Understanding Kubernetes Networking: Port-Forward, Envoy Proxy, and Ingress

Kubernetes (K8s) has revolutionized how we deploy, manage, and scale applications. However, understanding how network traffic flows inside and outside the cluster can still be challenging for many developers.
In this post, we’ll explore three important concepts in Kubernetes networking — Port-Forward, Envoy Proxy, and Ingress — and understand how they fit together to enable secure and efficient communication in a Kubernetes environment.

Port-Forward — Quick Access to Pods for Debugging

Port forwarding is the simplest way to access an application running inside a Kubernetes cluster from your local machine.
It allows you to temporarily map a local port to a port inside a Pod, bypassing the need for complex networking configurations.

Example

1
kubectl port-forward pod/my-app-pod 8080:80

This command forwards traffic from your local port 8080 to port 80 of the my-app-pod.
You can now access the application locally using:

1
http://localhost:8080

When to Use

  • Debugging or testing a service inside the cluster.
  • Accessing a Pod that doesn’t expose a Service or Ingress.
  • Temporary local development access.

Limitations

  • Port-forward is not suitable for production.
  • It only works for local, one-off connections.
  • It can become inefficient when multiple Pods or replicas are involved.

Envoy Proxy — The Modern Cloud-Native Proxy

Envoy is a high-performance, open-source edge and service proxy originally developed by Lyft.
It plays a critical role in many service mesh architectures, such as Istio, and is designed to handle observability, load balancing, and security between microservices.

Key Features

  • Layer 7 (HTTP) load balancing
  • Traffic routing and retries
  • Circuit breaking and rate limiting
  • mTLS (mutual TLS) encryption
  • Detailed metrics and tracing

In Kubernetes, Envoy typically runs as a sidecar container alongside your application Pod.
This pattern intercepts all inbound and outbound traffic, enabling fine-grained control over how services communicate.

Example (Sidecar Setup)

A Pod definition with Envoy sidecar might look like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
apiVersion: v1
kind: Pod
metadata:
  name: my-custom-website
spec:
  containers:
  - name: my-custom-pod
    image: localhost:5000/node-web
    ports:
    - name: http
      containerPort: 8080
  - name: envoy
    image: luksa/kubia-ssl-proxy:1.0
    ports:
    - name: https
      containerPort: 8443
    - name: admin
      containerPort: 9901

Use Cases

  • Implementing a service mesh (e.g., Istio, Consul, or Linkerd).
  • Securing inter-service communication with mTLS.
  • Routing and observability in microservice architectures.

Ingress — Managing External Access to Your Services

While Port-Forward and Envoy handle internal traffic, Ingress is how external clients reach your Kubernetes services.
An Ingress is an API object that manages external HTTP and HTTPS access to services inside a cluster.
It acts as an entry point, usually backed by an Ingress Controller such as NGINX, Traefik, or Envoy Gateway.

Example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80

With this configuration, any traffic to http://myapp.example.com will be routed to the Kubernetes Service my-app-service on port 80.

Benefits

  • Centralized control for routing and SSL termination.
  • Simplifies managing multiple services under one domain.
  • Can integrate with external load balancers and DNS.

Things to Note

  • You must install an Ingress Controller (the Ingress resource alone doesn’t route traffic).
  • Configuration and annotations vary between controllers.

Comparison

Component Purpose Typical Use Case
Port-Forward Local access to a Pod Debugging, testing
Envoy Proxy Service-to-service communication Service mesh, mTLS, observability
Ingress External access routing Expose apps to the internet

Each of these components operates at a different layer of the Kubernetes networking stack:

  • Port-Forward → developer convenience
  • Envoy → internal microservice communication
  • Ingress → external user access

Together, they form the foundation of secure and efficient communication in modern Kubernetes deployments.