OpenZiti vs Istio/Linkerd

Hi OpenZiti Team! I would like to thank you for such a great product; it really suits us for simplifying the networking part of the infrastructure. I have a question: can we also use OpenZiti as a real service mesh, like Istio/Linkerd? Can you describe the advantages and disadvantages, at least in general terms? I am trying to plan the network part of the architecture, and I am not sure I understand all the functionality of OpenZiti, as it seems to be very powerful and confusing.

1 Like

Hey Kinseii, sure, here is a brief description from me:

OpenZiti and Istio/Linkerd serve different purposes and are not interchangeable. While Istio/Linkerd are service meshes designed for managing east-west traffic between services within a Kubernetes environment, OpenZiti is a zero-trust overlay network built for securing and simplifying networking across any environment.

Advantages of OpenZiti over Istio/Linkerd

  • Stronger Zero Trust Model: OpenZiti is built with zero trust principles, requiring authentication and authorization before establishing a connection. Istio defaults to open access unless policies are explicitly configured.
  • Secure Overlay Across Any Network: Unlike Istio, which operates within Kubernetes clusters, OpenZiti works across any environment (cloud, IoT, edge, multi-cloud, on-prem).
  • Eliminates Network Complexity: Removes the need for VPNs, inbound firewall rules, ACLs, public DNS, and even traditional load balancers.
  • Secure North-South Traffic: OpenZiti can replace Istio ingress, providing secure connectivity over the internet/WAN without exposing services.
  • Application-Integrated Access: Supports SDKs that allow applications to embed secure connectivity directly, enabling clientless and serverless deployments.

Disadvantages of OpenZiti Compared to Istio/Linkerd

  • Not a Traditional Service Mesh: OpenZiti is not designed for in-cluster service-to-service communication, meaning it lacks features like L7 traffic routing, observability, and retries that Istio/Linkerd provide.
  • No Built-in L7 Load Balancing: While OpenZiti handles L3/L4 load balancing, it does not provide the same granular L7 traffic management as Istio, which leverages Envoy proxies.
  • Less Native Kubernetes Integration: Istio is designed specifically for Kubernetes environments, whereas OpenZiti is more flexible but may require additional integration efforts for Kubernetes-based applications.

Summary

If you need a full-featured service mesh for managing east-west traffic in Kubernetes, Istio/Linkerd may be better suited. If you want zero-trust, private, and secure connectivity across any network, OpenZiti is a stronger choice—especially for securing north-south traffic and reducing network complexity. OpenZiti can complement Istio by replacing its ingress, improving security and reducing reliance on VPNs and firewall rules.

Honestly, I know people who have said to me, "why would I need a service mesh, I am using OpenZiti", while I also know people who use both.

3 Likes
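The reply above notes that Istio allows traffic unless policies are explicitly configured. As an added example (not part of the thread, and not code from OpenZiti or Istio), this Python check flags namespaces that have no namespace-wide "allow-nothing" `AuthorizationPolicy` baseline. It assumes manifests already parsed into dicts, Istio's default root namespace `istio-system`, and constructed sample namespaces and policy names.

```python
# Added example: find namespaces still running with Istio's allow-by-default behaviour.
ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default root namespace

def is_allow_nothing(manifest):
    """True for a namespace-wide AuthorizationPolicy that matches no request."""
    if manifest.get("kind") != "AuthorizationPolicy":
        return False
    spec = manifest.get("spec") or {}
    return (
        "selector" not in spec                      # covers every workload in the namespace
        and spec.get("action", "ALLOW") == "ALLOW"  # ALLOW is the default action
        and not spec.get("rules")                   # no rules, so nothing is allowed
    )

def open_namespaces(namespaces, manifests, root_ns=ROOT_NAMESPACE):
    """Return the namespaces that lack a default-deny baseline, sorted by name."""
    covered = {m["metadata"]["namespace"] for m in manifests if is_allow_nothing(m)}
    if root_ns in covered:  # a baseline in the root namespace applies mesh-wide
        return []
    return sorted(ns for ns in namespaces if ns not in covered)

# Constructed sample input (hypothetical namespaces and policy names).
SAMPLE_NAMESPACES = ["batch", "payments", "web"]
SAMPLE_MANIFESTS = [
    # payments: empty spec is the allow-nothing baseline
    {"kind": "AuthorizationPolicy",
     "metadata": {"name": "allow-nothing", "namespace": "payments"},
     "spec": {}},
    # web: only one workload is restricted; the rest of the namespace stays open
    {"kind": "AuthorizationPolicy",
     "metadata": {"name": "frontend-only", "namespace": "web"},
     "spec": {"selector": {"matchLabels": {"app": "frontend"}},
              "action": "ALLOW",
              "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}},
    # batch: no AuthorizationPolicy at all
]

if __name__ == "__main__":
    for ns in open_namespaces(SAMPLE_NAMESPACES, SAMPLE_MANIFESTS):
        print(f"{ns}: no default-deny AuthorizationPolicy baseline")
```

The check recognises only the empty-rules ALLOW form of a baseline; a namespace that uses a different deny-all construction would be reported as open and needs manual review.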

OMG! Really good comparison, thanks for the clear and quick reply! So, in the future, we can consider implementing Istio/Linkerd as well, while using the OpenZiti overlay network.

3 Likes