Before we learn what Istio is, it helps to understand the sidecar pattern. Think back to learning how to ride a bicycle: you struggle to keep balance and might fall. A motorcycle sidecar, popular in the mid-20th century, attaches to the vehicle to provide stability and carry an extra passenger who can help with navigation or watch for traffic.
In software, a sidecar runs alongside your application and offloads supporting responsibilities so the primary application can focus on its core functionality. A sidecar typically handles tasks like monitoring traffic, managing communications on behalf of the application, and providing auxiliary features (security, routing, observability). In short, it absorbs cross-cutting concerns, organizes and navigates network traffic, and communicates with other services so the application itself doesn’t need to.
A presentation slide titled "Role of a Sidecar" showing four numbered, colored boxes with brief descriptions: it handles extra tasks, organizes insurance and license info, enhances safety with collision alerts and navigation, and communicates with others. The layout uses gradient number icons on the left and rounded text boxes on the right.
Service meshes rely on sidecar proxies to manage traffic between services. Popular proxy implementations include:
| Proxy / Mesh | Typical Use | Notes / Example |
| --- | --- | --- |
| Envoy Proxy | Default sidecar proxy for many service meshes | Used (in an extended form) by Istio |
| Linkerd2 proxy | Lightweight proxy used by Linkerd | Focuses on simplicity and low overhead |
| Traefik Proxy | Used by Traefik Mesh and ingress scenarios | Good for HTTP routing and modern edge scenarios |
| HAProxy | General-purpose proxy/load balancer | Can be used in custom setups (e.g., with HashiCorp Consul) |
A slide titled "Options" showing four service/proxy logos: Envoy, Traefik, Linkerd, and HAProxy.
Envoy is an open-source, high-performance proxy originally developed at Lyft and later adopted by the Cloud Native Computing Foundation (CNCF). It behaves like a modern, dynamic load balancer with rich observability features, making it ideal for cloud-native microservices architectures. Note that the terms “proxy” and “sidecar” are often used interchangeably — both refer to the component that runs alongside your application to manage network traffic.
“Sidecar injection” is the process of automatically adding a proxy (for example, an Envoy sidecar) to a workload so it runs alongside the application container.
How does a sidecar proxy operate in practice? Think of Envoy as a traffic controller for your services. In a distributed system with many services, Envoy intercepts inbound and outbound traffic for each workload (typically as a separate container in the same Kubernetes Pod), ensuring requests are routed securely and efficiently to their destinations.
A schematic diagram of a Kubernetes "Service Mesh" titled "Middleman." It shows three nodes, each running an app and its service with Envoy sidecar proxies interconnected to form the mesh.
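Because injection is what places a workload behind the proxy, it is worth auditing which Pods actually carry one. The following is an added example, not part of the original page: it assumes Istio's default sidecar container name `istio-proxy` and its `sidecar.istio.io/inject` opt-out, and the Pod list is constructed sample data in the shape of `kubectl get pods -A -o json`.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "cart-7d9f"},
  "spec": {"containers": [{"name": "cart"}, {"name": "istio-proxy"}]}},
 {"metadata": {"namespace": "shop", "name": "payments-5c2a"},
  "spec": {"containers": [{"name": "payments"}]}},
 {"metadata": {"namespace": "shop", "name": "search-91be"},
  "spec": {"initContainers": [{"name": "istio-proxy", "restartPolicy": "Always"}],
           "containers": [{"name": "search"}]}},
 {"metadata": {"namespace": "batch", "name": "report-x1",
               "annotations": {"sidecar.istio.io/inject": "false"}},
  "spec": {"containers": [{"name": "report"}]}}
]}
""")

PROXY_NAME = "istio-proxy"            # assumption: Istio's default sidecar name
OPT_OUT_KEY = "sidecar.istio.io/inject"  # assumption: Istio's per-Pod opt-out key


def has_sidecar(pod, proxy_name=PROXY_NAME):
    """True if the proxy is a regular container or a native sidecar
    (an init container with restartPolicy: Always)."""
    spec = pod.get("spec", {})
    if any(c.get("name") == proxy_name for c in spec.get("containers", [])):
        return True
    return any(c.get("name") == proxy_name and c.get("restartPolicy") == "Always"
               for c in spec.get("initContainers", []))


def audit(pod_list, proxy_name=PROXY_NAME):
    """Return (namespace, pod, reason) for every Pod running without the proxy."""
    findings = []
    for pod in pod_list.get("items", []):
        if has_sidecar(pod, proxy_name):
            continue
        meta = pod.get("metadata", {})
        opted_out = any((meta.get(k) or {}).get(OPT_OUT_KEY) == "false"
                        for k in ("labels", "annotations"))
        reason = "opted out of injection" if opted_out else "no proxy injected"
        findings.append((meta.get("namespace"), meta.get("name"), reason))
    return findings


if __name__ == "__main__":
    for ns, name, reason in audit(SAMPLE_POD_LIST):
        print(f"{ns}/{name}: {reason}")
```

Pods reported here send and receive traffic without the sidecar, so the routing, mTLS, and observability features described on this page do not apply to them.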
As the middleman, Envoy provides many important features:
  • Traffic routing and intelligent load balancing across service instances.
  • TLS / mTLS termination and encryption when configured (typically via a control plane such as Istio).
  • Observability: metrics, logs, and distributed tracing hooks to monitor request rates, latencies, and errors.
  • Reliability features: retries, circuit breaking, rate limiting, and traffic mirroring.
  • Advanced traffic control: header-based routing, fault injection, and traffic shifting.
Why include Envoy (or another sidecar proxy) in your service mesh?
  • Simplified communication: a consistent network layer so application code doesn’t implement complex networking logic.
  • Security: service-to-service encryption and identity (for example, mTLS).
  • Performance and observability: centralized metrics and tracing points for all service-to-service traffic.
  • Reliability and control: circuit breakers, rate limits, and retries improve resilience and operational control.
A presentation slide titled "Why Use Envoy Proxy?" showing three benefits—Simplified Communication, Security, and Performance—each with an icon and a brief explanation of how Envoy improves app communication, secures data, and tracks application health.
You can install Envoy directly on Linux or macOS, or deploy it in Kubernetes (for example, via Helm charts bundled with many service-mesh installations). Managing many Envoy instances manually across a cluster is operationally expensive, which is why control planes such as Istio exist: they handle injection, configuration, certificate rotation, and policy distribution at scale.
Example installation commands (Debian/Ubuntu and macOS):
```bash
# Linux (Debian/Ubuntu)
sudo mkdir -p /etc/apt/keyrings
wget -O- https://apt.envoyproxy.io/signing.key | sudo gpg --dearmor -o /etc/apt/keyrings/envoy-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/envoy-keyring.gpg] https://apt.envoyproxy.io/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/envoy.list
sudo apt-get update
sudo apt-get install -y envoy
envoy --version

# macOS (Homebrew)
brew update
brew install envoy
```
Managing individual proxies for every workload can become complex. Service meshes provide a control plane to inject, configure, and manage Envoy sidecars across a cluster, reducing operational overhead and standardizing security, routing, and observability.