Network

For a list of available Network filters, see Envoy Network Filters.

Configuration Overview

Network filters are configured in Grey Matter Control API on a per-Listener basis.

Unlike HTTP filters, Network filters cannot be configured once in a Proxy object to apply to multiple Listeners. Instead, each Listener must carry its own Network filter configuration.

Example Configuration

To edit the Listener object, run:

greymatter edit listener <listener-key>

The following is an example of configuring a Network filter in a Listener object by specifying values in two of its fields -- the active_network_filters field and the network_filters field:

{
  "zone_key": "default-zone",
  "listener_key": "listener2",
  "name": "listener2",
  "domain_keys": [
    "domain1"
  ],
  "ip": "0.0.0.0",
  "port": 8080,
  "protocol": "http_auto",
  "active_network_filters": [
    "envoy.tcp_proxy"
  ],
  "network_filters": {
    "envoy_tcp_proxy": {
      "stat_prefix": "tcp_proxy",
      "cluster": "tcp_proxy"
    }
  }
}

This configuration tells the corresponding Grey Matter Proxy to enable the envoy.tcp_proxy filter for its listener2 Listener only.

Note that the keys in the active_network_filters array use a period following their prefix, while the network_filters object uses underscores all the way through.

Known Ordering Dependencies

The following Network filters must not be configured together, and whichever one is selected must be the last entry in the active_network_filters array. Each of them is a terminal filter: it takes over the connection, so any filter listed after it would never run.

  • TCP Proxy Filter

  • Dubbo Proxy Filter

  • Echo Filter

Otherwise, Grey Matter Proxy will reject the Listener configuration update.
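The naming rule (period in active_network_filters, underscores in network_filters) and the terminal-filter ordering rule are easy to get wrong by hand, and a rejected Listener update gives little feedback. The script below is an added example, not part of the Grey Matter documentation or tooling: it lints a Listener object against exactly the rules stated on this page, using the filter names from the table further down. The "bad" Listener it checks is constructed for the example and its filter bodies are placeholders.

```python
"""Lint the Network filter section of a Grey Matter Listener object.

Added example, not part of the Grey Matter documentation or tooling. It
checks the rules given on this page: an active_network_filters entry is
spelled with a period after the "envoy" prefix and its network_filters key
with underscores; every active filter has a config entry and vice versa; and
the terminal filters (TCP Proxy, Dubbo Proxy, Echo) are mutually exclusive
and must be last in active_network_filters.
"""
import json
import sys

# Active Filter Names from the table on this page.
KNOWN_FILTERS = {
    "envoy.mongo_proxy", "envoy.rate_limit", "envoy.redis_proxy",
    "envoy.rbac", "envoy.tcp_proxy", "envoy.sni_cluster",
    "envoy.client_ssl_auth", "envoy.ext_authz", "envoy.local_rate_limit",
    "envoy.dubbo_proxy", "envoy.kafka_broker", "envoy.echo",
}

# Filters the page says must not be configured together and must come last.
TERMINAL_FILTERS = {"envoy.tcp_proxy", "envoy.dubbo_proxy", "envoy.echo"}


def config_key(active_name):
    """Map an active_network_filters name to its network_filters key,
    e.g. "envoy.tcp_proxy" -> "envoy_tcp_proxy"."""
    return active_name.replace(".", "_")


def lint_listener(listener):
    """Return a list of problems; an empty list means the Listener passes."""
    problems = []
    active = listener.get("active_network_filters") or []
    configs = listener.get("network_filters") or {}

    for name in active:
        if "." not in name:
            problems.append(f"active filter {name!r} must use a period after its prefix")
        elif name not in KNOWN_FILTERS:
            problems.append(f"unknown network filter {name!r}")
        if config_key(name) not in configs:
            problems.append(f"{name!r} is active but network_filters has no {config_key(name)!r} entry")

    expected = {config_key(n) for n in active}
    for key in configs:
        if key not in expected:
            problems.append(f"network_filters entry {key!r} has no matching active filter")

    terminals = [n for n in active if n in TERMINAL_FILTERS]
    if len(terminals) > 1:
        problems.append(f"terminal filters {terminals} must not be configured together")
    elif terminals and active[-1] != terminals[0]:
        problems.append(f"{terminals[0]!r} must be last in active_network_filters")
    return problems


# The Listener from this page; it should lint clean.
PAGE_EXAMPLE = {
    "zone_key": "default-zone",
    "listener_key": "listener2",
    "name": "listener2",
    "domain_keys": ["domain1"],
    "ip": "0.0.0.0",
    "port": 8080,
    "protocol": "http_auto",
    "active_network_filters": ["envoy.tcp_proxy"],
    "network_filters": {
        "envoy_tcp_proxy": {"stat_prefix": "tcp_proxy", "cluster": "tcp_proxy"}
    },
}

# Constructed bad Listener (not from the page): the terminal filter is not
# last, and the RBAC config key is spelled with a period instead of an
# underscore. Filter bodies are placeholders.
BAD_EXAMPLE = {
    "listener_key": "listener3",
    "active_network_filters": ["envoy.tcp_proxy", "envoy.rbac"],
    "network_filters": {
        "envoy_tcp_proxy": {"stat_prefix": "tcp_proxy", "cluster": "tcp_proxy"},
        "envoy.rbac": {"stat_prefix": "rbac"},
    },
}


def main(argv):
    """Lint a Listener JSON file named on the command line, or the two
    built-in examples when no file is given. Exit status 1 on any problem."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            targets = {argv[1]: json.load(f)}
    else:
        targets = {"page example": PAGE_EXAMPLE, "bad example": BAD_EXAMPLE}
    status = 0
    for label, listener in targets.items():
        problems = lint_listener(listener)
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the Listener JSON you are about to apply to a file and run the script on it before the edit; the bad example reports three problems (missing envoy_rbac entry, stray envoy.rbac key, envoy.tcp_proxy not last), which are the same three mistakes the proxy would otherwise reject without explanation.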

Envoy Network Filters

To learn how to enable any of the Envoy Network filters in the Fabric mesh, refer to the Network Filters configuration overview.

The following table lists all Envoy Network filters that may be configured. Some general information on each filter is given below; for full configuration details, refer to the Envoy documentation. Envoy filters that Envoy marks as experimental have been excluded.

Note that the Active Filter Name is a simplified form of the name Envoy itself uses (e.g. envoy.tcp_proxy is used in place of envoy.filters.network.tcp_proxy).

Available Network Filters

Filter                      Active Filter Name
Mongo Proxy                 envoy.mongo_proxy
Rate Limit                  envoy.rate_limit
Redis Proxy                 envoy.redis_proxy
Role Based Access Control   envoy.rbac
TCP Proxy                   envoy.tcp_proxy
SNI Cluster                 envoy.sni_cluster
Client TLS                  envoy.client_ssl_auth
External Authorization      envoy.ext_authz
Local Rate Limit            envoy.local_rate_limit
Dubbo Proxy                 envoy.dubbo_proxy
Kafka Broker                envoy.kafka_broker
Echo                        envoy.echo

Mongo Proxy

A MongoDB sniffing filter that does MongoDB wire format BSON parsing and provides detailed MongoDB operation statistics. It also supports fault injection. It relies on the TCP Proxy filter for its connection.

Rate Limit

Integrates with a global gRPC rate limiting service, such as Envoy's reference implementation, to control throughput across the Fabric mesh by preventing downstream hosts from overwhelming upstream clusters. It is not a terminal filter, so it relies on the TCP Proxy filter, listed after it, to carry the connection.

Redis Proxy

Enables Envoy as a Redis proxy, partitioning commands among the instances of a Redis cluster. It also supports active and passive health checking, hash tagging, prefix routing, downstream client and upstream server authentication, and request mirroring.

Role Based Access Control

Allows or denies actions (permissions) by identified downstream clients (principals). It supports configuration using either a safe-list (ALLOW) or block-list (DENY) set of policies based on properties of the connection (IPs, ports, SSL subject, etc.). With an ALLOW list, a connection that matches no policy is denied; with a DENY list, a connection that matches no policy is allowed.

Unlike the HTTP RBAC filter, policies cannot allow or deny a request based on its HTTP headers, since this filter operates at the Network level and only sees connection properties.
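The safe-list versus block-list distinction matters most in the no-match case, which is where misconfigured RBAC silently fails open or closed. The script below is an added example, not Grey Matter or Envoy code: it models the Network RBAC decision rule over the L4 properties named above (source IP, destination port, TLS client subject). The field names follow the shape of Envoy's RBAC configuration, but the matching is a deliberately small re-implementation, and the two rule sets and connections are constructed for the example.

```python
"""Model the decision rule of the Network RBAC filter over L4 connection
properties.

Added example, not Grey Matter or Envoy code. The field names (action,
policies, principals, permissions, source_ip, destination_port,
authenticated, any) follow the shape of Envoy's RBAC configuration, but the
matching below is a small re-implementation written for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    """Properties a Network filter can see: no HTTP headers here."""
    source_ip: str
    dest_port: int
    tls_subject: Optional[str] = None  # None for plaintext connections


def _principal_matches(principal, conn):
    if principal.get("any"):
        return True
    if "source_ip" in principal:
        net = ipaddress.ip_network(principal["source_ip"], strict=False)
        return ipaddress.ip_address(conn.source_ip) in net
    if "authenticated" in principal:
        # Exact match on the client certificate subject; a plaintext
        # connection has no subject and therefore never matches.
        return conn.tls_subject == principal["authenticated"]
    return False


def _permission_matches(permission, conn):
    if permission.get("any"):
        return True
    if "destination_port" in permission:
        return conn.dest_port == permission["destination_port"]
    return False


def policy_matches(policy, conn):
    """A policy matches when at least one principal AND at least one
    permission match (the same combination rule Envoy uses)."""
    principal_ok = any(_principal_matches(p, conn) for p in policy.get("principals", []))
    permission_ok = any(_permission_matches(p, conn) for p in policy.get("permissions", []))
    return principal_ok and permission_ok


def is_admitted(rules, conn):
    """True if the connection is allowed under `rules`.

    ALLOW: admit only on a policy match; everything else is denied.
    DENY:  refuse on a policy match; everything else is admitted.
    """
    matched = any(policy_matches(pol, conn) for pol in rules["policies"].values())
    if rules["action"] == "ALLOW":
        return matched
    if rules["action"] == "DENY":
        return not matched
    raise ValueError(f"unknown action {rules['action']!r}")


# Constructed safe-list: only the 10.0.0.0/8 range, or a client presenting
# the ops certificate, may reach port 6379. Everything else is denied.
ALLOW_RULES = {
    "action": "ALLOW",
    "policies": {
        "redis-admins": {
            "principals": [{"source_ip": "10.0.0.0/8"},
                           {"authenticated": "CN=ops-client"}],
            "permissions": [{"destination_port": 6379}],
        }
    },
}

# Constructed block-list: refuse everything from 192.168.0.0/16, admit the rest.
DENY_RULES = {
    "action": "DENY",
    "policies": {
        "block-lab": {
            "principals": [{"source_ip": "192.168.0.0/16"}],
            "permissions": [{"any": True}],
        }
    },
}

if __name__ == "__main__":
    for conn in (Connection("10.1.2.3", 6379),
                 Connection("10.1.2.3", 8080),
                 Connection("203.0.113.7", 6379),
                 Connection("203.0.113.7", 6379, "CN=ops-client"),
                 Connection("192.168.1.5", 6379)):
        print(conn, "ALLOW ->", is_admitted(ALLOW_RULES, conn),
              "DENY ->", is_admitted(DENY_RULES, conn))
```

Note the asymmetry the two rule sets expose: under ALLOW_RULES an unlisted source on an unlisted port is refused, while under DENY_RULES the same connection is admitted. A safe-list is the right default for a listener fronting a datastore; a block-list only makes sense when the listener is otherwise open.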

TCP Proxy

Enables basic L3/L4 proxying for 1:1 network connections between downstream clients and upstream clusters. It can be used by itself as an stunnel replacement, or in conjunction with several other network filters.

SNI Cluster

Uses the SNI value presented in a TLS connection as the upstream cluster name; it does not modify the upstream cluster for non-TLS connections. Because the cluster name is taken from a client-controlled value, every cluster the proxy can route to becomes selectable by any downstream client, so use this filter only on listeners where that is intended.

Client TLS

Performs TLS client authentication via principals fetched from a REST VPN service. This filter matches the hash of the presented client certificate against the principal list to determine whether the connection should be allowed. Optional IP allow-listing can also be configured.

External Authorization

Calls an external authorization service to check whether the incoming connection is authorized. If the service deems the connection unauthorized, the filter closes it.

Local Rate Limit

Applies a token bucket rate limit to incoming connections that are processed by the filter’s filter chain. Each connection processed by the filter utilizes a single token, and if no tokens are available, the connection will be immediately closed without further filter iteration.

Dubbo Proxy

Decodes the RPC protocol between Dubbo clients and servers. The decoded RPC information is converted to metadata, which includes the basic request ID, request type, serialization type, and the service name, method name, parameter name, and parameter value required for routing.

Kafka Broker

Decodes the client protocol for Apache Kafka, both the requests and responses in the payload.

Echo

A trivial network filter meant to demonstrate the network filter API. If installed it will echo (write) all received data back to the connected downstream client.
