Why Cilium and Istio Are Better Together in EKS

Why I Still Run Istio on Top of Cilium in EKS

After migrating from AWS VPC CNI to Cilium, I often get asked: “If Cilium has its own service mesh, why are you still running Istio?” The answer lies in the complementary strengths of these two technologies at different layers of the stack.

Different Layers, Different Strengths

Cilium excels at the kernel level, providing eBPF-powered networking, observability, and security. It enforces L3/L4/L7 network policies directly in the kernel, offering robust zero-trust networking guardrails.

Istio, on the other hand, operates at the application layer, delivering mature traffic management capabilities. It enables fine-grained routing, retries, canary deployments, and authentication – features that are battle-tested and production-ready.

Traffic Control Superpowers

Istio’s traffic management is a key reason I continue using it. It allows me to:

• Route requests based on headers, user identity, or traffic percentage
• Safely execute canary and blue/green deployments
• Enforce end-to-end mTLS across services

While Cilium’s service mesh is promising, Istio’s traffic shaping remains more mature and reliable for critical production environments.

Security & Authentication

The combination of Istio and Cilium creates a multi-layered security posture:

• Istio handles OIDC & JWT-based authentication with Keycloak/OAuth2-Proxy
• Cilium enforces network policies at the kernel level

This zero-trust-in-depth approach ensures both authentication and network-level security controls are in place.

Observability

Together, Cilium and Istio provide a 360° view of infrastructure and application traffic:

• Cilium’s Hubble offers real-time network flow visibility, dependencies, and packet-level insights
• Istio Telemetry provides service-level metrics, request latencies, and error rates

The Power of Combination

By running Istio on top of Cilium, I get the best of both worlds:

• High-performance eBPF networking from Cilium
• Mature traffic management and security from Istio

Conclusion

In my EKS architecture, Cilium and Istio are not competitors but complementary technologies. Cilium owns the kernel/network layer, while Istio owns the application/service layer. For modern service mesh implementations, consider this combination for scalability, security, and observability across all layers.

Tags: #cilium #istio #kubernetes #eks #servicemesh #cloudsecurity