Could we loose Backend endpoints IP loopback validation ?

[wengyao04]

Description:

Describe the desired behavior, what scenario it enables and how it
would be used.

Hi, we are using Envoy Gateway (EG) to manage traffic between our on-prem and public cloud services. However, in our internal network setup, we have a restriction that disable direct access to public cloud environments without routing traffic through an internal HTTP proxy.

The traffic flow is
client->envoy->[proxy2]->exampleorg.com

The issue is similar to envoyproxy/envoy#21175, where a loopback is required for tcp tunneling. We follow their solution to reach public cloud services.

After we upgrade EG, we find that the Backends IP loopback validation is added https://github.com/envoyproxy/gateway/blob/main/internal/gatewayapi/backend.go#L61-L63 which prevents us to create a loopback backend. Could we loose the Backend endpoints IP loopback validation ?

Your advice would be greatly appreciated.
Thank you!

[optional Relevant Links:]

Any extra documentation required to understand the issue.

[zirain]

cc @guydc

[guydc]

Hi @wengyao04. Maybe you can use something like this: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/#adding-additional-entries-with-hostaliases to create a 127.0.0.1 alias that passes our validations (e.g. custom.local) then route to it in your backend. You'll probably need to patch the envoy deployment using EnvoyProxy CR.