IT Brief Ireland - Technology news for CIOs & IT decision-makers

Tetrate unveils Built on Envoy open source extension hub

Wed, 11th Mar 2026

Tetrate has launched Built on Envoy, an open source marketplace of extensions that plug into the Envoy proxy and service mesh ecosystem. It is positioned as a way for teams to adopt Envoy features faster, particularly for deployments that involve AI workloads.

Envoy is an open source proxy first created at Lyft in 2015. It sits in the data plane for application traffic and is used for routing, observability and policy enforcement in modern distributed systems. Envoy also underpins service mesh implementations, where operators manage traffic policies and security controls across microservices.

The marketplace focuses on extensions that address common deployment issues. Tetrate has packaged these components as ready-to-use modules and released them free of charge under the Apache 2.0 licence.

Many Envoy users have built bespoke extensions in-house and maintained them privately. That approach can duplicate engineering effort across organisations, especially for authentication, policy controls and compliance checks. Tetrate argues that a shared repository of modules reduces that duplication and standardises common patterns.

Envoy at scale

Envoy has a long track record in large-scale production environments. Lyft reported that by September 2016, Envoy was processing more than 2 million requests per second across its infrastructure. Lyft has also said Envoy handles millions of machine learning predictions daily.

Security has been a prominent theme in Envoy's evolution, including participation in Google's Vulnerability Reward Program. Other widely cited deployments include Netflix, which processes billions of API requests a day, and Airbnb, which handles more than 1 million user events per second while relying on Envoy for traffic management. Tetrate estimates that at least 44% of enterprises use Envoy in production or are evaluating it for production use, including AWS, Docker, SAP, Atlassian and LY Corporation.

Extension focus

Built on Envoy launches with modules focused on security, AI governance and operational configuration. For security and authentication, the initial list includes extensions for WAF integration, OAuth2 token exchange, SAML, and authorisation workflows.

For AI governance, the early set includes an extension that checks large language model requests against Azure Content Safety. Another extension caches model requests, which can reduce repeated calls in some AI application patterns.

Operational modules include proxy configuration for data platforms and routing zone pinning. The marketplace also includes a file-server extension, allowing teams to serve static assets such as HTML pages, dashboards and documentation directly from Envoy without running a separate web server.

Tetrate expects additional modules from third parties and is encouraging organisations to contribute extensions to the shared catalogue.

Developer workflow

A key part of the launch is tooling for installing and running extensions. Built on Envoy includes a command-line package manager that can run Envoy with selected extensions on a local machine. Tetrate says this shortens experimentation cycles when developers prototype new traffic, security or governance patterns.

Matt Klein, the creator of Envoy, said recent changes in the broader ecosystem are making extension development accessible to more developers. "To date, writing extensions for Envoy has been a laborious process that involves writing C++ and compiling a fully custom build of the entire proxy," Klein said. "The rise of dynamic modules and allowing either Go or Rust to be used for extensions is going to unlock Envoy extensibility to way more people. I'm really excited about the Built on Envoy effort making it super easy for everyone to get started with Envoy extensions and I'm looking forward to using it to build Rust Envoy extensions for use at bitdrift."

Varun Talwar, CTO at Tetrate, said the company has seen the same issues recur during large-scale deployments.

"For years, we have worked with enterprise customers deploying Envoy at scale, and we have seen firsthand the same challenges come up again and again. Too many teams are solving the same problems independently. Built on Envoy gives the community a way to share those solutions openly, so every Envoy user can move faster. We built this for the ecosystem, and we are inviting everyone to come use it and contribute back."

Chris Aniszczyk, CTO at the Cloud Native Computing Foundation, framed the move as a contribution to the wider open source environment around cloud native infrastructure. "Envoy has become one of the most high-velocity and impactful open source projects in the cloud native ecosystem," Aniszczyk said. "When contributing organizations like Tetrate step forward to lower the barriers to adoption, they create pathways for more developers to contribute upstream; that kind of leadership strengthens the entire ecosystem."

Rohit Agrawal, an Envoy maintainer and software engineer at Databricks, said developer experience is a practical issue for teams that want to customise Envoy. "Envoy is powerful, but it can be complicated and tricky to configure and extend," Agrawal said. "Built on Envoy makes it extremely easy to extend Envoy using Go and Rust, and the developer experience is simple enough for our non-power users who don't know Envoy's internals."

Built on Envoy is available now, and Tetrate expects the catalogue to expand as the community adds more extensions over time.