Interview › Istio & Service Mesh
What is Envoy, and what role does it play in Istio?
Istio & Service Mesh · Basic level
Answer
Envoy is the high-performance proxy Istio uses to enforce mesh behavior. In sidecar mode, each workload pod gets an Envoy proxy; at the edge, ingress and egress gateways are Envoy proxies; in ambient mode, waypoint proxies use Envoy for L7 features.
Technical explanation
Envoy can terminate and originate mTLS, route HTTP/gRPC/TCP traffic, collect metrics, enforce policies, and perform retries or circuit breaking.
Istio programs Envoy dynamically using xDS, so operators manage intent through Istio resources rather than hand-writing Envoy config.
For troubleshooting, Envoy is often the best source of truth because it shows the actual listeners, clusters, routes, and endpoints in use.
Hands-on example
Inspect Envoy for a pod:
$ istioctl proxy-config listener deploy/productpage -n app
$ istioctl proxy-config route deploy/productpage -n app
$ istioctl proxy-config cluster deploy/productpage -n app | grep reviews
If a route is missing here, the problem is mesh config distribution, not the application binary.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is istiod, and what does it do?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What is the difference between ztunnel and a waypoint proxy in ambient mode?
- What problem does Istio solve that Kubernetes Services alone do not?