Choosing between Envoy and HAProxy isn't just about picking a proxy server. It's about deciding which tool will handle your traffic, balance your loads, and keep your services running when everything else wants to crash.
If you're a DevOps engineer or system admin weighing these options, you're in the right place.
Origin and Evolution: The History Behind Envoy and HAProxy
HAProxy (High Availability Proxy) entered the scene in 2006, created by Willy Tarreau as a free, open-source TCP/HTTP load balancer designed for high availability systems.
With over 15 years of production hardening, it's become the go-to solution for many major websites. Written in C for performance reasons, HAProxy focuses on stability and reliability above all.
Envoya arrived a decade later in 2016, developed by Matt Klein at Lyft to solve the challenges of service-to-service communication in their microservices architecture. Envoy was built from the ground up to be a universal data plane for service mesh architectures.
In 2017, it was donated to the Cloud Native Computing Foundation (CNCF), joining Kubernetes as a CNCF project. Written in C++, Envoy puts extensibility and modern architectures at the forefront.
💡
If you're managing infrastructure, it's also worth brushing up on essential Unix commands that make day-to-day troubleshooting easier.
Core Architecture: Fundamental Design Differences
HAProxy's Event-Driven Single-Thread Architecture
HAProxy implements a single-threaded, event-driven architecture with process-per-core scaling. This design choice has significant implications:
- Process Isolation: Each HAProxy instance operates independently, preventing issues in one process from affecting others
- Non-blocking I/O: Uses event-driven polling (epoll on Linux) to handle thousands of connections without thread context switching
- Minimal Memory Overhead: Each connection consumes approximately 8KB of RAM
- Deterministic Resource Usage: Predictable CPU and memory usage even under heavy loads
- Zero-Copy Forwarding: Direct memory-to-memory data transfers without redundant copies
- Connection Buffers: Configurable buffer sizes to optimize memory usage
- Configuration Updates: Requires a soft restart (though seamless with proper setup) to apply new configurations
Envoy's Multi-Threaded Modern Architecture
Envoy takes a fundamentally different architectural approach with important implications:
- Single-Process Multi-Threading: Runs as a single process with multiple worker threads that share connection and state data
- Threading Model: Typically runs one worker thread per CPU core, each processing separate connections
- Hot Restart Mechanism: Can reload configuration without dropping connections—a key feature for production environments
- Dynamic Configuration: Supports real-time configuration updates via API without restarts
- Control Plane Integration: Uses xDS (discovery service) APIs for service discovery, load balancing policy updates, and route changes
- Filter Chain: Modular processing pipeline where each network or HTTP connection passes through configurable filters
- Extensibility: Both built-in and custom filters can be added to the processing pipeline
💡
When choosing between Envoy and HAProxy, understanding how each handles API latency can make a real difference in performance tuning.
Performance Analysis: Throughput, Latency, and Resource Utilization
Let's analyze the performance characteristics of both proxies based on benchmarks and production deployments:
| Performance Metric | HAProxy | Envoy | Notes |
|---|---|---|---|
| HTTP requests/sec (single core) | 40K-50K | 35K-45K | HAProxy has slight edge in raw HTTP throughput |
| HTTP/2 performance | Good | Excellent | Envoy optimized for HTTP/2 from the start |
| gRPC performance | Limited | Excellent | Envoy has native gRPC support |
| TCP connection rate | Up to 100K conn/sec | Up to 70K conn/sec | HAProxy excels at TCP connection handling |
| Connection overhead | ~2.5KB per connection | ~5KB per connection | HAProxy more memory-efficient per connection |
| Latency (P99) | Very low (sub-ms) | Low (1-2ms) | Both have excellent latency characteristics |
| CPU efficiency | Extremely high | High | HAProxy uses less CPU for equivalent workloads |
| Base memory footprint | ~20-30MB | ~40-60MB | HAProxy has smaller initial memory footprint |
| Memory scaling | Linear, very efficient | Linear, efficient | Both scale well with connection count |
Performance Considerations in Production Environments
- CPU Utilization: HAProxy typically uses 10-20% less CPU for equivalent HTTP workloads compared to Envoy
- Memory Usage Patterns:
- HAProxy: Base ~30MB + ~2.5KB per connection
- Envoy: Base ~50MB + ~5KB per connection
- Connection Scaling: Both handle tens of thousands of connections per instance but HAProxy tends to be more efficient at pure connection handling
- Protocol Impact:
- For HTTP/1.1: HAProxy generally outperforms
- For HTTP/2 & gRPC: Envoy often outperforms
- TLS Termination: Both perform similarly with modern OpenSSL, but HAProxy has a slight edge in pure TLS handshaking rate
- Hot Reload Impact:
- HAProxy: Brief spike in resource usage during reload
- Envoy: Smoother resource transition with its hot restart
Practical Production Measurements
Based on production deployments handling similar traffic patterns (10K req/sec with 5KB average payload):
- HAProxy: ~15% CPU (single core), ~200MB RAM
- Envoy: ~18% CPU (single core), ~280MB RAM
These differences become more pronounced at scale, but both proxies are highly optimized and suitable for production workloads.
