How would you implement rate limiting in Istio (local and global)?
Istio & Service Mesh · Advanced level
Answer
Istio rate limiting can be local or global. Local rate limiting is enforced independently by each proxy and is good for simple per-pod protection. Global rate limiting uses an external rate-limit service so limits can be shared across replicas and gateways.
Technical explanation
Local limits are simpler and avoid an external dependency, but each proxy has its own counter.
Global limits are better for tenant-level, API-key, or user-level quotas across multiple gateway replicas.
Rate limits should be paired with clear response codes, dashboards, and exemption processes.
Hands-on example
Implementation example:
Local: EnvoyFilter or Telemetry/filter configuration for token bucket at ingress.
Global: ingress gateway -> Envoy external rate limit filter -> rate-limit service backed by Redis.
Test:
$ hey -n 1000 -c 50 https://api.example.com/orders
Expect 429 when configured thresholds are exceeded.
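A minimal local rate limit at the ingress gateway, as an added example that is not part of the original answer; the global variant with an external rate-limit service is not shown. It assumes the gateway pods carry the label `istio: ingressgateway` and run in `istio-system`; the resource name and the bucket size are constructed values.

```yaml
# Added example: per-pod token bucket on the ingress gateway.
# Assumptions: gateway pods carry the label istio=ingressgateway and run in
# istio-system; the name and bucket numbers are constructed, tune them.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingress-local-ratelimit
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.local_ratelimit
          typed_config:
            "@type": type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
            value:
              stat_prefix: http_local_rate_limiter
              # Each gateway pod keeps its own bucket, so N replicas admit up
              # to N x 100 requests per second in aggregate.
              token_bucket:
                max_tokens: 100
                tokens_per_fill: 100
                fill_interval: 1s
              # Evaluate the limit for 100% of requests ...
              filter_enabled:
                runtime_key: local_rate_limit_enabled
                default_value:
                  numerator: 100
                  denominator: HUNDRED
              # ... and reject (HTTP 429 by default) rather than only count.
              filter_enforced:
                runtime_key: local_rate_limit_enforced
                default_value:
                  numerator: 100
                  denominator: HUNDRED
```

Leaving `filter_enabled` at 100 and setting the `filter_enforced` numerator to 0 gives a dry run: the filter counts requests that would have been limited without rejecting them, which is useful for sizing the bucket before enforcement.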