Sidecar per pod

Every application pod has an Envoy sidecar. The app talks to localhost:port; the sidecar handles TLS, retries, and routing.

Control plane

Istio Pilot or Linkerd's control plane pushes config to sidecars via xDS (dynamic configuration API).

What sidecar handles

  • mTLS between services (auto-cert-rotation)
  • Retries + timeouts (config-driven)
  • Circuit breakers
  • Distributed tracing
  • Metrics collection
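
As an added example (not from the original page), the first three items might look like this in Istio configuration. The namespace "shop", the service "orders" and all numeric values are assumptions chosen for illustration.

```yaml
# Added example; "shop" and "orders" are assumed names, values illustrative.
# STRICT rejects plaintext; PERMISSIVE would accept both mTLS and plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Retries and timeouts, enforced by the calling sidecar.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: orders
  namespace: shop
spec:
  hosts:
    - orders.shop.svc.cluster.local
  http:
    - route:
        - destination:
            host: orders.shop.svc.cluster.local
      timeout: 2s                  # overall budget, including retries
      retries:
        attempts: 2
        perTryTimeout: 500ms
        retryOn: connect-failure,refused-stream,503
---
# Circuit breaking: cap queued requests and eject failing endpoints.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: shop
spec:
  host: orders.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL           # client sidecar presents its mesh-issued cert
    connectionPool:
      http:
        http1MaxPendingRequests: 100
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 10s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```

With the mode left at PERMISSIVE, a workload that has no sidecar can still reach these services over plaintext, so check the effective mode per namespace before relying on mesh identity for authorization.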

What sidecar costs

The extra hop adds ~1-3ms latency. Each pod carries the memory footprint of its own Envoy (50-200MB). Config complexity is real.

When to skip mesh

Few services (<10). Latency-critical paths. Small ops team. Direct HTTP works fine for most.