Features and Benefits

In cloud-native organizations, developers frequently take on responsibility for the full development lifecycle of a service, from development to QA to operations. Emissary was specifically designed for these organizations where developers have operational responsibility for their service(s).

As such, the Emissary is designed to be used by both developers and operators.

Self-Service via Kubernetes Annotations

Emissary is built from the start to support self-service deployments – a developer working on a new service doesn’t have to go to Operations to get their service added to the mesh, they can do it themselves in a matter of seconds. Likewise, a developer can remove their service from the mesh, or merge services, or separate services, as needed, at their convenience. All of these operations are performed via Kubernetes annotations, so it can easily integrate with your existing development workflow.

Flexible canary deployments

Canary deployments are an essential component of cloud-native development workflows. In a canary deployment, a small percentage of production traffic is routed to a new version of a service to test it under real-world conditions. Emissary allows developers to easily control and manage the amount of traffic routed to a given service through annotations. This tutorial covers a complete canary workflow using the Emissary.

Kubernetes-native architecture

Emissary relies entirely on Kubernetes for reliability, availability, and scalability. For example, Emissary persists all state in Kubernetes, instead of requiring a separate database. Scaling the Emissary is as simple as changing the replicas in your deployment, or using a horizontal pod autoscaler.

Emissary uses Envoy for all traffic routing and proxying. Envoy is a modern L7 proxy that is used in production at companies including Lyft, Apple, Google, and Stripe.

gRPC and HTTP/2 support

Emissary fully supports gRPC and HTTP/2 routing, thanks to Envoy’s extensive capabilities in this area. See gRPC and the Emissary for more information.

Istio Integration

Emissary integrates with the Istio service mesh as the edge proxy. In this configuration, Emissary routes external traffic to the internal Istio service mesh. See Istio and the Emissary for details.

Authentication

Emissary supports authenticating incoming requests with a custom authentication service, and Ambassador Edge Stack natively supports OAuth/OpenID Connect, or JWT. When configured, the Ambassador Edge Stack will check with a third party authentication service prior to routing an incoming request. For more information, see the authentication guide.

Rate limiting

Emissary supports rate limiting incoming requests. When configured, the Emissary will check with a third party rate limit service prior to routing an incoming request. For more information, see the rate limiting guide.

Integrated UI

Emissary includes a diagnostics service so that you can quickly debug issues associated with configuring the Emissary. For more information, see running Emissary in Production.