Skip to main content

Overview of DAS Envoy System

The DAS Envoy system type helps you manage the ingress and egress network traffic permitted within your Envoy-based service mesh. For example, permit egress traffic only to a predefined collection of endpoints, to minimize the risk of data exfiltration, and implement microservice API authorization.

envoy-opa-das-ingress

Figure 1: Envoy Architecture for Ingress traffic

envoy-opa-das-egress

Figure 2: Envoy Architecture for Egress traffic

For more information on how Envoy’s external authorization filter can be used with OPA as an authorization service to enforce security policies over API requests received by Envoy, see the Envoy tutorial.