Key Takeaways
- Forward proxy: sits in front of clients (VPN, corporate firewall, privacy); Reverse proxy: sits in front of servers (load balancing, SSL, caching)
- A reverse proxy is essentially what most people mean by 'load balancer': Nginx, HAProxy, Envoy
- Service mesh (Istio/Envoy) is a proxy infrastructure for microservices that handles routing, security, observability
- API Gateways are specialized reverse proxies with auth, rate limiting, and API management
Forward vs Reverse Proxy
A proxy is an intermediary that sits between clients and servers. The direction determines the type: a forward proxy acts on behalf of clients (hiding client identity), a reverse proxy acts on behalf of servers (hiding server infrastructure).
In system design, you'll almost always work with reverse proxies; Nginx, Envoy, and Traefik are the most common.
Proxy Types
| Type | Sits in front of | Purpose | Examples |
|---|---|---|---|
| Forward Proxy | Clients | Privacy, access control, caching for clients | Squid, corporate firewalls, VPN |
| Reverse Proxy | Servers | Load balancing, SSL termination, caching, compression | Nginx, HAProxy, Envoy, Traefik |
| API Gateway | API servers | Auth, rate limiting, request transformation, analytics | Kong, AWS API Gateway, Apigee |
| Service Mesh Sidecar | Each microservice | mTLS, retries, circuit breaking, observability | Envoy (Istio), Linkerd |
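The reverse-proxy row of the table in one configuration, as an added example that is not part of the original page: a minimal Nginx server block that terminates TLS, load-balances across two backends, compresses text responses and caches anonymous GETs. Backend addresses, the hostname and the certificate paths are placeholders.

```nginx
# Added example: Nginx as a reverse proxy doing the jobs listed in the table.
# Addresses, hostname and certificate paths are placeholders for your own.

upstream app_backend {
    least_conn;                                           # route new connections to the least-busy backend
    server 10.0.1.10:8080 max_fails=3 fail_timeout=30s;   # placeholder backend
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;   # placeholder backend
}

# Cache storage: small key zone, bounded on-disk size, entries expire when unused
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m max_size=1g inactive=10m;

server {
    listen 443 ssl;
    server_name app.example.com;                          # placeholder hostname

    # TLS termination: clients speak TLS to the proxy, backends see plain HTTP
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Compression for text-like responses
    gzip on;
    gzip_types text/plain text/css application/json application/javascript;

    # Hide server infrastructure details from clients
    server_tokens off;
    proxy_hide_header X-Powered-By;

    location / {
        proxy_pass http://app_backend;
        proxy_http_version 1.1;

        # Tell the backend who the real client is and how the request arrived.
        # $proxy_add_x_forwarded_for appends to any client-supplied header, so
        # the backend should trust only the last entry (the one this proxy added).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache successful responses briefly, but never serve a cached copy of
        # an authenticated response to another client
        proxy_cache        app_cache;
        proxy_cache_valid  200 5m;
        proxy_cache_bypass $http_authorization;
        proxy_no_cache     $http_authorization;
    }
}
```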
Service Mesh Deep Dive
A service mesh is a dedicated infrastructure layer for handling service-to-service communication. Each service gets a sidecar proxy (Envoy) that handles all network traffic: encryption, retries, circuit breaking, load balancing, observability.
Think of it as moving network logic out of application code into infrastructure.
Data Plane: Envoy proxies deployed as sidecars alongside every service pod. Handle all inbound/outbound traffic.
Control Plane: istiod manages configuration, certificate rotation, and service discovery. Pushes routing rules to all Envoy proxies.
Use when: you have 20+ microservices, need mTLS everywhere, want uniform observability without changing code.
Don't use when: you have <10 services, latency overhead is unacceptable, team doesn't have Kubernetes expertise.
Advantages
- Reverse proxies add security, caching, and compression
- Service mesh provides uniform network policies
- Decouples networking logic from application code
Disadvantages
- Every proxy hop adds latency
- Service mesh adds significant operational complexity
- Debugging through proxy layers is harder
Test Your Understanding
Which type of proxy sits in front of backend servers?