Tutorial  on  NetworkingObservability

Accelerating Transparent Ingress Proxy with eBPF and Envoy

Teodor Janez Podobnik
by  Teodor Janez Podobnik
This lab teaches you how to use eBPF socket acceleration to speed up communication between processes on localhost and optimize a transparent Envoy proxy setup. You will implement techniques that bypass parts of the kernel networking stack, allowing data to be transferred more directly between sockets to improve throughput and reduce latency.

In the previous lab we learned what role different features—such as eBPF TC programs, SO_ORIGINAL_DST, and SO_MARK—play in transparently redirecting traffic to Envoy between the client and the server application.

That said, putting a middleman like Envoy into the network path inevitably hurts the performance.

So the real question, then, is how much of this performance tax we can realistically eliminate—if any.

In this lab, we focus on optimizing transparent redirection on the receiving pod using eBPF socket acceleration. We show how eBPF can significantly speed up communication between the Envoy proxy and the application, mitigating much of the performance overhead introduced by the proxy.

The Bottleneck

A side effect of introducing a transparent proxy like Envoy is that packets traverse the kernel networking stack twice, as well as connections being terminated, processed, and forwarded by the proxy.

Base Setup - Network Packet Path

Let's say you don't take my word for it - here are the benchmark results performed using iperf3 and sockperf comparing the setup with and without Envoy in-between.

[object Object]

💡 Although the benchmark was run in a controlled environment, the absolute numbers are less meaningful because they depend on the specific setup; what really matters is the relative difference between the results.

So almost 20% lower network throughput and more than 2x larger network latency!

A lot of room for improvement and one way to optimize this setup is using eBPF socket acceleration.

Materials by an Independent Author

Extra content pack required to access this material

Accelerating Transparent Ingress Proxy with eBPF and Envoy
Content Pack

Accelerating Transparent Ingress Proxy with eBPF and Envoy

Teodor Janez Podobnik by Teodor Janez Podobnik
View Pack

How to Author Tutorials on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull tutorial content

labctl content pull tutorial ebpf-envoy-ingress-acceleration-ad8d4111

This will create a local copy of the tutorial content in a directory named ebpf-envoy-ingress-acceleration-ad8d4111. You only need to do this once per tutorial.

Stream your changes

labctl content push -fw tutorial ebpf-envoy-ingress-acceleration-ad8d4111

Run this command in a separate terminal to continuously upload your changes to the server while editing the tutorial in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start tutorial