diff --git a/internal/envoy/embed.go b/internal/envoy/embed.go
index abfb8e3c4..88645d87f 100644
--- a/internal/envoy/embed.go
+++ b/internal/envoy/embed.go
@@ -20,6 +20,9 @@ const (
 embeddedDirectoryPermissions fs.FileMode = 0o755
 )

+// OverrideEnvoyPath is an override for using an envoy path instead of the embedded envoy path.
+var OverrideEnvoyPath = ""
+
 var (
 embeddedFilesBaseDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files")
 extractEmbeddedEnvoyOnce sync.Once
diff --git a/internal/envoy/envoy.go b/internal/envoy/envoy.go
index feab111a8..ae237e899 100644
--- a/internal/envoy/envoy.go
+++ b/internal/envoy/envoy.go
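Review bot: The doc comment on `OverrideEnvoyPath` in the embed.go hunk does not tell callers that setting it also turns off the build-time checksum verification, which is what the NewServer change in envoy.go does with it. I would spell that out, e.g. `// OverrideEnvoyPath, when non-empty, is executed instead of the embedded envoy binary; the build-time checksum is NOT verified for it.` and add that it must be set before NewServer is called. Because it is an exported, mutable package variable, any importing package can redirect which binary is launched, and no synchronization is visible here; an unexported variable behind a setter, or a NewServer option, would narrow that surface.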
@@ -70,31 +70,28 @@ func NewServer(ctx context.Context, src config.Source, grpcPort, httpPort string
 return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
 }

- envoyPath, err := extractEmbeddedEnvoy(ctx)
- if err != nil {
- log.Warn(ctx).Err(err).Send()
- envoyPath = "envoy"
- }
-
- fullEnvoyPath, err := exec.LookPath(envoyPath)
- if err != nil {
- return nil, fmt.Errorf("no envoy binary found: %w", err)
- }
-
- // Checksum is written at build time, if it's not empty we verify the binary
- if files.Checksum() != "" {
- bs, err := ioutil.ReadFile(fullEnvoyPath)
+ envoyPath := OverrideEnvoyPath
+ if envoyPath == "" {
+ envoyPath, err = extractEmbeddedEnvoy(ctx)
 if err != nil {
- return nil, fmt.Errorf("error reading envoy binary for checksum verification: %w", err)
+ return nil, fmt.Errorf("error extracting embedded envoy binary: %w", err)
 }
- h := sha256.New()
- h.Write(bs)
- s := hex.EncodeToString(h.Sum(nil))
- if files.Checksum() != s {
- return nil, fmt.Errorf("invalid envoy binary, expected %s but got %s", files.Checksum(), s)
+
+ // Checksum is written at build time, if it's not empty we verify the binary
+ if files.Checksum() != "" {
+ bs, err := ioutil.ReadFile(envoyPath)
+ if err != nil {
+ return nil, fmt.Errorf("error reading envoy binary for checksum verification: %w", err)
+ }
+ h := sha256.New()
+ h.Write(bs)
+ s := hex.EncodeToString(h.Sum(nil))
+ if files.Checksum() != s {
+ return nil, fmt.Errorf("invalid envoy binary, expected %s but got %s", files.Checksum(), s)
+ }
+ } else {
+ log.Info(ctx).Msg("no checksum defined, envoy binary will not be verified!")
 }
- } else {
- log.Info(ctx).Msg("no checksum defined, envoy binary will not be verified!")
 }

 srv := &Server{
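Review bot: When `OverrideEnvoyPath` is non-empty, the new `if envoyPath == ""` block is skipped entirely, so the path is neither checksum-verified nor checked for existence, and nothing is logged to say so. The removed `exec.LookPath` call used to fail early on a missing or non-executable binary; with the override, that failure presumably now surfaces only when envoy is started, outside this hunk. I would add an `else` branch that resolves the path and emits a warning, so an unverified binary is at least visible in the logs. Separately, the embedded binary is hashed by path under `os.TempDir()` (see embed.go) and presumably re-opened by path when launched, so it is worth confirming that the extraction directory is not writable by other local users. NewServer begins and ends outside the hunk.

```go
envoyPath := OverrideEnvoyPath
if envoyPath == "" {
	// … unchanged: extract embedded envoy and verify its checksum …
} else {
	// The override bypasses the build-time checksum: fail early and make that visible.
	if _, err := exec.LookPath(envoyPath); err != nil {
		return nil, fmt.Errorf("no envoy binary found: %w", err)
	}
	log.Warn(ctx).Str("path", envoyPath).Msg("using overridden envoy path, binary will not be verified!")
}
```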