The DAS Envoy system type helps you manage the ingress and egress network traffic permitted within your Envoy-based service mesh. For example, permit egress traffic only to a predefined collection of endpoints, to minimize the risk of data exfiltration, and implement microservice API authorization.
Figure 1: Envoy Architecture for Ingress traffic
Figure 2: Envoy Architecture for Egress traffic
For more information on how Envoy’s external authorization filter can be used with OPA as an authorization service to enforce security policies over API requests received by Envoy, see the Envoy tutorial.