What is the difference between L4 and L7 policy enforcement in the mesh?
Istio & Service Mesh · Advanced level
Answer
L4 policy enforcement decides on connection-level attributes: the peer's mTLS identity (SPIFFE principal or namespace), source IP blocks, destination port, and the bare fact that a TCP connection is being opened. L7 policy enforcement parses the application protocol and decides on request metadata: HTTP method, path, headers, host, gRPC service and method, and the claims of a validated JWT.
Technical explanation
L4 policy is cheaper (no request parsing) and works for opaque TCP protocols such as databases and message brokers. Its identity attributes are only trustworthy when the connection is mTLS: a plaintext client admitted by a PERMISSIVE PeerAuthentication has no principal to match, so identity-based L4 rules need STRICT mode.
L7 policy is more expressive but needs the proxy to parse the protocol (a port named `http-`/`grpc-`, an `appProtocol`, or protocol sniffing). A rule that uses HTTP-only fields cannot match a plain TCP connection, so an ALLOW rule written that way is ignored on a TCP port and the traffic is denied. In ambient mode ztunnel enforces L4 only, so L7 decisions need a waypoint proxy in the path.
Use L4 for broad segmentation (which identities may reach which ports) and L7 for application-level least privilege (which operations those identities may perform once connected).
Hands-on example
Example:
L4: the frontend service account can open TCP connections to orders on port 8080.
L7: frontend can GET /orders and POST /orders, but cannot DELETE /orders.
Policy design starts with a namespace-wide deny-by-default, adds L4 allows for the identities and ports that must talk, then narrows the critical APIs with L7 controls. Because ALLOW policies are unioned, an L7 ALLOW placed beside a looser L4 ALLOW tightens nothing: the L7 constraints must go into the same rule, or the unwanted operations must be blocked with a DENY policy.
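The example above written out as Istio resources. This is an added example, not code from the original page or from the Istio project; it assumes a namespace `shop`, a `frontend` service account, an `orders` workload labelled `app: orders` listening on HTTP port 8080, and the default `cluster.local` trust domain. It shows the deny-by-default, the L4 allow, the L7 rule that must replace (not accompany) the L4 allow, and the DENY alternative that can sit beside it.

```yaml
# Added example (not from the original page). Assumed: namespace "shop",
# service account "frontend", workload label app=orders on HTTP port 8080,
# trust domain cluster.local. Apply with kubectl apply -f.
---
# 0. Identity only exists over mTLS: STRICT mode ensures source.principal is
#    populated, so the identity-based rules below can match.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# 1. Deny by default: an ALLOW policy with no rules matches nothing, so every
#    workload in the namespace rejects traffic unless another ALLOW matches.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# 2. L4: frontend's identity may connect to orders on 8080. Nothing here
#    requires Envoy to parse the request, so it also works for opaque TCP.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-l4
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        ports: ["8080"]
---
# 3. L7: the same identity and port, but only GET and POST on /orders.
#    This REPLACES orders-l4. ALLOW policies are unioned, so leaving the L4
#    policy in place would still admit DELETE through it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-l7
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        ports: ["8080"]
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
---
# 4. Alternative that keeps orders-l4 as is: an explicit DENY for DELETE.
#    DENY policies are evaluated before ALLOW, so this wins regardless of
#    what any ALLOW policy admits.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-no-delete
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["DELETE"]
        paths: ["/orders", "/orders/*"]
```

Apply either policy 3 alone or policies 2 and 4 together; applying 2 and 3 together leaves DELETE allowed. Port 8080 must be recognised as HTTP (named `http-orders` or `appProtocol: http` on the Service) or the `methods`/`paths` fields in policies 3 and 4 will never match. In ambient mode policies 3 and 4 only take effect once a waypoint proxy is handling the `orders` traffic; ztunnel enforces policies 1 and 2 on its own.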
More Istio & Service Mesh interview questions
- What is Istio, and what are the core capabilities it provides?
- What is the difference between the Istio control plane and data plane?
- What is istiod, and what does it do?
- What is Envoy, and what role does it play in Istio?
- What is the sidecar pattern, and how does Istio inject the proxy?
- How does automatic sidecar injection work (namespace label, webhook)?
- What is the Istio ambient (sidecarless) mode, and how does it differ from sidecar mode?
- What is the difference between ztunnel and a waypoint proxy in ambient mode?