A COMPARATIVE ANALYSIS OF SERVICE MESH PROXY ARCHITECTURES: FROM SIDECARS TO AMBIENT AND PROXYLESS MODELS IN CLOUD-NATIVE ENVIRONMENTS
Keywords: Service Mesh, Cloud-Native, Microservices, Sidecar Proxy
Abstract
Purpose: The proliferation of cloud-native, microservices-based applications has established the service mesh as a critical infrastructure component for managing security, observability, and traffic. However, the foundational "sidecar" proxy model, while functionally rich, introduces significant performance overhead and operational complexity. This paper provides a critical, comparative analysis of the evolving service mesh data plane proxy architectures.
Methodology: This research employs a systematic review and qualitative comparative analysis of four distinct proxy models: (1) the traditional per-pod sidecar, (2) the application-embedded proxyless model, (3) the kernel-native eBPF-based model, and (4) the emerging disaggregated hybrid model, exemplified by Ambient Mesh. The analysis evaluates these models against key metrics: resource consumption, latency, security isolation, and operational transparency.
Findings: The analysis reveals a fundamental shift away from the "one-size-fits-all" sidecar. Proxyless models offer superior performance at the cost of application coupling. eBPF-based models provide kernel-native speed but face challenges in complex L7 policy enforcement. The disaggregated Ambient Mesh model, splitting L4 and L7 responsibilities, emerges as a compelling synthesis, aiming to reduce overhead significantly while retaining on-demand L7 capabilities.
Implications: A critical trade-off exists between the granular security isolation of the sidecar and the node-level security boundary of new models. This "blast radius" shift has profound implications for DevSecOps practices and the implementation of Zero Trust architectures. The findings suggest the future of the service mesh data plane is disaggregated, hybrid, and increasingly eBPF-native.
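As an added illustration of the blast-radius shift described above (not part of the paper), the following Python model treats each proxy placement as the isolation boundary for workload mTLS identities, reports which identities and namespaces a single compromised proxy instance could present, and shows how a node-scheduling mitigation restores namespace isolation under node-scoped models. The cluster layout, workload names and the BOUNDARY mapping are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    name: str       # pod / workload instance
    node: str       # node it is scheduled on
    namespace: str  # namespace of the workload's mesh identity

# Constructed sample cluster (not from the paper): billing pods share
# nodes with the public-facing shop namespace.
CLUSTER = (
    Workload("frontend-1", "node-a", "shop"),
    Workload("cart-1", "node-a", "shop"),
    Workload("payments-1", "node-a", "billing"),
    Workload("frontend-2", "node-b", "shop"),
    Workload("ledger-1", "node-b", "billing"),
)

# Modelling assumption: workload mTLS identities live per pod in the sidecar
# and the in-process proxyless library, but per node in kernel-native eBPF
# datapaths and in Ambient's ztunnel, which serves every pod on its node.
BOUNDARY = {"sidecar": "pod", "proxyless": "pod", "ebpf": "node", "ambient": "node"}

def blast_radius(model, compromised, cluster=CLUSTER):
    """Workloads whose identity an attacker who controls the proxy
    serving `compromised` could present to the rest of the mesh."""
    victim = next(w for w in cluster if w.name == compromised)
    if BOUNDARY[model] == "pod":
        return frozenset({victim.name})
    return frozenset(w.name for w in cluster if w.node == victim.node)

def exposed_namespaces(model, compromised, cluster=CLUSTER):
    """Namespaces other than the victim's that become impersonable."""
    victim = next(w for w in cluster if w.name == compromised)
    names = blast_radius(model, compromised, cluster)
    return frozenset(w.namespace for w in cluster
                     if w.name in names) - {victim.namespace}

def isolate_namespace(cluster, namespace, node):
    """Mitigation for node-scoped models: pin a sensitive namespace to its
    own node pool (what a nodeSelector/taint policy does), so a compromised
    node proxy no longer holds identities from other namespaces."""
    return tuple(replace(w, node=node) if w.namespace == namespace else w
                 for w in cluster)

if __name__ == "__main__":
    for m in BOUNDARY:
        print(m, sorted(blast_radius(m, "cart-1")), sorted(exposed_namespaces(m, "cart-1")))
```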
Copyright (c) 2025 Felicia S. Lee (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.