💡
Whichever proxy you choose, keeping an eye on system health matters—here’s a quick guide to Ubuntu performance monitoring that might come in handy.
Feature Comparison: Capabilities and Extensions
HAProxy's Core Feature Set and Capabilities
HAProxy offers a robust set of features focused on reliability and performance:
- Protocol Support:
- HTTP/1.0, HTTP/1.1 with full keep-alive support
- HTTP/2 (since version 2.0)
- TCP proxying with byte-level manipulation
- WebSockets (with limitations)
- FastCGI
- Load Balancing Algorithms:
- Round robin (static and dynamic)
- Least connections
- Source IP hash (for session stickiness)
- URI hash
- URL parameter
- Header-based routing
- Random with weighting support
- Health Checking:
- Active health checks with configurable intervals
- Passive health checks (observing backend failures)
- Customizable health check methods and expected responses
- Rise/fall thresholds for stability
- Traffic Management:
- ACL-based traffic routing with complex condition support
- Rate limiting capabilities
- Connection limiting per backend
- Queuing with configurable timeouts
- Stick tables for tracking and persistence
- HTTP rewriting and redirection
- Security Features:
- TLS termination with SNI support
- Client certificate authentication
- HTTP basic auth
- IP allowlisting/blocklisting
- Connection limiting for DDoS mitigation
- CORS header management
- Monitoring:
- Built-in stats page with detailed metrics
- Prometheus exporter
- Syslog integration
- Custom log formats
Envoy's Advanced Feature Set and Extensions
Envoy provides a modern feature set designed for cloud-native environments:
- Protocol Support:
- HTTP/1.1 with keep-alive
- HTTP/2 (first-class support)
- HTTP/3 (QUIC)
- gRPC (native support with advanced features)
- TCP proxying
- UDP proxying
- WebSockets (first-class support)
- MongoDB, Redis, and DynamoDB filters
- Advanced Load Balancing:
- Zone-aware load balancing
- Locality-weighted load balancing
- Subset load balancing
- Circuit breaking
- Outlier detection (automatic removal of failing endpoints)
- Health-aware load balancing
- Least request, ring hash, random, Maglev consistent hashing
- Traffic Management:
- Request hedging
- Request mirroring
- Retry policies with backoff
- Timeout configuration at multiple levels
- Traffic shifting
- Request shadowing
- Rate limiting service integration
- Fault injection for testing
- Observability:
- Detailed distributed tracing integration (Zipkin, Jaeger, etc.)
- Statsd compatible metrics
- Prometheus integration
- Access logging with customizable formats
- Request/response header logging
- gRPC-JSON transcoder
- Security Features:
- Role-Based Access Control (RBAC)
- JWT authentication
- External auth service integration
- TLS inspector
- Original source IP preservation
- TLS/mTLS termination
- Service Mesh Features:
- First-class Istio integration
- xDS API for dynamic configuration
- Service discovery integration
- Metadata exchange
- Tap filter for traffic capture
- Extension Framework:
- WebAssembly (Wasm) extensions
- Custom filter support
- Lua scripting
- External processing filter
These feature sets demonstrate the different focuses of the two proxies: HAProxy aims for performance, stability, and battle-tested features, while Envoy targets modern architectures with extensive integrations and programmability.
💡
If observability is a key factor in your proxy decision, this explainer on auto-instrumentation breaks down how to get visibility without manual effort.
When to Choose Each
HAProxy Optimal Use Cases and Deployment Scenarios
HAProxy excels in these specific environments and workloads:
- High-Performance Edge Proxy Requirements:
- Public-facing websites requiring maximum throughput
- E-commerce platforms during high-traffic events (Black Friday, etc.)
