Envoy cheatsheet
Run and validate
| Command | Description |
|---|---|
envoy -c /etc/envoy/envoy.yaml | Start with config |
envoy --mode validate -c envoy.yaml | Validate config only |
envoy --version | Binary version |
ss -tlnp | grep envoy | Listener ports |
Admin interface (default :9901)
| URL | Description |
|---|---|
curl -s localhost:9901/server_info | Version, uptime, state |
curl -s localhost:9901/listeners | Active listeners |
curl -s localhost:9901/clusters | Cluster health, connections |
curl -s localhost:9901/stats | All statistics |
curl -s localhost:9901/stats/prometheus | Prometheus metrics |
curl -s localhost:9901/config_dump | Full effective config (JSON) |
Istio sidecar admin (often :15000)
kubectl exec POD -c istio-proxy -- curl -s localhost:15000/clusters
kubectl exec POD -c istio-proxy -- curl -s localhost:15000/config_dump | jq .
istioctl proxy-status
istioctl analyze
Useful stats grep
curl -s localhost:9901/stats | grep -E 'upstream_rq_|cx_|rq_5xx|rq_4xx'
curl -s localhost:9901/stats | grep cluster.my_service
Minimal static config sketch
admin:
address:
socket_address: { address: 127.0.0.1, port_value: 9901 }
static_resources:
listeners:
- name: listener_0
address:
socket_address: { address: 0.0.0.0, port_value: 10000 }
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
route_config:
virtual_hosts:
- name: backend
domains: ["*"]
routes:
- match: { prefix: "/" }
route: { cluster: service_backend }
http_filters:
- name: envoy.filters.http.router
clusters:
- name: service_backend
connect_timeout: 5s
type: STRICT_DNS
load_assignment:
cluster_name: service_backend
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address: { address: backend.local, port_value: 8080 }
Admin CLI helpers
| Command | Description |
|---|---|
curl -X POST localhost:9901/healthcheck/fail | Fail health check (testing) |
curl -X POST localhost:9901/logging?level=debug | Raise log level (runtime) |
curl -X POST localhost:9901/quitquitquit | Graceful shutdown |
Access log response flags
| Flag | Meaning |
|---|---|
UF | Upstream connection failure |
UH | No healthy upstream host |
NR | No route matched |
UO | Upstream overflow (circuit breaker) |
DC | Downstream connection termination |
Pro tips
/clustersshowshealth_flags— healthy vs failed hostsconfig_dumpis the source of truth for what Envoy actually runs- 503 +
UHin access log → no healthy endpoints in cluster - Validate before deploy:
envoy --mode validate -c envoy.yaml - Mesh issues? Pair with
istioctl proxy-statusand Kubernetes lab
Practice scenarios
Hands-on Envoy scenarios on live Linux VMs: envoy