Posting the solution I ended up going with.
I setup Consul to work as a discovery service. Basically a Consul sidecar would run alongside every cluster/webservice I have. When the webservice comes online, it would register itself with the Consul server. This way, only the Consul server name would need to be known.
Once a service is registered, you can either query Consul to get the IP for the webservice, or directly access it in the form of <webservice_name>.service.consul
The only change I had to make to the Envoy config was to point at the Consul server IP for DNS resolution (see below).
clusters: - name: ms_auth connect_timeout: 0.25s type: strict_dns lb_policy: round_robin hosts: - socket_address: address: ms-auth.service.consul port_value: 80 dns_resolvers: - socket_address: address: {DNS_RESOLVER_IP} port_value: 8600 - name: ms_logging connect_timeout: 0.25s type: strict_dns lb_policy: round_robin hosts: - socket_address: address: ms-logging.service.consul port_value: 80 dns_resolvers: - socket_address: address: {DNS_RESOLVER_IP} port_value: 8600