Wasm Builders

Emre Savcı
Emre Savcı

Posted on

Extending Envoy Proxy - WASM Filter with Golang

Image description

Envoy is an open source service proxy especially designed for cloud native applications. It has a wide variety of features like connection pooling, retry mechanism, TLS management, compression, health checking, fault injection, rate limiting, authorization etc. Those are achieved with built-in http filters. And today I will talk about a special filter which name is WASM Filter.

Drawed in excalidraw.com by Emre Savcı<br>

This article is not meant for explaining what is WASM, so I am skipping explaining WASM instead I will add resources for that at the end of the article.

Why We Use WASM Filter

In Trendyol Tech. We are using Istio as a service mesh. And our team’s (DevX) responsibility is improving developer experience by developing applications which meets common requirements of microservice’s like caching, authorization, rate limiting, cross cluster service discovery etc.

Since we already use Istio why not take advantages of the power of Envoy Proxy’s extensibility.

Our use case is acquiring JWT token for microservice’s which identifies that microservice application. When we want to avoid every team to write the same code in different languages, we can create a WASM Filter and inject it into Envoy Proxies.

Advantages of WASM Filters:

  • It allows to write code in any language which has WASM support
  • Dynamically load code to Envoy
  • WASM code is isolated from Envoy so crashes in WASM not affect Envoy

In Envoy Proxy there are worker threads that handles incoming requests. Every worker thread has its own WASM VM. So if you write time based operational code it works separately for every thread.

In Envoy Proxy every worker thread isolated from each other and has one or multiple WASM VM. There is also a concept called WASM Service for inter thread communications and data sharing (we are not cover this).

Drawed in excalidraw.com by Emre Savcı

Writing WASM in Go

We are going to use tetratelabs/proxy-wasm-go-sdk to write WASM in Go. We also need TinyGo to build our Go code as WASM.

Our use case is very simple so we write a code which sends request to JWT Api for every 15 second. It extracts authorization header and sets it’s value to a global variable and puts that value to response header of every incoming request. We also set “hello from wasm” value to another header called “x-wasm-filter“.

In the OnTick function we are making http call to a service known by Envoy as cluster.

Let’s build our go code as WASM:

tinygo build -o optimized.wasm -scheduler=none -target=wasi ./main.go
Enter fullscreen mode Exit fullscreen mode

Now we need to configure Envoy Proxy to use WASM Filter for incoming requests. We will define a routing rule and a WASM filter for our WASM code, also we define a cluster which represents our service.

I put all of the files into same directory. Now let’s run Envoy Proxy in Docker:

docker run -it — rm -v "$PWD"/envoy.yaml:/etc/envoy/envoy.yaml -v "$PWD"/optimized.wasm:/etc/envoy/optimized.wasm -p 9901:9901 -p 10000:10000 envoyproxy/envoy:v1.17.0
Enter fullscreen mode Exit fullscreen mode

As we can see from logs our WASM Filter started to work and sending request to JWT Api in every 15 secon

Image description

Now let’s send a request to Envoy Proxy. We configure Envoy to listen incoming requests from 1000 port and we start our container with port mapping. So we can send request to localhost:10000:

Image description

In the response headers we can see “x-wasm-filter: hello from wasm” and “x-auth” values.

Thank you for reading so far. I hope it will give you a perspective about how and why use WASM in Envoy Proxy.

You can see full example in github:

GitHub logo mstrYoda / envoy-proxy-wasm-filter-golang

A WASM Filter for Envoy Proxy written in Golang


A WASM Filter for Envoy Proxy written in Golang


tinygo build -o optimized.wasm -scheduler=none -target=wasi ./main.go

Run Envoy Proxy in Docker with WASM Filter

docker run -it --rm -v "$PWD"/envoy.yaml:/etc/envoy/envoy.yaml -v "$PWD"/optimized.wasm:/etc/envoy/optimized.wasm -p 9901:9901 -p 10000:10000 envoyproxy/envoy:v1.17.0


WebAssembly | MDN

WebAssembly is a new type of code that can be run in modern web browsers — it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++, C# and Rust with a compilation target so that they can run on the web. It is also designed to run alongside JavaScript, allowing both to work together.

favicon developer.mozilla.org

Wasm Modules and Envoy Extensibility Explained, Part 1 – The New Stack

If you've ever wondered what WebAssembly (Wasm) is and how it fits into the service mesh ecosystem, this is the article you want to read.

favicon thenewstack.io

GitHub logo tetratelabs / proxy-wasm-go-sdk

WebAssembly for Proxies (Go SDK)

This project is in its early stage, and the API is likely to change and not stable.

WebAssembly for Proxies (Go SDK) Build License

The Go SDK for Proxy-Wasm, enabling developers to write Proxy-Wasm plugins in Go This SDK is powered by TinyGo and does not support the official Go compiler.

Getting Started

  • examples directory contains the example codes on top of this SDK.
  • OVERVIEW.md the overview of Proxy-Wasm, the API of this SDK, and the things you should know when writing plugins.


  • Go 1.17 or higher.
  • TinyGo - This SDK depends on TinyGo and leverages its WASI (WebAssembly System Interface) target. Please follow the official instruction here for installing TinyGo.
  • Envoy - To run compiled examples, you need to have Envoy binary. We recommend using func-e as the easiest way to get started with Envoy. Alternatively, you can follow the official instruction.


go get cannot be used…

Image description

You can follow me on:

Discussion (0)