Grow your solution architecture skills.

The Ambassador Pattern
June 25, 2025
7 min read

The Ambassador Pattern: Because APIs Have Bad Days Too

A solution architect at a mid-sized fintech startup was wrapping up a Friday afternoon design review when an alert came in. The customer onboarding API was intermittently failing. Not enough to trigger a full incident, but enough to raise eyebrows in the compliance team. At the root of the problem? A background verification callout to a third-party KYC (Know Your Customer) service. When that service hiccupped, the onboarding flow stalled. And because it was a synchronous call in a tightly coupled microservice, retries weren’t consistent. Worse, the core service logs showed nothing. The failures were silent.

The solution architect knew this was a classic case of an external dependency sneaking reliability risk into a clean architecture. There was no need to redesign the onboarding logic. There was a need for a buffer. A way to wrap that call, manage failures gracefully, and regain visibility. That’s when the Ambassador pattern was implemented.

Understanding the Ambassador Pattern

The Ambassador pattern introduces a dedicated helper component, deployed alongside your application, that handles outbound calls to external services. It acts as a proxy, abstracting away several complexities such as managing connections, handling retry policies, negotiating TLS, performing authentication, and logging outbound requests.

Ambassador

Think of it as a diplomatic envoy, one that ensures your application doesn't have to deal directly with the temperamental nature of external APIs. In a world of distributed cloud systems, where "failures are inevitable" has become more of a mantra than a warning, the Ambassador pattern offers a practical, lightweight mechanism to isolate and absorb that volatility.

Why External Calls Deserve Extra Attention

Modern applications rarely operate in isolation. Whether it’s enriching customer data through a third-party API, fetching secrets from a centralized vault, or verifying identities through an external service, most systems rely on components outside their direct control. And while these dependencies unlock functionality and speed, they also introduce uncertainty. That’s why solution architects must treat external calls as first-class design concerns.

You Don’t Own It, But You’ll Own the Failure

As a solution architect, you may not manage the third-party service your application depends on, but when that service is slow or unavailable, your system is the one that appears broken. Customers won’t distinguish between your platform and a delayed KYC verification call, they’ll just see failure. External systems bring along their own failure modes, timeouts, rate limits, and occasional outages. If those aren’t handled explicitly in your design, your service inherits their instability.

What the Ambassador Pattern Enables

The Ambassador pattern offers a smart, lightweight way to guard your application against these issues. By inserting a proxy between your core service and the external system, it becomes possible to enforce resiliency policies like retries, timeouts, and circuit breaking without polluting your business logic. You also gain centralized control over authentication, TLS configuration, and detailed request logging. With the Ambassador handling the unpredictability of the outside world, your application becomes more stable, maintainable, and observable.

When the Pattern Really Shines

This pattern is especially useful in cloud-native environments, where services often communicate with both internal and external APIs via HTTP or gRPC. Whether you’re working with third-party integrations, internal platform services owned by other teams, or legacy backends that weren’t designed with reliability in mind, the Ambassador pattern gives you a modular way to wrap those calls in safety. It’s particularly effective in Kubernetes, where sidecars can be deployed seamlessly alongside application containers.

Using Envoy as an Outbound Proxy Sidecar

Let’s walk through a practical implementation using Envoy Proxy as an ambassador in a locally simulated microservice environment. In this example, a service needs to call a third-party KYC API. Rather than implementing retry logic, TLS handling, or observability directly in the application code, we’ll use Envoy as a sidecar proxy to intercept and manage outbound traffic. This lets the app focus purely on business logic while Envoy handles the reliability and security aspects of external communication.. Instead of letting the application code handle retries and timeouts, you deploy Envoy as a sidecar proxy to handle these concerns externally.

1. Define an Envoy configuration

Start by defining the Envoy configuration file that sets up a listener, routes requests, and applies retry logic. This config is responsible for ensuring your service can interact with external APIs reliably and securely.

envoy.yaml

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/" }
                          route:
                            cluster: httpbin
                            timeout: 1s
                            retry_policy:
                              retry_on: 5xx
                              num_retries: 3
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
    - name: httpbin
      connect_timeout: 1s
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: httpbin
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: httpbin
                      port_value: 80
2. Deploy as a sidecar container using Docker Compose

Next, simulate the ambassador pattern locally using Docker Compose. This setup includes Envoy as a sidecar proxy and httpbin as a mock external API. Envoy listens on port 10000, reads its configuration from envoy.yaml, and forwards outbound traffic accordingly.

docker-compose.yaml

containers:
  - name: onboarding-service
    image: yourregistry/onboarding-service:latest
    ports:
      - containerPort: 8080

  - name: envoy
    image: envoyproxy/envoy:v1.29-latest
    args:
      - "-c"
      - "/etc/envoy/envoy.yaml"
    volumeMounts:
      - name: envoy-config
        mountPath: /etc/envoy

volumes:
  - name: envoy-config
    configMap:
      name: envoy-config

This approach ensures that failures in the external service are absorbed and managed by the sidecar, keeping your core logic clean and resilient.

3. Test It Locally

Start your containers with the following command:

docker-compose up

Now that the services are running, it's time to validate that Envoy is correctly acting as a resilient proxy. You'll test both a simulated failure and a successful response by sending HTTP requests to the exposed Envoy listener at localhost:10000.

Simulating a Failure:

curl -i http://localhost:10000/status/500

This command triggers a known 500 error using the httpbin service. Envoy intercepts the response and, according to the retry policy in envoy.yaml, retries the request up to three times before ultimately returning the final 500 response to the client. This test demonstrates how the Ambassador pattern absorbs transient failures without involving application logic.

Simulating a Success:

curl -i http://localhost:10000/get

This is a normal, successful request. Envoy forwards it to httpbin, receives a 200 OK, and returns it to the client. Since there is no failure, no retries are triggered. This confirms that Envoy correctly handles stable upstream responses without unnecessary interference.

These simple tests prove that your ambassador proxy is properly intercepting, retrying, and stabilizing outbound requests, exactly the kind of reliability boost that the pattern is designed to provide.

Design for the Worst Day, Not the Best

Systems that assume everything works fine in production are systems that will break. The Ambassador pattern helps you anticipate failure and design defensively, without bloating your application code. It creates a buffer between your clean service logic and the chaotic reality of external dependencies.

Use the Ambassador pattern to isolate outbound API calls behind a resilient proxy:

  • Deploy as a sidecar (e.g., Envoy or NGINX) in Kubernetes for easy scaling.
  • Enforce retry policies, TLS, auth, and logging without changing app code.
  • Perfect for critical third-party integrations where you need control but lack ownership.
Grow your solution architecture skills

Architect View Master Monthly

    © 2025.All rights reserved by Oscar van der Leij.