Learn more about service mesh fundamentals in The Enterprise Path to Service Mesh Archictures (2nd Edition) - free book and excellent resource which addresses how to evaluate your organization’s readiness, provides factors to consider when building new applications and converting existing applications to best take advantage of a service mesh, and offers insight on deployment architectures used to get you there.

Data Plane

Service proxies (gateways) are elements of the data plane. The number of proxies present depends on the number of services you’re running and the design of the service mesh’s deployment model. Some service mesh initiatives create their own proxies, while others rely on existing ones. Envoy is a popular choice as the data plane element.


BFE is a Golang-based modern proxy. HTTP, HTTPS, SPDY, HTTP2, WebSocket, TLS, and FastCGI are among the load balancing algorithms and multiple protocols it supports. Users can configure rule and content-based routing using BFE's own domain-specific language.


Envoy is a modern proxy developed in C++. Envoy's initial success stemmed from its ability to hot-reload both its configuration and itself (update itself in place while handling connections). API gateways, ingress controllers, service meshes, and managed offerings by Cloud providers are just a few of the projects that have been built on top of Envoy. Istio, App Mesh, Kuma, Open Service Mesh, and other service meshes (discussed in the Control Plane section) have been built on top of Envoy.


The linkerd2-proxy is explicitly built for the service mesh sidecar use case, Linkerd, can be significantly smaller and faster than Envoy-based service meshes. Rust was chosen as the implementation language because it is memory-safe and highly performant. This service proxy purports a sub-1ms p99 traffic latency. Open-source. From Buoyant.


nginMesh project deploys NGINX as a sidecar proxy in Istio. Open source. Written primarily in C and Rust. From NGINX.

The following are a couple of early, and now antiquated, service mesh–like projects, forming control planes around existing load-balancers:


Comprising two components: Nerve for health-checking and Synapse for service discovery. Open source. From AirBnB. Written in Ruby.


Takes advantage of integrations with Envoy, Prometheus, Vault, and Nomad to provide Git-centric, developer-driven deployments with automated build-and-release workflow. Open source. From Verizon Labs. Written in Scala.

Control Plane


Announced service mesh capable intention in v1.5. Became a full service mesh in v1.8. Consul uses Envoy as its dataplane, offering multi-cluster federation. Open and closed source. From HashiCorp. Primarily written in Go.


Linkerd is hosted by the Cloud Native Computing Foundation (CNCF) and has undergone two major releases with significant architectural changes and an entirely different code base used between the two versions.


The first version of Linkerd was built on top of Twitter Finagle. Pronounced “linker-dee”, it includes both a proxying data plane and control plane, Namerd (“namer-dee”), all in one package. Open source. Written primarily in Scala.

  • Data plane can be deployed in a node proxy model (commonly) or in a proxy sidecar (not common). Proven scale, having served more than one trillion service requests.
  • Supports services running within container orchestrators and as standalone virtual or physical machines.
  • Service discovery abstractions to unite multiple systems.
  • Linkerdv2

    The second major version of Linkerd is based on a project formerly known as Conduit, a Kubernetes-native and Kubernetes-only service mesh announced as a project in December 2017. In contrast to Istio and in learning from Linkerdv1, Linkerdv2’s design principles revolve around a minimalist architecture and zero configuration philosophy, optimizing for streamlined setup.

  • Open Source. From Buoyant. Control-plane written in Go. Hosted by the CNCF.
  • Support for gRPC, HTTP/2, and HTTP/1.x requests plus all TCP traffic. Currently only supports Kubernetes.
  • Istio

    Announced as a project in May 2017, Istio is considered to be a “second explosion after Kubernetes” given its architecture and surface area of functional aspiration.

  • Supports services running within container orchestrators and as standalone virtual or physical machines.
  • Was the first service mesh to promote the model of supporting automatic injection of service proxies as sidecars using Kubernetes Admission controller.
  • Many projects have been built around Istio. Commercial, closed source offerings built around Istio include: AspenMesh, VMware Tanzu Service Mesh, Octarine (acquired by VMware in 2020). Commercial, closed source offerings built inside of Istio include Citrix Service Mesh To be built “within Istio” means to offer the Istio control plane with an alternative service proxy. Citrix Service Mesh displaces Envoy with CPX. Open source, data plane proxy, MOSN released support for running under Istio as the control plane, while displacing Envoy as the service proxy.
  • Many projects have been built within Istio.
  • Mesher. Layer 7 (L7) proxy that runs as a sidecar deployable on Huawei Cloud Service Engine. Open source. Written primarily in Go. From Huawei.
  • NGINX Service Mesh

    NGINX Service Mesh is a more recent arrival into the service mesh arena, having released in September 2020. Using an Nginx Plus augmented to interface with Kubernetes natively as its dataplane, supports ingress and egress gateways through NGINX Plus Kubernetes Ingress Controllers. NGINX Service Mesh offers its control plane as a CLI, meshctl, using the Service Mesh Interface (SMI) specification as its API. Both Open and closed source. From NGINX. Primarily written in C.

    Others including Open Service Mesh, Maesh, Kuma, App Mesh...

    This list is meant to give you an idea of the wide range of service meshes that are currently available. A complete list of service meshes and their details may be found in the Layer5 service mesh landscape, maintained by the community.

    Management Plane

    The management plane sits a level above the control plane. It can perform various tasks such as operational patterns, business system integration, and application logic enhancement while functioning across different service meshes. A management plane can perform workload and mesh configuration validation, whether in preparation for onboarding a workload into the mesh or as you upgrade to new versions of components running your control and data planes or new versions of your applications. Management planes help organizations running a service mesh get the most out of their investment. Performance management is one part of maintaining service meshes, a function at which Meshery excels.


    the cloud native management plane for adopting, operating and developing on different service meshes. Meshery integrates business processes and application logic into service meshes by deploying custom WebAssembly (WASM) modules as filters in Envoy-based data planes. It provides governance, policy and performance and configuration management of service meshes with a visual topology for designing service mesh deployments and managing the fine-grained traffic control of a service mesh. - Open source. Created by Layer5. Primarily written in Go.

    Service Mesh Linguistics

    As the lingua franca of the cloud-native ecosystem, Go is certainly prevalent and you might expect most service mesh projects to be written in Go. By the nature of their task, data planes must be highly efficient in the interception, introspection, and rewriting of network traffic. As a data plane component, Envoy is written in C++11 because it provides excellent performance (surprisingly, some say it provides a great developer experience). Rust has found its way into service meshes as a growing language (and something of a C++ competitor). Because of its properties around efficiency (outperforming Go) and memory safety (when written to be so) without garbage collection, Rust has been used for Linkerdv2’s data plane component, for the former nginMesh’s Mixer module (see “How to customize an Istio service mesh”), and is now being used in WebAssembly programs as data plane filters (see “Write WASM filters for Envoy in Rust and deploy with Consul”).

    Get started with MeshMap!

    Explore and understand your infrastructure at a glance with our powerful visualizer tool. Gain insights, track dependencies, and optimize performance effortlessly.


    Related Resources

    Layer5, the cloud native management company

    An empowerer of engineers, Layer5 helps you extract more value from your infrastructure. Creator and maintainer of cloud native standards. Maker of Meshery, the cloud native manager.