Envoy admin interface

    Note

    This guide provides configuration information, and some basic examples of using a couple of the admin endpoints.

    See the admin docs for information on all of the available endpoints.

    Requirements

    Some of the examples below make use of the jq tool to parse the output from the admin server.

    The is required to enable and configure the administration server.

    The address key specifies the listening address which in the demo configuration is 0.0.0.0:9901.

    In this example, the logs are simply discarded.

    Warning

    As the endpoint is not authenticated it is essential that you limit access to it.

    You may wish to restrict the network address the admin server listens to in your own deployment as part of your strategy to limit access to this endpoint.

    The Envoy HttpConnectionManager must be configured with stat_prefix.

    This provides a key that can be filtered when querying the stats interface as shown below.

    In the demo configuration the listener is configured with the stat_prefix of ingress_http.

    static_resources:

      listeners:
      - name: listener_0
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 10000
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              access_log:
              - name: envoy.access_loggers.stdout
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              http_filters:
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:

    The config_dump endpoint returns Envoy’s runtime configuration in JSON format.

    The following command allows you to see the types of configuration available:

    To view the address of the first dynamic_listener currently configured, you could:

    $ curl -s http://localhost:9901/config_dump?resource=dynamic_listeners | jq '.configs[0].active_state.listener.address'
    {
      "socket_address": {
        "address": "0.0.0.0",
        "port_value": 10000
      }
    }

    Tip

    Enabling the interface with dynamic configuration can be particularly useful as it allows you to use the config_dump endpoint to see how Envoy is configured at a particular point in time.
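The warning above about the unauthenticated admin endpoint can be checked against a config_dump document. The following is an added example, not part of the Envoy documentation: it classifies the admin server's bind address. The function names are hypothetical, the samples are constructed, and it assumes the dump contains a BootstrapConfigDump section with the admin address at bootstrap.admin.address.

```python
import ipaddress

BOOTSTRAP_TYPE = "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump"


def admin_address(config_dump):
    """Return the bootstrap admin 'address' object from a config_dump dict, or None."""
    for section in config_dump.get("configs", []):
        if section.get("@type") == BOOTSTRAP_TYPE:
            return section.get("bootstrap", {}).get("admin", {}).get("address")
    return None


def classify_admin_bind(config_dump):
    """Return 'absent', 'pipe', 'loopback', 'wildcard', 'routable' or 'unknown'."""
    addr = admin_address(config_dump)
    if not addr:
        return "absent"          # no admin block found in the dump
    if "pipe" in addr:
        return "pipe"            # Unix domain socket, no TCP exposure
    host = addr.get("socket_address", {}).get("address", "")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"         # not an IP literal; review by hand
    if ip.is_unspecified:
        return "wildcard"        # 0.0.0.0 or ::, listens on every interface
    return "loopback" if ip.is_loopback else "routable"


def make_dump(address):
    """Build a minimal config_dump-shaped dict (constructed sample, not real output)."""
    return {"configs": [{"@type": BOOTSTRAP_TYPE,
                         "bootstrap": {"admin": {"address": address}}}]}


# Constructed samples: the demo's 0.0.0.0:9901 and a loopback-only alternative.
DEMO = make_dump({"socket_address": {"address": "0.0.0.0", "port_value": 9901}})
LOCAL = make_dump({"socket_address": {"address": "127.0.0.1", "port_value": 9901}})

if __name__ == "__main__":
    for label, dump in (("demo", DEMO), ("loopback", LOCAL)):
        print(label, classify_admin_bind(dump))
```

A result of wildcard or routable means access has to be limited by other means, such as network policy or a firewall in front of the port.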

    The admin stats endpoint allows you to retrieve runtime information about Envoy.

    The stats are provided as key: value pairs, where the keys use a hierarchical dotted notation, and the values are one of counter, histogram or gauge types.

    To see the top-level categories of stats available, you can:

    The stats endpoint accepts a filter argument, which is evaluated as a regular expression:

    $ curl -s http://localhost:9901/stats?filter='^http\.ingress_http'
    http.ingress_http.downstream_cx_delayed_close_timeout: 0
    http.ingress_http.downstream_cx_destroy: 3
    http.ingress_http.downstream_cx_destroy_active_rq: 0
    http.ingress_http.downstream_cx_destroy_local: 0
    http.ingress_http.downstream_cx_destroy_local_active_rq: 0
    http.ingress_http.downstream_cx_destroy_remote: 3
    http.ingress_http.downstream_cx_destroy_remote_active_rq: 0
    http.ingress_http.downstream_cx_drain_close: 0
    http.ingress_http.downstream_cx_http1_active: 0
    http.ingress_http.downstream_cx_http1_total: 3
    http.ingress_http.downstream_cx_http2_active: 0
    http.ingress_http.downstream_cx_http2_total: 0
    http.ingress_http.downstream_cx_http3_active: 0
    http.ingress_http.downstream_cx_http3_total: 0
    http.ingress_http.downstream_cx_idle_timeout: 0
    http.ingress_http.downstream_cx_max_duration_reached: 0
    http.ingress_http.downstream_cx_overload_disable_keepalive: 0
    http.ingress_http.downstream_cx_protocol_error: 0
    http.ingress_http.downstream_cx_rx_bytes_buffered: 0
    http.ingress_http.downstream_cx_rx_bytes_total: 250
    http.ingress_http.downstream_cx_ssl_active: 0
    http.ingress_http.downstream_cx_ssl_total: 0
    http.ingress_http.downstream_cx_total: 3
    http.ingress_http.downstream_cx_tx_bytes_buffered: 0
    http.ingress_http.downstream_cx_tx_bytes_total: 1117
    http.ingress_http.downstream_cx_upgrades_active: 0
    http.ingress_http.downstream_cx_upgrades_total: 0
    http.ingress_http.downstream_flow_control_paused_reading_total: 0
    http.ingress_http.downstream_flow_control_resumed_reading_total: 0
    http.ingress_http.downstream_rq_1xx: 0
    http.ingress_http.downstream_rq_2xx: 3
    http.ingress_http.downstream_rq_3xx: 0
    http.ingress_http.downstream_rq_4xx: 0
    http.ingress_http.downstream_rq_5xx: 0
    http.ingress_http.downstream_rq_active: 0
    http.ingress_http.downstream_rq_completed: 3
    http.ingress_http.downstream_rq_http1_total: 3
    http.ingress_http.downstream_rq_http2_total: 0
    http.ingress_http.downstream_rq_http3_total: 0
    http.ingress_http.downstream_rq_idle_timeout: 0
    http.ingress_http.downstream_rq_non_relative_path: 0
    http.ingress_http.downstream_rq_response_before_rq_complete: 0
    http.ingress_http.downstream_rq_rx_reset: 0
    http.ingress_http.downstream_rq_timeout: 0
    http.ingress_http.downstream_rq_too_large: 0
    http.ingress_http.downstream_rq_total: 3
    http.ingress_http.downstream_rq_tx_reset: 0
    http.ingress_http.downstream_rq_ws_on_non_ws_route: 0
    http.ingress_http.no_cluster: 0
    http.ingress_http.no_route: 0
    http.ingress_http.passthrough_internal_redirect_bad_location: 0
    http.ingress_http.passthrough_internal_redirect_no_route: 0
    http.ingress_http.passthrough_internal_redirect_predicate: 0
    http.ingress_http.passthrough_internal_redirect_too_many_redirects: 0
    http.ingress_http.passthrough_internal_redirect_unsafe_scheme: 0
    http.ingress_http.rq_direct_response: 0
    http.ingress_http.rq_redirect: 0
    http.ingress_http.rq_reset_after_downstream_response_started: 0
    http.ingress_http.rq_total: 3
    http.ingress_http.rs_too_large: 0
    http.ingress_http.tracing.client_enabled: 0
    http.ingress_http.tracing.health_check: 0
    http.ingress_http.tracing.not_traceable: 0
    http.ingress_http.tracing.random_sampling: 0
    http.ingress_http.tracing.service_forced: 0
    http.ingress_http.downstream_cx_length_ms: P0(nan,2.0) P25(nan,2.075) P50(nan,3.05) P75(nan,17.25) P90(nan,17.7) P95(nan,17.85) P99(nan,17.97) P99.5(nan,17.985) P99.9(nan,17.997) P100(nan,18.0)
    http.ingress_http.downstream_rq_time: P0(nan,1.0) P25(nan,1.075) P50(nan,2.05) P75(nan,16.25) P90(nan,16.7) P95(nan,16.85) P99(nan,16.97) P99.5(nan,16.985) P99.9(nan,16.997) P100(nan,17.0)
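The text output above can be parsed into scalar values and histogram quantiles, for example to list the top-level categories or to pick out non-zero counters when reviewing a proxy. This is an added example, not part of the Envoy documentation: the function names are hypothetical, and the sample reuses a few lines from the output above (histogram line abridged) plus one constructed server.uptime line.

```python
import re

# One histogram quantile as printed by /stats: P<q>(<interval>,<cumulative>)
QUANTILE_RE = re.compile(r"P(\d+(?:\.\d+)?)\(([^,()]+),([^,()]+)\)")


def parse_stats(text):
    """Split text-format stats into ({name: int}, {name: {"P50": (interval, cumulative)}})."""
    scalars, histograms = {}, {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(": ")
        if not sep:
            continue                     # not a "key: value" line
        quantiles = QUANTILE_RE.findall(value)
        if quantiles:
            histograms[name] = {"P" + q: (float(i), float(c)) for q, i, c in quantiles}
        elif value.isdigit():
            scalars[name] = int(value)   # counter or gauge; the text form does not say which
    return scalars, histograms


def top_level(names):
    """Top-level categories of the hierarchical dotted stat names."""
    return sorted({n.split(".", 1)[0] for n in names})


def nonzero(scalars, pattern):
    """Scalars whose name matches the regex and whose value is above zero."""
    rx = re.compile(pattern)
    return {n: v for n, v in scalars.items() if v and rx.search(n)}


# Sample: http.* lines from the output above (abridged); server.uptime is constructed.
SAMPLE = """\
http.ingress_http.downstream_cx_protocol_error: 0
http.ingress_http.downstream_rq_2xx: 3
http.ingress_http.downstream_rq_5xx: 0
http.ingress_http.rq_total: 3
http.ingress_http.downstream_rq_time: P0(nan,1.0) P25(nan,1.075) P50(nan,2.05) P99(nan,16.97) P100(nan,17.0)
server.uptime: 42
"""

if __name__ == "__main__":
    scalars, histograms = parse_stats(SAMPLE)
    print(top_level(list(scalars) + list(histograms)))
    print(nonzero(scalars, r"^http\.ingress_http\.downstream_rq_"))
    print(histograms["http.ingress_http.downstream_rq_time"]["P50"])
```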

    You can also pass a format argument, for example to return JSON:

    [
      {
        "value": 0,
        "name": "http.ingress_http.rq_direct_response"
      },
      {
        "value": 0,
        "name": "http.ingress_http.rq_redirect"
      },
      {
        "value": 0,
        "name": "http.ingress_http.rq_reset_after_downstream_response_started"
      },
      {
        "value": 3,
        "name": "http.ingress_http.rq_total"

    Envoy also has a web user interface that allows you to view and modify settings and statistics.

    Point your browser to http://localhost:9901.