
Envoy vs Istio vs Linkerd

Notes and Comparison to help pick which is best for what

1. What Are Envoy, Istio, and Linkerd?

1.1 Envoy

Envoy is a high-performance proxy designed for cloud-native applications.

  • 🚀 Originally built by Lyft
  • 🔥 Used in Istio, Consul, and AWS App Mesh
  • 📊 Focuses on Layer 4 (TCP) and Layer 7 (HTTP) traffic
  • 🔌 Highly extensible with filters and APIs

1.2 Istio

Istio is a full-fledged service mesh that uses Envoy as a data plane.

  • πŸ” Advanced security (mTLS, RBAC, JWT validation)
  • πŸ“ˆ Traffic control, observability, and tracing
  • πŸ”„ Best for large-scale microservices

1.3 Linkerd

Linkerd is a lightweight service mesh built for simplicity and speed.

  • ⚡ Lightweight compared to Istio
  • 🔧 Easier to deploy and manage
  • 📉 Lower resource consumption

Now, let's compare them in detail.


2. Envoy vs Istio vs Linkerd: Feature Comparison

| Feature | Envoy | Istio | Linkerd |
|---|---|---|---|
| Type | Proxy | Service Mesh | Service Mesh |
| Complexity | Medium | High | Low |
| Security | Limited | Strong (mTLS, RBAC) | Basic (mTLS) |
| Performance | High | Moderate | High |
| Observability | Basic | Advanced | Basic |
| Use Case | Edge proxy, API gateway | Full service mesh | Lightweight service mesh |

3. Deploying Envoy in Kubernetes

Envoy can be deployed as a standalone proxy.

Step 1: Create an Envoy ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: envoy-config
data:
  envoy.yaml: |
    static_resources:
      listeners:
      - name: listener_0
        address:
          socket_address: { address: 0.0.0.0, port_value: 8080 }
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              # stat_prefix is a required HttpConnectionManager field
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                name: local_route
                virtual_hosts:
                - name: backend
                  domains: ["*"]
                  routes:
                  - match: { prefix: "/" }
                    route: { cluster: backend }
              http_filters:
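              - name: envoy.filters.http.router
                # Envoy v3 config resolves filters by their typed_config type URL
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router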
      clusters:
      - name: backend
        connect_timeout: 1s
        type: STRICT_DNS
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: backend
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address: { address: backend-service, port_value: 80 }

Step 2: Deploy Envoy as a Pod

apiVersion: apps/v1
kind: Deployment
metadata:
  name: envoy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: envoy
  template:
    metadata:
      labels:
        app: envoy
    spec:
      containers:
      - name: envoy
        image: envoyproxy/envoy:v1.22.0
        volumeMounts:
        - name: config-volume
          mountPath: /etc/envoy/envoy.yaml
          subPath: envoy.yaml
      volumes:
      - name: config-volume
        configMap:
          name: envoy-config

Apply everything:

kubectl apply -f envoy-config.yaml
kubectl apply -f envoy-deployment.yaml

4. Deploying Istio in Kubernetes

Step 1: Install Istio CLI

curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH

Step 2: Install Istio in Kubernetes

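# The demo profile is meant for evaluation; use a production-oriented profile (e.g. default) on real clusters
istioctl install --set profile=demo -y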

Step 3: Enable Istio Injection

kubectl label namespace default istio-injection=enabled

Step 4: Deploy a Sample App with Istio

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: my-app-image:latest

Apply it:

kubectl apply -f my-app.yaml

Check if Istio injected a sidecar (an injected pod runs an extra istio-proxy container, so READY shows 2/2 instead of 1/1):

kubectl get pods -o wide

5. Deploying Linkerd in Kubernetes

Step 1: Install Linkerd CLI

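# Force HTTPS for the installer download; a URL without a scheme makes curl start over plain HTTP
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh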
export PATH=$HOME/.linkerd2/bin:$PATH

Step 2: Install Linkerd in Kubernetes

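# Linkerd 2.12 and later: install the CRDs first, then the control plane
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -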

Step 3: Inject Linkerd into Your App

kubectl get deploy -o yaml | linkerd inject - | kubectl apply -f -

Step 4: Verify Installation

linkerd check

You're now running Linkerd in Kubernetes! 🎉
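
A pod that runs without the proxy sits outside the mesh's mTLS and policy, so the sidecar checks in sections 4 and 5 are worth automating. The script below is an added example, not part of the original post: the function names and the sample pod names are constructed for illustration, while `istio-proxy` and `linkerd-proxy` are the container names the two meshes inject.

```shell
#!/bin/sh
# Report pods that are NOT running the mesh proxy.
#
# Input (stdin): one line per pod, "<pod-name><TAB><container names>".
# On a live cluster this can be produced with:
#   kubectl get pods -n default -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.initContainers[*].name}{" "}{.spec.containers[*].name}{"\n"}{end}'
# initContainers are listed too, because some mesh versions can run the
# proxy as a native sidecar (a restartable init container).

# pods_missing_sidecar <proxy-container-name>
#   istio-proxy for Istio, linkerd-proxy for Linkerd
pods_missing_sidecar() {
    awk -F '\t' -v sidecar="$1" '
        NF == 0 { next }                      # skip blank lines
        {
            found = 0
            n = split($2, names, " ")         # whitespace-separated names
            for (i = 1; i <= n; i++)
                if (names[i] == sidecar)      # exact match: istio-init must not count
                    found = 1
            if (!found) print $1
        }'
}

# Constructed sample. The last two pods were created before the namespace
# was labelled for injection, so the injector never saw them.
sample_pods() {
    printf '%s\t%s\n' \
        'my-app-5f6b8-abcde' ' my-app istio-proxy' \
        'my-app-5f6b8-fghij' 'istio-init my-app istio-proxy' \
        'my-app-7d9c4-klmno' ' my-app' \
        'envoy-6c8f9-pqrst'  ' envoy'
}

# Returns non-zero when any pod lacks the proxy, so it can gate a CI job.
check_mesh_coverage() {
    missing=$(pods_missing_sidecar "$1")
    if [ -n "$missing" ]; then
        printf 'pods without %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
}

sample_pods | check_mesh_coverage istio-proxy || echo "mesh coverage check failed"
```

Pods that show up here need to be recreated (for example with `kubectl rollout restart`) so the injector can add the proxy.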


6. Which One Should You Choose?

| Use Case | Best Choice |
|---|---|
| You need a standalone proxy | Envoy |
| You need KOOL advanced service mesh features | Istio |
| You want a lightweight, simple service mesh | Linkerd |

Final Thoughts

Choosing between Envoy, Istio, and Linkerd depends on your needs.

Key Takeaways

✅ Use Envoy as a high-performance proxy.
✅ Use Istio for advanced service mesh security and traffic control.
✅ Use Linkerd for a lightweight, simple service mesh.