- Content delivery networks where every millisecond counts
- Gaming backends requiring minimal latency
- Enterprise Load Balancing:
- Traditional multi-tier applications
- Enterprise Java application servers (Tomcat, JBoss, WebLogic)
- Oracle/SQL database load balancing
- Legacy application infrastructures
- Resource-Constrained Environments:
- IoT gateways with limited CPU/memory
- Embedded systems requiring proxying capabilities
- Edge computing with hardware limitations
- Budget-conscious deployments need maximum efficiency
- Stable, Infrequently Changing Infrastructure:
- Traditional deployment models with planned maintenance windows
- Systems with static backend configurations
- Environments where configuration changes follow change management processes
- Production systems requiring maximum stability
- TCP-Heavy Workloads:
- Database connection pooling (MySQL, PostgreSQL)
- SMTP/mail server load balancing
- Custom binary protocols
- LDAP and authentication services
Envoy Optimal Use Cases and Deployment Scenarios
Envoy is the better choice for these modern architectures and requirements:
- Kubernetes and Container Orchestration:
- Kubernetes ingress controllers (such as Contour)
- Service mesh implementations (Istio, Consul Connect)
- Container-to-container communication
- Dynamic scaling environments with frequent changes
- Microservices Architectures:
- East-west traffic (service-to-service) management
- Polyglot microservices with multiple protocols
- Systems requiring advanced retry mechanisms
- Circuit breaking and fault tolerance requirements
- Modern API Gateways:
- gRPC API management
- GraphQL server proxying
- API versioning and traffic splitting
- Backend for frontend (BFF) patterns
- Observability-Focused Organizations:
- Distributed tracing implementations
- Organizations with centralized logging requirements
- Teams leveraging metrics-driven autoscaling
- Complex debugging scenarios requiring traffic capture
- Multi-Region/Multi-Cloud Deployments:
- Global load balancing implementations
- Cross-region traffic management
- Locality-aware routing requirements
- Cloud migration strategies
Hybrid Approaches: Using Both Together
Many organizations leverage both proxies for their respective strengths:
- HAProxy at the edge/ingress for maximum performance
- Envoy for service mesh and service-to-service communication
- HAProxy for stable, known workloads
- Envoy for dynamic, cloud-native applications
💡
Running a proxy at scale? It helps to know what happens when memory runs out—this piece on OOM (Out of Memory) covers the basics.
Configuration Approach: Syntax and Management Differences
HAProxy's Configuration Approach and Management
HAProxy uses a custom, domain-specific configuration language with several key characteristics:
- Structure: Organized into clear sections (global, defaults, frontend, backend, listen)
- Syntax: Line-based configuration with simple key-value pairs
- Inheritance: Configs cascade from defaults to specific sections
- Variables: Limited variable support using ACLs and maps
- Readability: Designed for human readability with minimal nesting
- Validation: Strong built-in config validation with detailed error messages
- Size: Typical configs range from dozens to hundreds of lines
- Learning Curve: Moderate, with straightforward syntax but many options
Envoy's Configuration Approach and Management
Envoy utilizes a structured YAML or JSON format with a significantly different approach:
- Structure: Based on typed resources (listeners, clusters, routes, etc.)
- Syntax: Hierarchical with extensive nesting
- Dynamic Configuration: First-class support for API-based configuration via xDS
- Extensibility: Plugin system for custom filters and extensions
- Format: Deep nesting with references between components
- Readability: More verbose, requiring good tooling for management
- Size: Typical configs range from hundreds to thousands of lines
- Learning Curve: Steeper, with complex interconnected components
Configuration Management Approaches
Both proxies offer tools for configuration management, but with different philosophies:
- HAProxy:
- Command-line validation tools
- DataPlane API (REST API) for dynamic configuration
- Config templating with environment variables
- Integration with configuration management tools (Ansible, Chef, etc.)
- HAProxy Enterprise UI for visual configuration
- Envoy:
- xDS API suite for dynamic configuration
- API-first design for programmatic control
- Integration with service mesh control planes
- Hot restart capability for zero-downtime reloads
- Admin interface for runtime configuration inspection
Visibility into Traffic and Performance
HAProxy's Monitoring and Observability Features
HAProxy provides several built-in monitoring capabilities that make it popular among operators:
- Stats Page: Built-in HTML dashboard showing real-time metrics including:
- Frontend/backend status
- Server Health
- Connection rates and counts
- Error rates
- HTTP response code distribution
- Queue length
- Session rate
- Server response times
- Prometheus Integration:
- Official Prometheus exporter
- Comprehensive metrics exposure
- Ready-made Grafana dashboards
- Logging Capabilities:
- Highly customizable log formats
- Syslog integration
- Log sampling rates
- Request/response capture for debugging
- HTTP header logging
- Runtime API:
- Socket-based admin interface
- Runtime server enabling/disabling
- Weight adjustment during operation
- Real-time traffic inspection
- Health check forcing
💡
Fix production proxy server issues instantly—right from your IDE, with AI and Last9 MCP.
