 34.219.159.54
      port_value: 8080
Figure 1.2 Application Origin Values
5. The section of the envoy-inline.yaml file below configures an active health check for Defender: if Defender stops responding to the health check from the Envoy proxy, traffic is forwarded directly to the application origin server. The default parameters shown in Figure 1.3 below do not need to be changed, but are supplied for your information. The health check path /.stealth-check is the endpoint Defender answers health checks on and should be left as is. The parameters are explained in the table below.
Value | Definition |
timeout | The amount of time Defender has to respond to a health check from the Envoy proxy before that check counts as failed. |
interval | The interval at which the Envoy proxy sends health checks to Defender. |
unhealthy_threshold | The number of consecutive failed health checks before Defender is marked unhealthy and traffic is sent directly to the application origin. |
healthy_threshold | The number of consecutive successful health checks before Defender is marked healthy again and traffic is sent back to it. |
health_checks:
- timeout: 1s
  interval: 5s
  unhealthy_threshold: 1
  healthy_threshold: 1
  http_health_check:
    path: "/.stealth-check"
Figure 1.3 Health Check Values
The complete envoy-inline.yaml below can be copied and pasted into your preferred text editor to be edited. You will need to make sure that the file retains its formatting. Two points in the file are worth noting. The listener is on port 10006, which is the port the Defender overrides in Figure 1.6 expose for the Envoy container; the two must match. The admin interface on port 9906 is unauthenticated and, as written, bound to 0.0.0.0; it is useful for checking the health state of the defender cluster after deployment (GET /clusters lists the health_flags of every host), but bind it to 127.0.0.1 unless you genuinely need to reach it from outside the pod.
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10006
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  weighted_clusters:
                    clusters:
                    - name: defender
                      weight: 100
                    - name: origin
                      weight: 0
          http_filters:
          - name: envoy.router
  clusters:
  - name: defender
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 34.219.159.54
        port_value: 80
    health_checks:
    - timeout: 1s
      interval: 5s
      unhealthy_threshold: 1
      healthy_threshold: 1
      http_health_check:
        path: "/.stealth-check"
  - name: origin
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 34.219.159.54
        port_value: 8080
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9906
Figure 1.4 envoy-inline.yaml
Cequence Defender And Envoy Proxy Loop-back
If you intend to configure the Envoy proxy to run in a loop-back configuration with Defender, use the envoy-loopback.yaml file shown in Figure 1.5 at the bottom of this section.
In a loop-back configuration the Envoy proxy passes traffic to Defender; Defender adds a custom header to the traffic and passes it back to the Envoy proxy, which recognises the header and forwards the traffic to the application origin.
To edit your copy of the envoy-loopback.yaml file follow the steps below:
1. Copy the complete envoy-loopback.yaml located in Figure 1.5 at the bottom of this section into your preferred text editor. Make sure that the file retains its formatting when copied: YAML is indentation-sensitive, so keep the spaces exactly as shown and do not convert them to tabs.
2. Using a text editor, update the IP address and port configuration for Defender under clusters in the envoy-loopback.yaml file. The values that need to be updated to reflect your environment are the address and port_value fields shown in Figure 1.1 Defender Values below.
clusters:
- name: defender
  connect_timeout: 0.25s
  type: strict_dns
  lb_policy: round_robin
  hosts:
  - socket_address:
      address: 34.219.159.54
      port_value: 80
Figure 1.1 Defender Values
3. Using a text editor, update the IP address and port configuration for your application origin server in the envoy-loopback.yaml file. The values to change are the address and port_value fields shown in Figure 1.2 Application Origin Values below.
- name: origin
  connect_timeout: 0.25s
  type: strict_dns
  lb_policy: round_robin
  hosts:
  - socket_address:
      address: 34.219.159.54
      port_value: 8080
Figure 1.2 Application Origin Values
4. The section of the envoy-loopback.yaml file below configures an active health check for Defender: if Defender stops responding to the health check from the Envoy proxy, traffic is forwarded directly to the application origin server. The default parameters shown in Figure 1.3 below do not need to be changed, but are supplied for your information. The health check path /.stealth-check is the endpoint Defender answers health checks on and should be left as is. The parameters are defined in the table below.
Value | Definition |
timeout | The amount of time Defender has to respond to a health check from the Envoy proxy before that check counts as failed. |
interval | The interval at which the Envoy proxy sends health checks to Defender. |
unhealthy_threshold | The number of consecutive failed health checks before Defender is marked unhealthy and traffic is sent directly to the application origin. |
healthy_threshold | The number of consecutive successful health checks before Defender is marked healthy again and traffic is sent back to it. |
health_checks:
- timeout: 1s
  interval: 5s
  unhealthy_threshold: 1
  healthy_threshold: 1
  http_health_check:
    path: "/.stealth-check"
Figure 1.3 Health Check Values
5. The final item to edit in the envoy-loopback.yaml file is the exact_match value for the custom header shown in Figure 1.4 below. Defender adds this header to the traffic it passes back to the Envoy proxy. When a request carrying x-cq-select with exactly this value arrives at the proxy, the first route in the configuration matches, the proxy treats the request as already processed by Defender, and the request is forwarded directly to the application origin server. The value you enter here must be the same value Defender is configured to insert. Because any request that carries the header with this value skips Defender entirely, treat the value as a secret: replace the example 123456789 with a long random string, and make sure untrusted clients cannot supply the header on the path into listener_0 (for example, strip or reject x-cq-select at whatever sits in front of the proxy).
- match:
    prefix: "/"
    headers:
    - name: "x-cq-select"
      exact_match: "123456789"
Figure 1.4 Custom Header Value
The complete envoy-loopback.yaml file below can be copied and pasted into your preferred text editor to be edited. You will need to make sure that the file retains its formatting. Note that this configuration listens on port 10003 and exposes its admin interface on port 9903, whereas the in-line configuration uses 10006 and 9906; the container port in your Defender overrides (Figure 1.6) must match the listener port of the file you deploy. As with the in-line file, the admin interface is unauthenticated, so bind it to 127.0.0.1 unless you need to reach it from outside the pod.
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10003
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                  headers:
                  - name: "x-cq-select"
                    exact_match: "123456789"
                route:
                  cluster: origin
              - match:
                  prefix: "/"
                route:
                  weighted_clusters:
                    clusters:
                    - name: defender
                      weight: 100
                    - name: origin
                      weight: 0
          http_filters:
          - name: envoy.router
  clusters:
  - name: defender
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 34.219.159.54
        port_value: 80
    health_checks:
    - timeout: 1s
      interval: 5s
      unhealthy_threshold: 1
      healthy_threshold: 1
      http_health_check:
        path: "/.stealth-check"
  - name: origin
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 34.219.159.54
        port_value: 8080
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9903
Figure 1.5 envoy-loopback.yaml
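Both the in-line and the loop-back procedures rely on the Defender health check (Figure 1.3) to decide whether traffic still reaches Defender, so it is worth confirming what Envoy actually thinks of the defender cluster after deployment rather than assuming. The script below is an added example for this guide, not code from Cequence or Envoy. It parses the plain-text output of Envoy's admin endpoint (curl -s http://127.0.0.1:9906/clusters for envoy-inline.yaml, port 9903 for envoy-loopback.yaml) and reports whether any host in the defender cluster is currently passing the active health check on /.stealth-check. The /clusters line format it parses (cluster::ip:port::field::value) is Envoy's; the sample output embedded in the script is constructed to show one failed check and does not come from a real deployment.

```python
"""Report Defender's health as Envoy sees it, from the admin /clusters endpoint.

Added example for the Cequence Defender + Envoy guide (not Cequence or Envoy code).
Usage:  curl -s http://127.0.0.1:9906/clusters | python3 defender_health.py
Exit status 0 if at least one defender host is healthy, 1 otherwise.
"""
import sys
from collections import defaultdict


def parse_clusters(text):
    """Return {cluster: {"ip:port": {field: value}}} from /clusters text output.

    Per-host lines look like:   defender::34.219.159.54:80::health_flags::healthy
    Cluster-level lines such as defender::default_priority::max_connections::1024
    have no ip:port in the second position and are skipped. IPv6 hosts, which
    Envoy prints as [addr]:port, contain '::' themselves and are not handled here.
    """
    clusters = defaultdict(dict)
    for line in text.splitlines():
        parts = line.strip().split("::")
        if len(parts) < 4:
            continue
        cluster, host, field = parts[:3]
        value = "::".join(parts[3:])
        if not host.rsplit(":", 1)[-1].isdigit():  # second field is not ip:port
            continue
        clusters[cluster].setdefault(host, {})[field] = value
    return dict(clusters)


def healthy_hosts(clusters, name):
    """Hosts of cluster `name` whose health_flags are exactly 'healthy'.

    Any other value, e.g. '/failed_active_hc' after a missed /.stealth-check,
    means Envoy will not pick that host for new requests.
    """
    return sorted(host for host, fields in clusters.get(name, {}).items()
                  if fields.get("health_flags") == "healthy")


def defender_healthy(text, cluster="defender"):
    """True if at least one Defender host is passing the Envoy health check."""
    return bool(healthy_hosts(parse_clusters(text), cluster))


def report(text):
    """One line per host: cluster, ip:port, and its health flags."""
    lines = []
    for name, hosts in sorted(parse_clusters(text).items()):
        for host, fields in sorted(hosts.items()):
            lines.append(f"{name:10} {host:22} {fields.get('health_flags', '?')}")
    return lines


# Constructed sample of /clusters output: Defender has failed its active health
# check while the origin is healthy. Not captured from a real deployment.
SAMPLE = """\
defender::34.219.159.54:80::cx_active::0
defender::34.219.159.54:80::health_flags::/failed_active_hc
defender::34.219.159.54:80::weight::1
defender::default_priority::max_connections::1024
origin::34.219.159.54:8080::cx_active::3
origin::34.219.159.54:8080::health_flags::healthy
origin::34.219.159.54:8080::weight::1
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(report(text)))
    if defender_healthy(text):
        print("defender: healthy, requests are being passed to Defender")
        sys.exit(0)
    print("defender: no healthy host, the health-check failover to origin is in effect")
    sys.exit(1)
```

Run it without input to see the constructed sample, or pipe the real /clusters output into it from inside the pod. A non-zero exit while you expect Defender to be up means the proxy is not sending it traffic, whatever the application appears to be doing.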
Envoy deployment with Cequence Defender
You can deploy the Envoy proxy as part of your Cequence Defender deployment by adding the following to the overrides file for your Defender deployment. This tells Defender and the Envoy proxy how the two interact. The Envoy proxy reads its configuration from the config map you created earlier in this document: the envoy-cm config map is mounted into the container, and its envoy.yaml key becomes /etc/envoy/envoy.yaml. The containerPort and jerald.port values below (10006) match the listener in envoy-inline.yaml; if you deploy the loop-back configuration instead, set both to the loop-back listener port, 10003.
extraVolumes:
- name: pod-files
  configMap:
    name: envoy-cm
extraContainers:
- name: envoy
  image: envoyproxy/envoy:v1.14-latest
  imagePullPolicy: IfNotPresent
  ports:
  - name: envoyhttp
    containerPort: 10006
    protocol: TCP
  volumeMounts:
  - name: pod-files
    mountPath: /etc/envoy/envoy.yaml
    subPath: envoy.yaml
jerald:
  port: 10006
Figure 1.6 Envoy proxy information for the Defender overrides file
Next, edit the service.yaml in the defender/templates directory. Refer to the Defender overrides example in Figure 1.6, where a port named "jerald" is defined. In service.yaml, add the following reference to that port. You can name the port whatever you like, but make sure that everything else matches the examples provided in this document.
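The checks below, an added example that is not part of the Cequence documentation or tooling, tie together step 3 (creating the envoy-cm config map) and the overrides in Figure 1.6. Before the config map is created they verify that the Envoy file uses spaces rather than tabs, that the example address 34.219.159.54 and the example x-cq-select value have been replaced, that in the loop-back file the header route precedes the catch-all route (Envoy uses the first route that matches), and that the listener port equals containerPort and jerald.port in the overrides; they also warn when the admin interface is bound to 0.0.0.0. The script assumes the file layout of Figures 1.4, 1.5 and 1.6. The create_envoy_cm function uses the key=path form of --from-file so the config map key is envoy.yaml whatever the local file is named.

```shell
#!/bin/sh
# check_envoy_cfg.sh: static sanity checks on an Envoy config for Cequence Defender
# before it becomes the envoy-cm ConfigMap. Added example for this guide, not
# Cequence tooling; assumes the layout of envoy-inline.yaml / envoy-loopback.yaml
# and of the Defender overrides in Figure 1.6.

EXAMPLE_ADDR=34.219.159.54       # placeholder address used in the figures
EXAMPLE_HEADER_VALUE=123456789   # placeholder x-cq-select value in envoy-loopback.yaml

# yaml_value FILE KEY: value of the first "KEY: value" line, quotes stripped
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# listener_port FILE: port_value of the first listener socket_address
listener_port() {
  awk '/^[[:space:]]*listeners:/ {l=1} l && /port_value:/ {print $2; exit}' "$1"
}

# admin_bind FILE: address the admin interface is bound to (empty if no admin block)
admin_bind() {
  awk '/^[[:space:]]*admin:/ {a=1} a && /address:[[:space:]]*[0-9]/ {print $2; exit}' "$1"
}

# first_line FILE PATTERN: line number of the first match, empty if none
first_line() {
  grep -n "$2" "$1" | head -n 1 | cut -d: -f1
}

# check_envoy_cfg ENVOY_FILE OVERRIDES_FILE: prints findings, returns 1 on any FAIL
check_envoy_cfg() {
  cfg=$1 ovr=$2 rc=0
  if grep -q "$(printf '\t')" "$cfg"; then
    echo "FAIL: $cfg contains tabs; YAML indentation must be spaces"; rc=1
  fi
  if grep -q "$EXAMPLE_ADDR" "$cfg"; then
    echo "FAIL: example address $EXAMPLE_ADDR still present; set your Defender and origin addresses"; rc=1
  fi
  lp=$(listener_port "$cfg"); cp=$(yaml_value "$ovr" containerPort); jp=$(yaml_value "$ovr" port)
  if [ -z "$lp" ] || [ "$lp" != "$cp" ] || [ "$lp" != "$jp" ]; then
    echo "FAIL: listener port '$lp' must equal containerPort '$cp' and jerald.port '$jp' in the overrides"; rc=1
  fi
  if grep -q 'exact_match' "$cfg"; then                 # loop-back configuration
    h=$(first_line "$cfg" 'exact_match'); w=$(first_line "$cfg" 'weighted_clusters')
    if [ -n "$w" ] && [ "$h" -gt "$w" ]; then
      echo "FAIL: the x-cq-select route must come before the catch-all route (first match wins)"; rc=1
    fi
    if grep -q "exact_match: \"$EXAMPLE_HEADER_VALUE\"" "$cfg"; then
      echo "FAIL: x-cq-select still has the example value; use a long random secret"; rc=1
    fi
  fi
  if [ "$(admin_bind "$cfg")" = "0.0.0.0" ]; then
    echo "WARN: unauthenticated admin interface is bound to 0.0.0.0; prefer 127.0.0.1"
  fi
  return $rc
}

# create_envoy_cm ENVOY_FILE: the ConfigMap key must be envoy.yaml because the
# container mounts subPath envoy.yaml (Figure 1.6), whatever the local file name.
create_envoy_cm() {
  kubectl create configmap envoy-cm --from-file="envoy.yaml=$1"
}

# Usage: sh check_envoy_cfg.sh envoy-loopback.yaml overrides.yaml
if [ "$#" -eq 2 ]; then
  if check_envoy_cfg "$1" "$2"; then echo "OK: $1 is consistent with $2"; else exit 1; fi
fi
```

Source the script to call create_envoy_cm after the checks pass, or run it directly against the two files. It is a text-level check only; Envoy itself still validates the file when the container starts, so watch the envoy container logs on first deployment.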
Version History
Date | Version | Notes |
Aug 20, 2023 | 3 | Updated to support latest ingestion API endpoint. |
Feb 12, 2023 | 2 | Updated with loop-back deployment. |
Sep 2, 2022 | 1 | Initial version. |