What is the difference between an Istio ingress gateway and an egress gateway?
Istio & Service Mesh · Basic level
Answer
An ingress gateway controls traffic entering the mesh from outside, while an egress gateway controls traffic leaving the mesh to external services. Ingress is about exposing internal services safely; egress is about centralizing and auditing outbound access.
Technical explanation
Ingress gateway concerns include TLS termination, WAF/load-balancer integration, host routing, and external client authentication.
Egress gateway concerns include restricting destinations, consistent TLS origination, network allowlisting, and audit logs for outbound calls.
Both are data-plane proxies, but their security boundaries and operational runbooks are different.
Hands-on example
Egress use case:
- Only the istio-egressgateway has firewall access to api.partner.com.
- Workloads call the external host through a ServiceEntry and a VirtualService.
- Network teams allow outbound internet only from the egress gateway nodes or security group, giving a single audited path.
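The egress use case above expressed as Istio configuration (an added example, not from the original page): a ServiceEntry registers api.partner.com, a Gateway opens a TLS listener on the egress gateway, and one VirtualService routes the two hops, sidecar to egress gateway and egress gateway to the external host, matched by SNI. It assumes the stock egress gateway deployment in istio-system with the label istio: egressgateway, that the workload originates TLS itself (the gateway passes it through), and that outboundTrafficPolicy is REGISTRY_ONLY plus a node/security-group firewall so sidecars cannot bypass the gateway.

```yaml
# Register the external host so the mesh can route to it under REGISTRY_ONLY
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: partner-api
spec:
  hosts: [api.partner.com]
  ports:
  - {number: 443, name: tls, protocol: TLS}
  resolution: DNS
  location: MESH_EXTERNAL
---
# Egress gateway listener: accept TLS for api.partner.com and pass it through by SNI
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector: {istio: egressgateway}
  servers:
  - port: {number: 443, name: tls, protocol: TLS}
    hosts: [api.partner.com]
    tls: {mode: PASSTHROUGH}
---
# Two hops: sidecars -> egress gateway (gateway "mesh"), egress gateway -> external host
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: partner-api-via-egress
spec:
  hosts: [api.partner.com]
  gateways: [mesh, istio-egressgateway]
  tls:
  - match:
    - {gateways: [mesh], port: 443, sniHosts: [api.partner.com]}
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port: {number: 443}
  - match:
    - {gateways: [istio-egressgateway], port: 443, sniHosts: [api.partner.com]}
    route:
    - destination:
        host: api.partner.com
        port: {number: 443}
```

With this in place, every outbound connection to api.partner.com shows up in the egress gateway's access logs, which is the single audited path the runbook relies on; TLS origination at the gateway instead of the workload would need an additional DestinationRule.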