Envoy's Advanced Observability Ecosystem
Envoy was designed with observability as a first-class concern, offering more extensive capabilities:
- Statsd Integration:
- Built-in statsd and statsd-compatible metrics
- Configurable tagging
- Cluster, endpoint, and listener metrics
- Circuit breaker statistics
- Runtime metrics
- Distributed Tracing:
- Native integration with Zipkin, Jaeger, Datadog
- OpenTelemetry support
- Trace propagation across services
- Sampling configuration
- Span enrichment
- Access Logging:
- Customizable formatting (text or JSON)
- Multiple sink types (file, gRPC, HTTP)
- Conditional logging based on request properties
- Rate-limited logging
- Downstream and upstream logging
- Admin Interface:
- HTTP admin endpoint (default at port 9901)
- Runtime configuration viewing and modification
- Server info and config dump
- Logging level adjustment
- Memory profiling
Monitoring Integration Comparison
| Monitoring Feature | HAProxy | Envoy |
|---|---|---|
| Built-in metrics dashboard | Yes, comprehensive stats page | Yes, limited admin interface |
| Prometheus integration | Via exporter | Native |
| Grafana dashboards | Community-provided | Official and community |
| Log formats | Customizable, syslog | Highly customizable, multiple sinks |
| Distributed tracing | Third-party integration | First-class support |
| Health check metrics | Detailed | Comprehensive |
| Latency metrics | Backend response time | Detailed request stages |
| Runtime metric adjustment | Yes, via socket | Yes, via admin interface |
| TLS metrics | Limited | Comprehensive |
| Connection draining visibility | Yes | Yes, with more detail |
Security Features and Considerations
HAProxy Security Features and Capabilities
HAProxy provides robust security features centered around defense-in-depth principles:
- TLS/SSL Management:
- TLS termination and offloading
- SNI (Server Name Indication) support
- Modern cipher suite configuration
- OCSP stapling
- Certificate-based authentication
- Access Control:
- Flexible ACL system
- IP allowlisting/blocklisting
- Geolocation-based restrictions (with additional maps)
- Request rate limiting
- Connection limiting per source IP
- Attack Mitigation:
- HTTP request validation
- Buffer overflow protection
- Timeout configurations for various stages
- HTTP/2 security settings
- Broken header detection
- Authentication Options:
- HTTP Basic authentication
- Client certificate validation
- External authentication service integration
- OAuth integration (via LUA)
💡
Working with proxies often means jumping into the terminal—this Linux commands cheat sheet keeps the essentials close.
Envoy Security Architecture and Features
Envoy takes a more programmatic approach to security with a focus on zero-trust architectures:
- TLS Management:
- TLS 1.2 and 1.3 support
- Dynamic certificate rotation
- Multiple certificate configs for SNI
- Certificate validation with advanced options
- Automatic certificate rotation
- Authentication Mechanisms:
- JWT Authentication filter
- External Authentication service (gRPC/HTTP)
- Role-Based Access Control (RBAC)
- mTLS authentication for service-to-service communication
- OAuth integration
- Network Security:
- Automatic request sanitization
- HTTP/2 protocol validation
- Rate limiting service integration
- IP address tagging
- Original client IP preservation
- Advanced Features:
- Header sanitization
- Request validation service
- Secure inspection of TLS traffic (with mTLS)
- Fine-grained traffic policies
- Threat detection with WAF integration
Security Feature Comparison
| Security Feature | HAProxy | Envoy |
|---|---|---|
| TLS termination | Strong support | Strong support |
| mTLS for services | Limited, complex setup | Native, first-class |
| Certificate rotation | Manual process | Dynamic support |
| Rate limiting | Built-in | Via rate limit service |
| WAF integration | Via SPOE or third-party | Via external filter |
| Authentication | Basic, custom via LUA | JWT, external service |
| RBAC | Not built-in | Native support |
| Request validation | Via ACLs | Via validation service |
| DOS protection | Built-in rate limiting | External rate limit service |
| Header sanitization | Manual configuration | Built-in capabilities |
Support, Development, and Integration
HAProxy Community and Ecosystem
HAProxy has established a mature community and ecosystem over its long history:
- Community Support:
- Active mailing list
- Stack Overflow presence
- GitHub repository with active issues
- Regular community conferences
- Extensive official documentation
- Commercial Support:
- HAProxy Technologies offers enterprise support
- HAProxy Enterprise with additional features
- Professional services and training
- 24/7 production support options
- Long-term support releases
- Release Cadence:
- Major releases approximately once per year
- Maintenance releases throughout the year
- Long-term support for enterprise customers
- Stability-focused development approach
- Conservative feature addition
- Integration Ecosystem:
- Kubernetes ingress controller
- Official Docker images
- Configuration management tools integration (Ansible, Chef, Puppet)
- Service discovery integrations (Consul, etcd)
- Cloud provider templates
Envoy Community and Ecosystem
Envoy has built a different type of ecosystem as a CNCF graduated project:
- Community Support:
- Active Slack channel
- GitHub repository with a vibrant community
- Regular EnvoyCon conferences
- CNCF backing
- Growing documentation
- Commercial Support:
- Multiple vendors providing Envoy-based solutions
- No single commercial entity
- Support through service mesh providers (Istio, Consul, etc.)
