Envoy vs HAProxy – What’s the Difference? (Pros and Cons)

Envoy vs HAProxy – What’s the Difference? (Pros and Cons). In the evolving world of digital technology, the implementation of proxy servers is essential for businesses that serve content over the internet. Proxy servers are intermediaries connecting end users and the servers where content is located. They effectively manage network traffic and ensure optimal performance and security. By utilizing a proxy server, companies benefit from better load distribution and minimal service downtime. 

As demand for these services expands, understanding and selecting the right proxy solution is vital. Envoy and HAProxy are among the leading proxy solutions. Both offer unique features and capabilities suited to different needs. Envoy is a cutting edge, high performance edge and service proxy that caters to an array of network protocols and functions. In contrast, HAProxy is a reliable and high performance proxy that’s a popular choice for load balancing

This article discusses Envoy vs HAProxy – What’s the Difference? so you make a well informed decision about the best suitable proxy for your business needs.

What is Envoy?

Envoy is an open source, high performance, edge and service proxy designed to manage and route network traffic between microservices in modern, distributed architectures. Ideal choice for cloud native applications and service mesh implementations. This Proxy is written in C++ language allowing for efficient memory and resource management.

Usually, you run Envoy as a sidecar alongside each service within an application, which in turn abstracts the network from the central business logic. In addition to load balancing, Envoy also offers resiliency features such as circuit breakers, timeouts, observability, metrics, retries, and much more. Use Envoy as a network API gateway, known as discovery services or Xds.

Features of Envoy


Envoy proxy ensures the smooth operation of the service mesh by offering users access logging, statistics, as well as distributed tracing for site engineers. It generates detailed logs and metrics as well as data tracing. This provides deep insights into network traffic, service performance, and potential bottlenecks. Improves monitoring, troubleshooting, and optimizing the system.

Envoy provides statistics for upstream (proxy receiving downstream requests), downstream (an external sending request), and server (for processing client requests), which help engineers to better understand network traffic.

Front/Edge Proxy Support

 Envoy contains a set of features that make it suitable for use as an edge proxy for a majority of modern web apps. These features include HTTP L7 routing, HTTP/1.1 HTTP/2 and HTTP/3 support, as well as TLS termination.

System Diagnostics

Envoy actively does health checks, together with service discovery on the services within a cluster to perform load balancing.

HTTP L7 Routing

Envoy Proxy advanced Layer 7 (L7) routing capabilities for HTTP traffic. You are able to redirect requests depending on parameters like authority, path, runtime values, and content type.

Some of the key features of Envoy’s HTTP L7 routing include:

  • Host, Path, Header based routing.
  • Traffic splitting.
  • Weighted routing.
  • Request retries and timeouts.

HTTP/1.1, HTTP/2, and HTTP/3 Support

Envoy supports HTTP/1.1, HTTP/2, and HTTP/3 protocols which aid in bridging the communication channel between target and client servers. Envoy also supports gRPC (a fork of the HTTP/2 protocol) which you use as the load balancing and routing substrate for gPRC requests and responses. 

L3/L4 Filter Architecture

Envoy is primarily an L3/L4 network proxy, helping to enable communication within the transport and network layers. Use Envoy’s built in filters to run various tasks such as serving as a UDP proxy, an HTTP proxy, a raw TCP proxy, and a TLS client certificate authentication authority.

Pros of Envoy

  • Facilitates searchability and congruence across your organization.
  • Extremely fast for request traffic and handles thousands of requests per second.
  • Highly extensible with a filter chain architecture to create your filters and plug them into the Envoy proxy.
  • Easy tp configuration procedure.
  • Efficient memory management.

Cons of Envoy

  • Requires proper understanding of memory allocation.
  • Envoy’s output model does not have a master or leader thread which is confusing.

Follow this article about Envoy vs HAProxy – What’s the Difference? to learn about HAProxy next. 

What is HAProxy?

HAProxy or High Availability Proxy is an open source proxying solution and TCP/HTTP Load Balancer. HAProxy runs on multiple platforms including Linux, FreeBSD, and macOS. Improves the performance of your server environment by spreading the workload across multiple servers like a web and applications.

HAProxy provides higher throughput and faster response improving performance. Best suited for high traffic sites, where concurrent connections exceed the capacity of a single server. Instead of a customer connecting to one server, the customer connects to an HAProxy instance. It employs a reverse proxy to send the request to one of the available servers.

Features of HAProxy

Load Balancing

Powerful load balancing capabilities that manage receiving and forwarding messages to another backend. It listens on either a UDP or TCP port, or both, and forward the output through UDP or TCP. HAProxy serves as a log collection point that consumes logs from applications and then sends them to a central log aggregation server. 

The ability to listen for both TCP and UDP Syslog messages allows HAProxy to integrate with various software. 

Data Plane

Haproxy’s data plane API and flexible configuration language provides the materials you need to define simple and complex routing rules. Dynamically add and configure traffic routing logic, frontends, and backends. Use it to update logging endpoints, manage stick table rules, and create SPOE filters.

SSL Termination

HAProxy supports SSL termination for both TCP and HTTP traffic. Basically, this is decrypting encrypted traffic before forwarding it to the backend servers. Instead of using web server, use SSL termination to minimize the load on individual servers. This speeds up the process but also enables the web server to focus on its primary task of delivering web content.

Service Discovery

HAProxy supports service discovery by integrating with external service discovery mechanisms. This allows it to dynamically update its backend server list and health status. HAProxy lets you use DNS service discovery to discover server changes and automatically apply them to your configuration. Use DNS for service discovery to integrate HAProxy with the consul.

