Service Mesh Comparison — Istio vs Linkerd vs Envoy Gateway
Canonical comparison of service mesh and API gateway solutions for Kubernetes.
Quick Reference
| Dimension |
Istio |
Linkerd |
Envoy Gateway |
| Type |
Full service mesh |
Full service mesh |
API Gateway (north-south) |
| Latest Version |
v1.29 (Apr 2026) |
2026.4.x edge |
v1.7.1 (Mar 2026) |
| Data Plane |
Envoy (sidecar or Ambient) |
linkerd2-proxy (Rust sidecar) |
Envoy (gateway pods) |
| CNCF Status |
Graduated |
Graduated |
Part of Envoy (Graduated) |
| Proxy Language |
C++ (Envoy) |
Rust |
C++ (Envoy) |
| Sidecar-free |
✅ Ambient Mode |
❌ Sidecar only |
N/A (gateway) |
| Resource Overhead |
Low (Ambient) / High (Sidecar) |
Very Low |
Low (no sidecars) |
| License |
Apache 2.0 |
Apache 2.0 |
Apache 2.0 |
Feature Matrix
| Feature |
Istio |
Linkerd |
Envoy Gateway |
| mTLS |
✅ Automatic |
✅ Automatic (post-quantum!) |
✅ (gateway-to-backend) |
| L7 traffic management |
✅ Full (routing, splitting, mirroring) |
✅ Basic (splitting, retries) |
✅ Full (HTTPRoute, GRPCRoute) |
| Circuit breaking |
✅ |
❌ |
✅ |
| Rate limiting |
✅ |
❌ |
✅ |
| Observability |
✅ Kiali, Prometheus, Jaeger |
✅ Built-in golden metrics |
✅ Via Envoy telemetry |
| Gateway API |
✅ |
✅ |
✅ (reference impl) |
| Multi-cluster |
✅ Ambient multicluster (β) |
✅ Service mirroring |
❌ (single cluster) |
| East-west traffic |
✅ |
✅ |
❌ (north-south only) |
| JWT/OIDC auth |
✅ |
❌ |
✅ |
| AI inference routing |
✅ (v1.29 Gateway API Inference) |
❌ |
✅ (Envoy AI Gateway) |
| Wasm extensions |
✅ |
❌ |
✅ |
| Metric |
Istio (Ambient) |
Istio (Sidecar) |
Linkerd |
Envoy Gateway |
| Proxy memory |
~20MB (ztunnel) |
~50MB (Envoy sidecar) |
~10MB (Rust proxy) |
Shared gateway pods |
| Proxy latency (p99) |
~1ms (L4) |
~3ms |
~1ms |
~2ms |
| CPU per proxy |
Minimal (DaemonSet) |
Per-pod overhead |
Minimal |
Gateway only |
Decision Guide
| Scenario |
Recommendation |
| Full mesh (east-west + north-south) |
Istio (Ambient) or Linkerd |
| Simplest mesh, lowest overhead |
Linkerd |
| Maximum features + AI routing |
Istio |
| API Gateway only (no mesh) |
Envoy Gateway |
| Post-quantum security |
Linkerd (ML-KEM-768 default) |
| Budget-conscious small team |
Linkerd (simplest ops) |
| Multi-cluster mesh |
Istio (Ambient multicluster) |
| Gateway API reference implementation |
Envoy Gateway |
Complementary Usage
Istio/Linkerd and Envoy Gateway are not mutually exclusive. A common pattern:
- Envoy Gateway handles north-south (ingress) traffic
- Istio or Linkerd handles east-west (service-to-service) traffic
Sources
- Cross-validated via official docs and KubeCon 2026 announcements (April 2026)