- Cloud provider support
- Release Cadence:
- Quarterly major releases
- Feature-focused development
- Rapid evolution
- API versioning for compatibility
- Deprecation policy for breaking changes
- Integration Ecosystem:
- Core component of multiple service mesh implementations
- Native Kubernetes integration
- Cloud-native architecture focus
- xDS API for third-party control planes
- WebAssembly extension ecosystem
💡
Choosing the right proxy is just part of the story—this guide on log retention helps you plan for what comes after.
Ecosystem Comparison
| Ecosystem Aspect | HAProxy | Envoy |
|---|---|---|
| Project Age | Since 2006 | Since 2016 |
| Governance | Corporate-led | CNCF project |
| Documentation | Comprehensive, mature | Growing, improving |
| Third-party extensions | LUA, SPOE | Filters, WebAssembly |
| Service mesh integration | Limited | Extensive |
| Kubernetes native | Via ingress controller | Core component |
| Commercial offerings | Single vendor | Multiple vendors |
| Control plane options | Limited | Extensive |
| Community size | Large, established | Large, growing |
| Enterprise adoption | Widespread | Growing rapidly |
Decision Framework: Choosing Between Envoy and HAProxy
When choosing between Envoy and HAProxy, consider these key decision factors:
Technical Requirements Assessment
- Performance Requirements:
- Choose HAProxy if: Raw HTTP/TCP throughput and minimal resource usage are your top priorities
- Choose Envoy if: You need advanced load-balancing features and can afford slightly higher resource usage
- Protocol Support Needs:
- Choose HAProxy if: Your workloads are primarily HTTP/1.x and TCP
- Choose Envoy if: You need HTTP/2, gRPC, and WebSockets with first-class support
- Observability Requirements:
- Choose HAProxy if: Basic metrics and logging meet your needs
- Choose Envoy if: Distributed tracing and detailed observability are critical
- Configuration Complexity Tolerance:
- Choose HAProxy if: You prefer a simpler, text-based configuration
- Choose Envoy if: You're comfortable with more complex YAML but need greater flexibility
Environment and Architecture Compatibility
- Deployment Context:
- Choose HAProxy if: You're in a traditional infrastructure with static backends
- Choose Envoy if: You're running containers, Kubernetes, or microservices
- Scaling Patterns:
- Choose HAProxy if: You scale vertically or with static scaling patterns
- Choose Envoy if: You use dynamic auto-scaling and need runtime reconfiguration
- Control Plane Integration:
- Choose HAProxy if: You manage configuration manually or with configuration management tools
- Choose Envoy if: You want a programmable proxy integrated with service mesh control planes
- Security Requirements:
- Choose HAProxy if: Traditional security controls are sufficient
- Choose Envoy if: You need zero-trust security models and service-to-service authentication
Organizational Factors
- Team Experience:
- Choose HAProxy if: Your team has experience with traditional load balancers
- Choose Envoy if: Your team is familiar with cloud-native technologies
- Support Requirements:
- Choose HAProxy if: You need commercial support from a single vendor
- Choose Envoy if: You're comfortable with community support or multiple vendors
- Roadmap Alignment:
- Choose HAProxy if: Stability and predictability are most important
- Choose Envoy if: Rapid feature development and cloud-native integration are priorities
Final Thoughts
The Envoy vs HAProxy decision comes down to your specific needs:
- HAProxy excels at: High performance, resource efficiency, stability, and straightforward configuration
- Envoy excels at: Modern protocols, observability, dynamic configuration, and service mesh integration
Both tools are excellent at what they do. Your architecture, team skills, and future growth plans should guide your choice more than any general recommendation.
💡
Drop a comment in our Discord community about which one you're using and why — we'd love to hear about your experiences!