Pros of HAProxy

  • Highly scalable.
  • Write rules to either block or allow specific file requests.

Cons of HAProxy

  • Does not support the HTTP cache.
  • The GUI is less responsive.

We are at the point of the main part of the article about Envoy vs HAProxy – What’s the Difference? 

Main Difference Between Envoy and HAProxy

Load Balancing

First comparison of Envoy vs HAProxy – What’s the Difference? shows that Envoy proxy’s design mainly caters to cloud native apps. Unlike HAProxy, Envoy uses a more advanced threading model that has worker threads. This model allows it to run in one individual process but still achieve parallelism using every device available to it. Envoy also supports multiple configurations such as API based configuration, static configuration, and service discovery based configurations.

HAProxy is a microcode optimized load balancer that follows an event driven model. Uses an inverted I/O approach for serving traffic that handles I/O bound workloads like network traffic very fast. However, it does restrict parallelism across multiple computers. To address this, HAProxy allows you to run multiple worker processes, which fork from the HAProxy control process.

Request Handling

Envoy uses an event based model to handle requests. The main thread handles, configuration processing, as well as the server lifecycle. Meanwhile, some worker threads process the request.

Every thread operates around an event loop which is also known as a libevent. All downstream TCP connections and their multiplexed streams are handled by exactly one worker thread for its lifetime. Each worker thread has its pool of TCP connections to upstream servers.

Since HAProxy is a reverse proxy, it handles incoming requests and data before it reaches the server. Acts as a traffic controller, defining where the requests goes, making sure all the information arrive and blocks cyber security threads. The traffic controlling capabilities of HAProxy make it an efficient load balancer.

Modes of Deployment

Envoy functions like any other proxy. It receives requests and directs them to services that are positioned behind it. The 2 methods to deploy Envoy are:

  • Front proxy – behaves similarly to HAProxy, NGINX, or Apache web server. The Envoy server has its IP address and is positioned separately on the network from the services it guards. Internet traffic comes in and is forwarded to several different services that sit behind it.
  • Sidecar Proxy – In this mode of deployment, the Envoy server sits at the same IP address as all the services that it protects. When Envoy is deployed as a sidecar it only has a single instance behind it. The sidecar method intercepts all incoming traffic and optionally all outgoing traffic on behalf of the service instance. Use the IP Table rules to configure the OS to capture and route this traffic to Envoy.

HAProxy runs in two modes: HTTP or TCP. In HTTP mode, it acts as a layer 7 proxy. In TCP mode it acts as a layer 4 proxy. When running in TCP mode, HAProxy has access to the port and IP address that the client is trying to connect to on the backend server. It intercepts information by replacing the server with the target IP address and port. 

Health Check

Envoy supports 3 different types of health checking together as well as some settings like failures required before marking a host healthy, check interval, etc.

  • HTTP health checking Envoy sends an HTTP request to the upstream host. If the host is healthy it gives a 200 response. 
  • gRPC health checking Envoy sends gRPC requests to the upstream hosts. The default expected response for a healthy host is a 200 code.
  • L3/L4 health checks, Envoy sends a configurable byte buffer to the upstream host. If the host is healthy it echoes the byte buffer in the response.

HAProxy supports the following methods of health checking:

  • Agent Checks- where HAProxy connects to an agent program running on the backend server. As a response to the agent health check, the agent program responds with a string of ASCII text that triggers a change in the load balancer.
  • ARP- when you’re load balancing UDP based services through the LB L4 tab, you health check your servers using the ARP (Address Resolution Protocol) to check if a server with a specific IP address exists on the network.
  • ICMP- if you are load balancing UDP based services through the LB Layer 4 tab, you check the health of your servers by pinging them with the ICMP to see if they are operational.
  • TCP – this health check attempts to connect to the server’s TCP port. The check is successful if the server responds with an SYN/ACK packet.

Use Cases

Envoy is a high performance proxy designed for cloud based service architectures. Serves as a standalone proxying layer or as a universal data plane. Ideal for DevOps teams searching for an open source edge and service proxy for cloud based applications.

HAProxy is best suited for use in web applications or websites that expect large amounts of sporadic traffic that might spike. Enterprises, site reliability managers, and IT technicians use HAProxy’s load balancing to minimize downtime.

API Support

Envoy does have a REST API. Envoy’s API receives form-encoded request bodies, replies with JSON-encoded responses, and applies standard HTTP response verbs, authentication, and codes.

HAProxy does not contain an API that you use to modify configurations such as, create backends and frontends. HAProxy’s commercial edition does have a Data Plane API. Which follows its own release schedule and is fully independent from HAProxy’s runtime.

Thank you for reading about Envoy vs HAProxy – What’s the Difference? (Pros and Cons). We shall conclude the article. 

Envoy vs HAProxy – What’s the Difference? (Pros and Cons) Conclusion

Envoy and HAProxy offer unique and valuable features that cater to different needs and requirements. Envoy shines with its advanced features, such as observability, front/edge proxy support, system diagnostics, and L7 routing, making it well suited for cloud native applications and service mesh implementations. On the other hand, HAProxy is an excellent choice for high-traffic websites and web applications, providing handy features like log forwarding, data plane, SSL termination, and service discovery.

When deciding between Envoy and HAProxy, it is crucial to consider the specific use case and infrastructure requirements. While Envoy is ideal for cloud based service architectures and DevOps teams looking for an edge and service proxy, HAProxy excels in managing high traffic web applications or websites with load balancing needs.

Avatar for Dennis Muvaa
Dennis Muvaa

Dennis is an expert content writer and SEO strategist in cloud technologies such as AWS, Azure, and GCP. He's also experienced in cybersecurity, big data, and AI.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x