Envoy is a Layer 7 proxy and communication bus designed for large modern service-oriented architectures. Envoy versions v1.7.0 and later support an external authorization filter, which calls an authorization service to check whether the incoming request is authorized. This feature makes it possible to delegate authorization decisions to an external service. It also makes the request context available to that service, which can then use it to make an informed decision about the incoming request received by Envoy.
This tutorial shows how Envoy’s external authorization filter can be used with OPA as an authorization service to enforce security policies over API requests received by Envoy. It also covers examples of authoring policies over the HTTP request body. It is based on the HTTP API Authorization OPA tutorial with added policies to control the ingress or egress behavior of the application and client.
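To make the request-body case concrete, here is a small policy added as an illustration; it is not taken from the tutorial itself. It assumes the OPA-Envoy plugin's input layout (`input.attributes.request.http`, `input.parsed_path`, `input.parsed_body`) and a hypothetical `/people` API whose JSON body carries `firstname` and `lastname` fields.

```rego
package envoy.authz

import rego.v1

# Fail closed: a request is denied unless a rule below explicitly allows it.
default allow := false

# Request context that Envoy's external authorization filter sends to OPA.
http_request := input.attributes.request.http

# Reads of the (hypothetical) /people collection are allowed.
allow if {
	http_request.method == "GET"
	input.parsed_path == ["people"]
}

# Writes are allowed only when the JSON body passes the checks below.
# input.parsed_body is only present when Envoy is configured to forward
# the request body to the authorization service.
allow if {
	http_request.method == "POST"
	input.parsed_path == ["people"]
	valid_person(input.parsed_body)
}

# Hypothetical body rule: both fields must be strings and must differ.
valid_person(body) if {
	is_string(body.firstname)
	is_string(body.lastname)
	body.firstname != body.lastname
}
```

Because `allow` defaults to `false`, a request with a missing or unparseable body never matches the `POST` rule and is rejected rather than passed through.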