Extending the Proxy Safely
Sometimes you need custom logic in the request path, like a bespoke auth check or header transform. WebAssembly, or Wasm, lets you load that logic into Envoy at runtime without recompiling the proxy.
Why Wasm Fits
- Sandboxed: a Wasm module runs in an isolated sandbox, so a buggy extension cannot crash or corrupt the proxy.
- Language choice: you can write extensions in Rust, Go, or C plus plus and compile to Wasm.
- Dynamic: modules load and update at runtime, pushed like any other mesh config, with no proxy restart.
How a Filter Works
A Wasm module plugs in as an HTTP filter in the request chain. On each request it gets callbacks at points like request headers received or response body ready, where it can inspect, modify, or reject the message.
The Trade Off
Wasm adds flexibility but also overhead per request and a more complex supply chain, since you now build and distribute modules. For logic the mesh already offers natively, prefer configuration. Reach for Wasm when your need is genuinely custom.
Key idea
Wasm lets you load sandboxed, language flexible custom filters into Envoy at runtime, extending proxy behavior safely without recompiling, at the cost of per request overhead.