Client Traffic Policy: Support Connection Limiting #2685
Closed
Description:
Limiting active connections for an edge proxy is a security and resilience best practice, as described in the Envoy edge best practices document.
When a single Envoy deployment is proxying multiple backends, it could be beneficial to apply granular downstream connection limits, e.g. per Gateway or Listener. This creates a degree of resource isolation between different backends exposed by the proxy and allows Envoy Gateway administrators to allocate resources based on the expected volume of traffic, SLAs, etc.
Envoy can limit L4 connections at various levels:
- Process Connection Limits in overload manager (across all listeners): Global downstream connection limits. #1966
- Listener Connection Limits: Ensure Envoy recommended edge proxy settings are set by default #1048
- Filter Chain Connection Limits: applies connection limits on filter chains
EG's Client Traffic Policy can be extended to support connection limits. The best candidate for implementation is the Envoy Network Connection Limit Filter.
Labels: kind/enhancement (New feature or request)
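The filter-chain and listener levels listed in the issue, shown as an added Envoy static configuration (not part of the original issue and not output generated by Envoy Gateway). Listener names, ports, clusters and limit values are constructed for illustration; each listener gets its own connection budget, so one backend exhausting its limit does not consume the other's.

```yaml
# Constructed example: listener names, ports, clusters and limits are illustrative.
static_resources:
  listeners:
  - name: gateway_a
    address: { socket_address: { address: 0.0.0.0, port_value: 10000 } }
    filter_chains:
    - filters:
      # Filter-chain level: caps active connections handled by this chain only.
      - name: envoy.filters.network.connection_limit
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
          stat_prefix: gateway_a
          max_connections: 2000
          delay: 1s   # hold an over-limit connection briefly before closing it
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: gateway_a_tcp
          cluster: backend_a
  - name: gateway_b
    address: { socket_address: { address: 0.0.0.0, port_value: 10001 } }
    filter_chains:
    - filters:
      - name: envoy.filters.network.connection_limit
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit
          stat_prefix: gateway_b
          max_connections: 200   # smaller budget for a lower-volume backend
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: gateway_b_tcp
          cluster: backend_b
  clusters:
  - name: backend_a
    connect_timeout: 1s
    type: STATIC
    load_assignment: { cluster_name: backend_a, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: 127.0.0.1, port_value: 8080 } } } } ] } ] }
  - name: backend_b
    connect_timeout: 1s
    type: STATIC
    load_assignment: { cluster_name: backend_b, endpoints: [ { lb_endpoints: [ { endpoint: { address: { socket_address: { address: 127.0.0.1, port_value: 8081 } } } } ] } ] }
# Listener level: runtime key envoy.resource_limits.listener.<listener name>.connection_limit
layered_runtime:
  layers:
  - name: static_layer_0
    static_layer:
      envoy: { resource_limits: { listener: { gateway_a: { connection_limit: 5000 } } } }
```

Connections rejected by the filter are counted under `connection_limit.<stat_prefix>.limited_connections`, which gives a per-listener signal to alert on when a limit is being hit.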