eISSN: 3087-4289 editor@aimjournals.com
All Journals
Submit your article

International Journal of Modern Computer Science and IT Innovations

Open Access Peer Review International
Open Access

A COMPARATIVE ANALYSIS OF SERVICE MESH PROXY ARCHITECTURES: FROM SIDECARS TO AMBIENT AND PROXYLESS MODELS IN CLOUD-NATIVE ENVIRONMENTS

DOI
pdf
Felicia S. Lee 1 ,
4 Department of Computer Science, National University of Singapore, Singapore

Abstract

Purpose: The proliferation of cloud-native, microservices-based applications has established the service mesh as a critical infrastructure component for managing security, observability, and traffic. However, the foundational "sidecar" proxy model, while functionally rich, introduces significant performance overhead and operational complexity. This paper provides a critical, comparative analysis of the evolving service mesh data plane proxy architectures.

Methodology: This research employs a systematic review and qualitative comparative analysis of four distinct proxy models: (1) the traditional per-pod sidecar, (2) the application-embedded proxyless model, (3) the kernel-native eBPF-based model, and (4) the emerging disaggregated hybrid model, exemplified by Ambient Mesh. The analysis evaluates these models against key metrics: resource consumption, latency, security isolation, and operational transparency.

Findings: The analysis reveals a fundamental shift away from the "one-size-fits-all" sidecar. Proxyless models offer superior performance at the cost of application coupling. eBPF-based models provide kernel-native speed but face challenges in complex L7 policy enforcement. The disaggregated Ambient Mesh model, splitting L4 and L7 responsibilities, emerges as a compelling synthesis, aiming to reduce overhead significantly while retaining on-demand L7 capabilities.

Implications: A critical trade-off exists between the granular security isolation of the sidecar and the node-level security boundary of new models. This "blast radius" shift has profound implications for DevSecOps practices and the implementation of Zero Trust architectures. The findings suggest the future of the service mesh data plane is disaggregated, hybrid, and increasingly eBPF-native.

Keywords

Service Mesh, Cloud-Native, Microservices, Sidecar Proxy

References

πŸ“„ Wikipedia (2024) OSI Model. Available at https://en.wikipedia.org/wiki/OSI_model
πŸ“„ Chandramouli R, Butcher Z (2020) Building Secure Microservices-based Applications Using Service-Mesh Architecture. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) NIST SP 800-204A. https://doi.org/10.6028/NIST.SP.800-204A
πŸ“„ Chandramouli R, Butcher Z, Aradhna C (2021) Attribute-based Access Control for Microservices-based Applications using a Service Mesh. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) NIST SP 800-204B. https://doi.org/10.6028/NIST.SP.800-204B
πŸ“„ Chandramouli R (2022) Implementation of DevSecOps for a Microservices-based Application with Service Mesh. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) NIST SP 800-204C. https://doi.org/10.6028/NIST.SP.800-204C
πŸ“„ Chandramouli R, Butcher Z (2023) A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) NIST SP 800-207A. https://doi.org/10.6028/NIST.SP.800-207A
πŸ“„ Zero-Trust Architecture in Java Microservices. (2025). International Journal of Networks and Security, 5(01), 202-214. https://doi.org/10.55640/ijns-05-01-12
πŸ“„ Jackson E, Kohavi Y, Pettit J, Posta C (2022) Ambient Mesh Security Deep Dive. (Istio) Available at https://istio.io/latest/blog/2022/ambient-security/
πŸ“„ Howard J, Jackson EJ, Kohavi Y, Levine I, Pettit J, Sun L (2022) Introducing Ambient Mesh. (Istio) Available at https://istio.io/latest/blog/2022/introducing-ambient-mesh/#what-about-security
πŸ“„ Turner M (2022) eBPF and Sidecars - Getting the Most Performance and Resiliency out of the Service Mesh. (Tetrate) Available at https://tetrate.io/blog/ebpf-and-sidecars-getting-the-most-performance-and-resiliency-out-of-the-service-mesh/
πŸ“„ Graf T (2021) How eBPF will solve Service Mesh - Goodbye Sidecars. (Isovalent) Available at https://isovalent.com/blog/post/2021-12-08-ebpf-servicemesh/
πŸ“„ Chandra Jha, A. (2025). VXLAN/BGP EVPN for Trading: Multicast Scaling Challenges for Trading Colocations. International Journal of Computational and Experimental Science and Engineering, 11(3). https://doi.org/10.22399/ijcesen.3478
πŸ“„ Song J (2022) Transparent Traffic Intercepting and Routing in the L4 Network of Istio Ambient Mesh. (Tetrate) Available at https://tetrate.io/blog/transparent-traffic-intercepting-and-routing-in-the-l4-network-of-istio-ambient-mesh/
πŸ“„ Song J (2022) L7 Traffic Path in Ambient Mesh. (Tetrate) Available at https://tetrate.io/blog/l7-traffic-path-in-ambient-mesh/
πŸ“„ Cilium (2024) Threat Model β€” Cilium 1.15.6 documentation. (Cilium) Available at https://docs.cilium.io/en/stable/security/threat-model/
πŸ“„ Istio (2024) Ambient mode overview: ztunnel. Available at https://istio.io/latest/docs/ambient/overview/#ztunnel
πŸ“„ Landow S (2021) gRPC Proxyless Service Mesh. (Istio) Available at [suspicious link removed]
πŸ“„ Butcher Z (2024) Ambient Mesh: What you need to know about this experimental new deployment model for Istio Available at https://tetrate.io/blog/ambient-mesh-what-you-need-to-know-about-this-experimental-new-deployment-model-for-istio/
πŸ“„ Spring (2024) Spring Framework Available at https://spring.io/projects/spring-framework