Envoy · Rate Limits
Envoy Rate Limits
Envoy is open-source software, not a hosted service, so the Envoy project does not impose request limits. Instead, Envoy is itself a tool for enforcing rate limits — operators configure local (token-bucket) and global (rate-limit-service) policies on their own deployments. Limits documented here describe Envoy's role as a rate-limit enforcer rather than as a constrained API.
3 Limits
Throttle: 429
Cloud NativeProxyService MeshRate LimitingOpen Source
Limits
Operator-Configured Local Rate Limit operator-defined
operator-defined (token bucket)
Token-bucket filter applied per route/virtual-host; operator sets max_tokens and tokens_per_fill / fill_interval.
Operator-Configured Global Rate Limit operator-defined
operator-defined (RLS)
Distributed rate limiting via an external Rate Limit Service (RLS); descriptors and limits are defined by the operator.
Admin Endpoint Access local
localhost-only by default
The admin interface is intended to be bound to a non-public address; protect via network controls rather than rate limits.
Policies
Project as Rate-Limit Tool
Envoy is the enforcement point — operators configure their own ingress/egress rate limits using local (in-process) and/or global (RLS-backed) filters.
429 Response Convention
Envoy returns HTTP 429 (Too Many Requests) when configured rate-limit thresholds are exceeded; operators may customize response headers and status code.
Backpressure
At the data-plane level, Envoy supports circuit breakers, connection pool limits, and retry budgets in addition to rate limiting.