
The Sidecar Proxy and Envoy

How a proxy deployed next to each service intercepts all traffic transparently.


The Sidecar Pattern

A sidecar is a helper process deployed alongside your application, sharing its network namespace. In a mesh, the sidecar is a proxy that intercepts every inbound and outbound connection. The most common sidecar proxy is Envoy.

How Interception Works

  • Traffic from the app is redirected to the local proxy, often using iptables rules.
  • The proxy applies policy such as encryption, retries, and routing.
  • The app itself is unaware that a proxy sits in the path.

This transparency is the magic. Developers write plain HTTP or gRPC calls, and the sidecar adds reliability and security underneath.
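An added example, not part of the original lesson: a small Python audit over a constructed `iptables-save -t nat` dump that checks whether outbound traffic really is redirected to the local proxy and lists the rules that let traffic skip it. The chain names, proxy port 15001, proxy UID 1337 and excluded port 3306 are assumed sample values.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output from a pod with a sidecar.
# Assumed values: proxy listens on 15001 and runs as UID 1337.
SAMPLE_NAT = """\
*nat
:OUTPUT ACCEPT [0:0]
:PROXY_OUTPUT - [0:0]
:PROXY_REDIRECT - [0:0]
-A OUTPUT -p tcp -j PROXY_OUTPUT
-A PROXY_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN
-A PROXY_OUTPUT -p tcp -m tcp --dport 3306 -j RETURN
-A PROXY_OUTPUT -j PROXY_REDIRECT
-A PROXY_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
"""

def parse_chains(nat_dump):
    """Map chain name -> list of rules, each rule a list of tokens."""
    chains = {}
    for line in nat_dump.splitlines():
        if line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains

def audit_outbound(nat_dump, proxy_port, start="OUTPUT"):
    """Return (redirected, exemptions) for traffic leaving the app.

    Simplification: every RETURN/ACCEPT rule reachable from `start` is
    reported; rule ordering and built-in chain policies are not modelled.
    """
    chains = parse_chains(nat_dump)
    state = {"redirected": False, "exemptions": []}

    def walk(chain, seen):
        for rule in chains.get(chain, []):
            if "-j" not in rule:
                continue
            j = rule.index("-j")
            match, target, args = rule[:j], rule[j + 1], rule[j + 2:]
            if target in ("RETURN", "ACCEPT"):      # traffic that skips the proxy
                state["exemptions"].append(" ".join(match) or "<all traffic>")
            elif target == "REDIRECT" and args[:2] == ["--to-ports", str(proxy_port)]:
                state["redirected"] = True
            elif target in chains and target not in seen:
                walk(target, seen | {target})       # follow jump into a user chain

    walk(start, {start})
    return state["redirected"], state["exemptions"]
```

The UID exemption is what stops the proxy's own outbound connections from looping back into itself, so it also means anything else running as that UID is not intercepted; each listed exemption is a path where the mesh's encryption and policy do not apply.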

Why Envoy

Envoy is a high-performance proxy built for this role. It speaks HTTP, HTTP/2, and gRPC, exposes rich metrics, and accepts configuration over a streaming API so the control plane can update it live.

The Cost

Each sidecar uses memory and CPU and adds a small hop of latency. Across thousands of pods that adds up, which is why teams tune proxy resources carefully and why sidecarless designs are emerging.

Key idea

A sidecar proxy like Envoy sits beside each service and transparently intercepts its traffic, adding security and reliability without changing app code.

Check yourself


1. How does a sidecar proxy intercept application traffic?

2. Which proxy is most commonly used as a mesh sidecar?