Envoy

Envoy is the proxy that powers the modern service mesh. Originally built at Lyft, it handles L4/L7 traffic management, load balancing, observability, and TLS termination for microservices at massive scale. Istio, Ambassador, and Gloo all sit on top of Envoy.

If you're building a platform team managing traffic between services, Envoy is the building block. NGINX is the traditional reverse proxy — simpler, battle-tested, but less dynamic. HAProxy excels at pure load balancing with lower overhead. Traefik is the Kubernetes-native alternative with auto-discovery. Commercially, cloud load balancers (AWS ALB, GCP LB) handle most use cases without running your own proxy.

The hot-reload configuration (via xDS APIs) is what sets Envoy apart. Change routing rules without restarting the proxy. That's critical at scale.

The catch: Envoy is infrastructure for infrastructure teams. The configuration is verbose and complex. You'll likely use it through a higher-level tool (Istio, Ambassador) rather than configuring it directly. Running Envoy raw requires deep networking knowledge, and the C++ codebase means custom extensions aren't casual weekend projects.