Protecting Cluster Endpoints


Cory Isaacson
Jul 24, 2025, 1:07:45 PM
to envoy-users
We have an existing gRPC service; when a client connects to it, a simple authorization header is generated and used by all subsequent requests.

We need to load balance the service with envoyproxy, and the way it is now it will not work, as the authorization header is often obtained from one endpoint and then an attempt is made to use that header with another endpoint (which of course has not registered the token, so it will not allow a connection).

We can disable the auth checks in the cluster service, but we do need to be sure that requests are authorized. 

My question is what is the best way to do this. Options I can see are:
  • Remove auth checking from the endpoint completely (does not seem like a good idea, even though this service will only be accessible from within our firewall and the envoyproxy)
  • Implement JWT in envoyproxy, providing a service to provide a valid token
    • This means all endpoints would still be unprotected, but at least envoy will require a valid JWT token before it allows traffic
    • Is this adequate?
  • Implement JWT and also send the token to the cluster endpoint for further validation
Any recommendations, and just as importantly an example configuration, will be very helpful.

Thanks,

Cory

Yan Avlasov
Jul 25, 2025, 9:24:35 AM
to Cory Isaacson, envoy-users
A JWT token is a common solution for a problem like this. Whether the JWT token can be created and validated at the load balancer depends on your threat model and application; there is no one-size-fits-all approach.


Cory Isaacson
Jul 25, 2025, 3:48:42 PM
to Yan Avlasov, envoy-users
Thanks Yan. JWT is what we will use; I believe I understand what to do to change the authorization process.
 
Cory

--
Cory Isaacson
http://www.coryisaacson.com

Cory Isaacson
Jul 28, 2025, 3:34:12 AM
to Yan Avlasov, envoy-users
One follow up question on this.
 
I can use a JWT, pass it in the authorization header, and have my endpoint validate the JWT.
 
Do I also need to use TLS between the downstream caller, envoyproxy and then to the endpoint? This is all behind our firewall but it is important that only authorized services can call the endpoint.
 
Let me know what you think.
 
Cory


Cory Isaacson
Jul 28, 2025, 3:34:19 AM
to Yan Avlasov, envoy-users
In reading more it seems like using JWT with endpoint validation, plus TLS (HTTPS) passthrough would be the safest option.
 
Let me know if that seems like the right way to do this.
 
Cory


Yan Avlasov
Jul 28, 2025, 3:21:10 PM
to Cory Isaacson, envoy-users
By TLS passthrough you mean you will use Envoy as a TCP proxy?

Cory Isaacson
Jul 28, 2025, 4:39:55 PM
to Yan Avlasov, envoy-users
Yan,
 
Yes, or I can have envoy terminate the TLS connection and originate a new TLS to the endpoint, either way based on your recommendation.
 
Cory


Yan Avlasov
Jul 29, 2025, 1:46:43 PM
to Cory Isaacson, envoy-users
If you just proxy the TCP connection, there will be no load balancing of individual gRPC requests. You could just keep your existing authorization mechanism.
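The thread asks for an example configuration but none was posted in it. The following is an added example (not from the envoy-users thread and not Envoy project code) of the design the discussion converges on: Envoy terminates TLS from the caller (with mTLS so only enrolled services can reach the listener), validates the JWT in the jwt_authn filter, forwards the token unchanged so the gRPC endpoint can validate it a second time against the same JWKS, and re-originates TLS to an HTTP/2 upstream cluster so that individual gRPC calls are load balanced rather than whole TCP connections. The hostnames, ports, cluster names, issuer and audience values, and certificate/JWKS file paths are all assumptions.

```yaml
# Added example, not from the envoy-users thread. Hostnames, ports, cluster
# names, issuer/audience values and file paths are assumptions.
static_resources:
  listeners:
  - name: grpc_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        # Terminate TLS here: HTTP-aware proxying needs the plaintext stream.
        # A tcp_proxy listener would pin each connection to one backend and
        # balance connections, not individual gRPC calls.
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true   # mTLS: only enrolled callers reach the listener
          common_tls_context:
            alpn_protocols: [h2]
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/tls/envoy.crt }
              private_key: { filename: /etc/envoy/tls/envoy.key }
            validation_context:
              trusted_ca: { filename: /etc/envoy/tls/internal-ca.crt }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: grpc_ingress
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: grpc_backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: grpc_backend }
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                internal_issuer:
                  issuer: https://auth.internal.example      # assumed token service
                  audiences: [grpc-backend]                   # reject tokens minted for other services
                  from_headers:
                  - name: authorization
                    value_prefix: "Bearer "
                  # Default is to strip the token after verification; keep it so
                  # the gRPC endpoint can validate it again with the same JWKS.
                  forward: true
                  # Public keys of the token service, shared with the endpoints.
                  # Use remote_jwks (with a cluster for the JWKS URL) if keys rotate.
                  local_jwks: { filename: /etc/envoy/jwks.json }
              rules:
              # Every path requires a valid token; failures get a 401 at Envoy.
              - match: { prefix: "/" }
                requires: { provider_name: internal_issuer }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: grpc_backend
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    # Speak HTTP/2 upstream so each gRPC call is routed independently.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: grpc_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: grpc-backend.internal.example, port_value: 50051 }
    transport_socket:
      # Re-originate TLS so the hop behind Envoy is encrypted and authenticated too.
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: grpc-backend.internal.example
        common_tls_context:
          validation_context:
            trusted_ca: { filename: /etc/envoy/tls/internal-ca.crt }
```

With this layout every endpoint must accept the same token, which is what replaces the per-endpoint registration that broke under load balancing: the token service signs, and Envoy and each endpoint verify the signature, `iss`, `aud` and `exp` against the same public keys. Because the token is forwarded, the endpoint's own check still holds if a caller somehow reaches it without going through Envoy; if that path must be closed as well, have the endpoint's TLS listener require Envoy's client certificate. Swapping the HTTP connection manager for a tcp_proxy filter would avoid all of this but, as noted in the reply above, balances only connections, so the existing per-connection token would keep working at the cost of per-request load balancing.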

Cory Isaacson
Jul 29, 2025, 3:40:24 PM
to Yan Avlasov, envoy-users
Thanks, makes perfect sense now.
