Integration of WAF with Envoy Gateway #8077
Unanswered
manikantas45 asked this question in Q&A
Replies: 0 comments
Hi Envoy Community,
I’m exploring options for enabling a Web Application Firewall (WAF) at the Envoy Gateway or Envoy proxy level in the open-source ecosystem (without relying on proprietary/enterprise-only distributions). Before embarking on custom solutions, I wanted to gather community insights:
- Current status of open-source WAF support in plain Envoy/Envoy Gateway:
  - I know Tetrate Enterprise Gateway (TEG) includes a Coraza-based WAF integration that attaches a WAF filter via ExtendedSecurityPolicy and custom Envoy images.
  - However, this currently appears tied to the enterprise distribution rather than core upstream Gateway.
  - Is there upstream work or proposals to bring WAF support (e.g., Coraza or other OSS WAFs) as a first-class feature in Envoy Gateway?
  - Has the GitHub repo received RFCs, design docs, or roadmap discussions about WAF integration?
  - Are there community preferences (e.g., WASM modules, filters, ext_authz integrations) for this?
- Alternative OSS approaches for WAF with Envoy/Envoy Gateway:
  - For example, integration with open-appsec as a sidecar/WAF filter is mentioned as alpha support for Envoy Gateway.
  - Or using EnvoyFilter / ext_authz to attach an external WAF process (e.g., Coraza, Signal Sciences, Fastly Next-Gen WAF).
  - Are there best practices or sample configurations for these patterns?
- Performance and architectural trade-offs:
  - For gateway-level WAF vs sidecar vs external service, what performance or maintainability issues should we be aware of?
Thanks in advance — any pointers to design proposals, filter examples, or related discussions are highly appreciated!