envoyproxy · shawnh2 · May 10, 2025 · May 6, 2025 · May 8, 2025 · May 8, 2025
@@ -16,6 +16,7 @@ A Backend resource can be used to:
 - Expose a Service or Pod that should not be accessible
 - Reference a Service or Pod by a Route without appropriate Reference Grants
 - Expose the Envoy Proxy localhost (including the Envoy admin endpoint)
+- When configured as the `DynamicResolver` type, it can route traffic to any destination, effectively exposing all potential endpoints to clients. This can introduce security risks if not properly managed.
 
 For these reasons, the Backend API is disabled by default in Envoy Gateway configuration. Envoy Gateway admins are advised to follow [upstream recommendations][] and restrict access to the Backend API using K8s RBAC.
 
@@ -195,6 +196,103 @@ Send a request and view the response:
 curl -I -HHost:www.example.com http://${GATEWAY_HOST}/headers
 ```
 
+### Dynamic Forward Proxy
+
+Envoy Gateway can be configured as a dynamic forward proxy using the [Backend][] API by setting its type to `DynamicResolver`.
+This allows Envoy Gateway to act as an HTTP proxy without needing prior knowledge of destination hostnames or IP addresses,
+while still maintaining its advanced routing and traffic management capabilities.
+
+Under the hood, Envoy Gateway uses the Envoy [Dynamic Forward Proxy](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_proxy)
+to implement this feature.
+
+In the following example, we will create a `HTTPRoute` that references a `Backend` resource of type `DynamicResolver`.
+This setup allows Envoy Gateway to dynamically resolve the hostname in the request and forward the traffic to the original
+destination of the request.
+
+Note: the TLS configuration in the following example is optional. It's only required if you want to use TLS to connect
+to the backend service. The example uses the system well-known CA certificate to validate the backend service's certificate.
+You can also use a custom CA certificate by specifying the `caCertificate` field in the `tls` section.
+
+{{< tabpane text=true >}}
+{{% tab header="Apply from stdin" %}}
+
+```shell
+cat <<EOF | kubectl apply -f -
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: dynamic-forward-proxy
+spec:
+  parentRefs:
+    - name: eg
+  rules:
+    - backendRefs:
+      - group: gateway.envoyproxy.io
+        kind: Backend
+        name: backend-dynamic-resolver
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: backend-dynamic-resolver
+spec:
+  type: DynamicResolver
+  tls:
+    wellKnownCACertificates: System
+EOF
+```
+
+{{% /tab %}}
+{{% tab header="Apply from file" %}}
+Save and apply the following resources to your cluster:
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: dynamic-forward-proxy
+spec:
+  parentRefs:
+    - name: eg
+  rules:
+    - backendRefs:
+      - group: gateway.envoyproxy.io
+        kind: Backend
+        name: backend-dynamic-resolver
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: backend-dynamic-resolver
+spec:
+  type: DynamicResolver
+  tls:
+    wellKnownCACertificates: System
+```
+
+{{% /tab %}}
+{{< /tabpane >}}
+
+Get the Gateway address:
+
+```shell
+export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')
+```
+
+Send a request to `gateway.envoyproxy.io` and view the response:
+
+```shell
+curl -HHost:gateway.envoyproxy.io http://${GATEWAY_HOST}
+```
+
+You can also send a request to any other domain, and Envoy Gateway will resolve the hostname and route the traffic accordingly:
+
+```shell
+curl -HHost:httpbin.org http://${GATEWAY_HOST}/get
+```
+
 [Backend]: ../../../api/extension_types#backend
 [routing to cluster-external backends]: ./../../tasks/traffic/routing-outside-kubernetes.md
 [BackendObjectReference]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendObjectReference