Kernel-level eBPF should beat user-space proxies—but Istio Ambient delivers 8% mTLS overhead while Cilium shows 99%. Academic benchmarks reveal why architecture boundaries matter more than execution location, and what that means for your service mesh choice in 2025.
In this episode:
- Istio Ambient (user-space) achieves 8% mTLS overhead vs Cilium (kernel eBPF) at 99%—counterintuitive result explained by L7 processing boundaries requiring kernel/user-space transitions
- 50,000-pod stability test shows Cilium's distributed control plane crashed the API server under churn while Istio's centralized control handled it—20% per-core efficiency, 56% total throughput advantage
- Decision framework: Ambient for 1,000+ nodes with mixed L4/L7 traffic (saves $186K/year on 2,000-pod cluster), Cilium for <500 nodes pure L4, sidecars for multi-cluster compliance
Perfect for senior platform engineers, SREs, and DevOps engineers with 5+ years of experience looking to level up their platform engineering skills.
Episode URL: https://platformengineeringplaybook.com/podcasts/00033-service-mesh-showdown-cilium-istio-ambient