Use Envoy to setup a tunnel between networks

For a hybrid-cloud use-case we are looking into the suitability of EnvoyProxy to act as a solution to move data across an on-premise firewall. The intended setup is as follows:

  • App A is located in an on premise network with no direct outbound or inbound Internet connection
  • App B is located on the cloud
  • An envoy proxy (PC) is placed in the cloud
  • An envoy proxy (PA) is placed in the on-premise network, and configured to allow outbound network connection to PC
  • PA creates a open bi-directional authenticated TLS connection to PC, effectively creating a tunnel between them
  • App B invokes an API endpoint at PC, which gets routed to PA over the open TLS connection, and forwarded by PA to App A

Routing data with Envoy to upstream clusters is well documented. However, we are wondering if Envoy is able to setup a TLS connection between two proxy instances and use that channel in both directions. The constraint is that this TLS connection can be setup from one direction (outbound) only.

If this is possible, could someone point me to the right direction?

With kind regards, Joost

Frisbie answered 2/9, 2020 at 13:4

Hello Joost. Did you manage to solve this problem? – Exscind

Yes, we use Envoy to create mTLS tunnels between networks.

See https://www.youtube.com/watch?v=nWKu7ThNKwM&list=PLHsuXkXI4xdjGlGkCBdxIAmkzfWXqsUrO&index=3

Jurat answered 3/6, 2022 at 15:38

Hi Csanchez, thanks for the link to the video. I watched it and it uses a lot of protocols I still need to deep dive into. Could you quickly confirm that the setting suggested in this video allows for an Envoy to connect to an upstream Envoy endpoint and that the upstream Envoy can use that established connection with the downstream to communicate without using the downstream endpoint? – Exscind

If by "without using the downstream endpoint" you mean the communication is bidirectional, no. The upstream Envoy does not listen for connections if the connection is initiated by the downstream. But you could use a protocol over the Envoy tunnel like SSH that allows remote incoming connections. – Jurat

So Envoy opens a tunnel from downstream to upstream, and upstream must connect to a cluster endpoint. In my case there is none. Are you suggesting that the cluster endpoint leads to an SSH proxy? But how does the connection get back to the downstream? You can read more about my issue here; if you have time, I would really appreciate your feedback: github.com/envoyproxy/envoy/issues/22697 – Exscind

The cluster endpoint leads to an SSH server, then a downstream app can open an SSH connection and use SSH remote port forwarding. But in this case you wouldn't even need Envoy: goteleport.com/blog/ssh-tunneling-explained – Jurat

Yeah, it defeats the purpose, but there are some benefits to the Envoy combo like mTLS, OPA integration, Authz. But these are side features. Thanks so much for your time @csanchez. I appreciate you. On a side note, great YouTube video; maybe if you still have access to the original config files, it would be nice if you made a repo with them in it. It helps people like me reproduce your setup. All the best and thanks again for your time on explaining :) – Exscind

Also, BoringProxy is a nice setup wrapped around exactly what you're talking about with extra features. This is where I ended up. – Exscind
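As an added illustration of the mTLS tunnel this answer describes (not configuration from the answerer or from the linked video), the two TLS-relevant fragments of each proxy's `static_resources`: PA opens the outbound connection with a client certificate, and PC accepts it only from a peer that presents a certificate issued by the shared private CA. Consistent with the comment above, this carries connections only from PA's side towards PC; hostnames, ports, certificate paths and the `app_b` cluster name are assumptions.

```yaml
# PA side (on-premise): cluster that opens the outbound mTLS connection to PC
clusters:
- name: pc_tunnel
  type: STRICT_DNS
  load_assignment:
    cluster_name: pc_tunnel
    endpoints:
    - lb_endpoints:
      - endpoint:
          address: { socket_address: { address: pc.example.com, port_value: 8443 } }
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: pc.example.com
      common_tls_context:
        tls_certificates:                       # PA's client identity (assumed paths)
        - certificate_chain: { filename: /etc/envoy/pa.crt }
          private_key: { filename: /etc/envoy/pa.key }
        validation_context:                     # pin PC to the private CA and its SAN
          trusted_ca: { filename: /etc/envoy/ca.crt }
          match_typed_subject_alt_names:
          - san_type: DNS
            matcher: { exact: pc.example.com }
---
# PC side (cloud): listener that accepts the tunnel only from a CA-issued client cert
listeners:
- name: tunnel_in
  address: { socket_address: { address: 0.0.0.0, port_value: 8443 } }
  filter_chains:
  - transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
        require_client_certificate: true        # reject peers without a client cert
        common_tls_context:
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/pc.crt }
            private_key: { filename: /etc/envoy/pc.key }
          validation_context:
            trusted_ca: { filename: /etc/envoy/ca.crt }
    filters:
    - name: envoy.filters.network.tcp_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
        stat_prefix: tunnel_in
        cluster: app_b                          # plain TCP onward to App B (assumed cluster)
```

Traffic in the opposite direction (App B to App A) is not served by this pair: PC has no way to initiate a connection back through PA, which is why the answerer suggests running a protocol with remote port forwarding, such as SSH, inside the tunnel.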

In Azure we use the Azure Relay Hybrid Connections service for this.

https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it

I guess AWS guys can create a WCF relay (in the above link) app and deploy it to AWS.

Floruit answered 19/7, 2021 at 1:46

What has this to do with the question? – Exscind