This guide will help you get started with HTTP3 in Envoy Gateway (EG). The guide uses a self-signed CA, so it should be used for testing and demonstration purposes only.


  • OpenSSL to generate TLS assets.


Follow the steps from the Quickstart Guide to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP.

TLS Certificates

Generate the certificates and keys used by the Gateway to terminate client TLS connections.

Create a root certificate and private key to sign certificates:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./' -keyout -out

Create a certificate and a private key for

openssl req -out -newkey rsa:2048 -nodes -keyout -subj "/ organization"
openssl x509 -req -days 365 -CA -CAkey -set_serial 0 -in -out
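
The certificate steps above as a self-contained script, added here as an example and not part of the original guide. The file names and the host name `gateway.test` are constructed placeholders, and the leaf subject is an assumption. The script also checks that the leaf verifies against the CA and matches its private key, which is worth confirming before the pair goes into a Secret.

```shell
#!/bin/sh
# Added example: file names and the host name are constructed placeholders.

# gen_test_certs DIR HOST: create a throwaway CA and a leaf certificate for HOST.
gen_test_certs() {
    dir=$1 host=$2
    # Root certificate and key (same options as the guide's first command).
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj '/O=example Inc./' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Leaf key and signing request; the subject used here is an assumption.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    # Sign the request with the CA.
    openssl x509 -req -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 0 -in "$dir/leaf.csr" -out "$dir/leaf.crt" 2>/dev/null || return 1
    # Private keys should not be readable by other users.
    chmod 600 "$dir/ca.key" "$dir/leaf.key"
}

# chain_ok DIR: succeed only if DIR/leaf.crt verifies against DIR/ca.crt.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# keypair_ok CERT KEY: succeed only if CERT carries the public key of KEY.
keypair_ok() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
gen_test_certs "$demo_dir" gateway.test \
    && chain_ok "$demo_dir" \
    && keypair_ok "$demo_dir/leaf.crt" "$demo_dir/leaf.key" \
    && echo "chain and key pair OK in $demo_dir"
```
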

Store the cert/key in a Secret:

kubectl create secret tls example-cert

Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port 443 and references the example-cert Secret:

kubectl patch gateway eg --type=json --patch '[{
   "op": "add",
   "path": "/spec/listeners/-",
   "value": {
      "name": "https",
      "protocol": "HTTPS",
      "port": 443,
      "tls": {
        "mode": "Terminate",
        "certificateRefs": [{
          "kind": "Secret",
          "group": "",
          "name": "example-cert"
        }]
      }
    }
}]'

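Apply the following ClientTrafficPolicy to enable HTTP3:

kubectl apply -f - <<EOF
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: enable-http3
spec:
  http3: {}
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
    namespace: default
EOF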

Verify the Gateway status:

kubectl get gateway/eg -o yaml


Clusters without External LoadBalancer Support

At the moment it is not possible to port-forward the UDP protocol to a Kubernetes service, so an external load balancer is needed to test this feature.

Clusters with External LoadBalancer Support

Get the External IP of the Gateway:

export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')

Query the example app through the Gateway:

The example below uses a custom Docker image containing a curl binary built with HTTP3 support.

docker run --net=host --rm curl -kv --http3 --resolve "${GATEWAY_HOST}"