Thank you. Honestly, if I had the right to give you my opinion, I'd just advise you to go back to full custom Go-based proxies, regardless of how overwhelming that might sound. Octelium itself still does use Envoy as an ingress for the BeyondCorp mode to route to the intended Service based on the FQDN. However, Envoy, as great as it is for ingress and HTTP-based service mesh purposes, especially when it comes to memory/CPU usage under huge load conditions, really shows weakness when it comes to building generic multi-L7-protocol-aware (e.g. HTTP, SSH, Postgres, MySQL, RDP, etc.) IaPs, where you need to understand L7 for each of these protocols to provide access control, modifications to the protocol-specific messages and L7-aware visibility. The amount of work you need to do in ext_proc, ext_authz, proxy-wasm, etc. is just ridiculous and error-prone due to the extra round trips, yet it is equivalent to what you could have done if you owned the entire data plane yourself.