Istio's own benchmarks — the kind of thing vendors usually bury — put ambient Istio well ahead of Cilium for encrypted, L7-style traffic: about 56% more total queries, ~20% lower tail latency, and ~20% higher queries-per-core. That's a big, concrete number that should change how platform teams pick networking primitives.
Why it's surprising: Cilium + eBPF has become the shorthand for "fast networking." But those numbers were measured with encrypted, application-layer traffic and L7 features enabled. Ambient Istio isn't magically faster at L2/L3 — it removes the sidecar hop and shifts work into a sidecar-less dataplane that still enforces L7 policies, mTLS, and telemetry. In practice that means less overhead for connection handling and better core utilization when you're doing TLS termination, routing rules, authN/Z, and rich observability.
The benchmark report doesn't say "Cilium is dead" — it shows where each approach wins. Cilium remains an excellent choice for pure L3/L4 workloads and for eBPF-accelerated dataplane primitives; ambient Istio delivers benefits when you need L7 policy, encryption, and telemetry at scale. The practical takeaway is that ambient, sidecar-less architectures now meaningfully compete with — and can outperform — eBPF-only setups for encrypted L7 workloads.
GitOps is the glue
This week's operational material shows how teams wire these pieces together. Solo.io published a hands-on tutorial for deploying Gloo Mesh with Argo CD on top of Istio's ambient mesh; the guide highlights Argo CD Application CRDs, automated sync with prune and selfHeal enabled, and multi-wave installs (istio-base, istiod, gateways) to preserve ordering and namespace scope. That multi-wave approach is the pragmatic pattern you need in production — Helm alone often isn't enough when control-plane components must land before routing rules.
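To make that multi-wave pattern concrete, here is an added example written for this piece (not the Solo.io tutorial's own manifests): three Argo CD Applications for Istio's base, istiod and gateway Helm charts, ordered with sync-wave annotations and synced with prune and selfHeal. It assumes the three manifests sit in one Git directory synced by a parent app-of-apps Application, that an AppProject named platform exists, and that the pinned chart version is a placeholder to replace with the one your pipeline tested.

```yaml
# Added example, not the tutorial's manifests. All three Applications sit in one Git
# directory synced by a parent app-of-apps Application; sync-wave ordering only holds
# between resources of the same parent sync. Project name and chart version are assumed.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istio-base
  namespace: argocd
  annotations: { argocd.argoproj.io/sync-wave: "0" }   # CRDs and cluster RBAC land first
spec:
  project: platform
  source: { repoURL: https://istio-release.storage.googleapis.com/charts, chart: base, targetRevision: 1.23.0 }
  destination: { server: https://kubernetes.default.svc, namespace: istio-system }
  syncPolicy:
    automated: { prune: true, selfHeal: true }   # Git is the only writer of these objects
    syncOptions: [CreateNamespace=true, ServerSideApply=true]   # Istio CRDs can exceed the client-side-apply annotation limit
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istiod
  namespace: argocd
  annotations: { argocd.argoproj.io/sync-wave: "1" }   # control plane only once wave 0 is Synced and Healthy
spec:
  project: platform
  source:
    repoURL: https://istio-release.storage.googleapis.com/charts
    chart: istiod
    targetRevision: 1.23.0   # assumed placeholder; pin the version your pipeline actually tested
    helm:
      values: |
        profile: ambient   # sidecar-less dataplane; the cni and ztunnel charts follow in their own waves
  destination: { server: https://kubernetes.default.svc, namespace: istio-system }
  syncPolicy:
    automated: { prune: true, selfHeal: true }
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: istio-ingressgateway
  namespace: argocd
  annotations: { argocd.argoproj.io/sync-wave: "2" }   # gateways are programmed by istiod, so they go last
spec:
  project: platform
  source: { repoURL: https://istio-release.storage.googleapis.com/charts, chart: gateway, targetRevision: 1.23.0 }
  destination: { server: https://kubernetes.default.svc, namespace: istio-ingress }
  syncPolicy:
    automated: { prune: true, selfHeal: true }
    syncOptions: [CreateNamespace=true]
```

Argo CD only advances to the next wave once the previous wave's resources report Healthy, so the parent Application needs the health check for the Application kind enabled in argocd-cm (it has been off by default since Argo CD 1.8); without it, waves degrade to plain creation order.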
On the Cilium side, community guides and demos recommend installing Cilium early in cluster bootstrap and then handing day-two management to a GitOps tool. Flux, for example, can manage HelmRelease objects and be configured to automate chart updates from Git, which is the kind of lifecycle automation CNIs need: present at node bootstrap and safely upgraded by your platform pipeline.
Progressive delivery tools such as Flagger illustrate the full-stack value: image promotion, canary ramping, and observability-driven promotion authored in Git. Flagger leverages Istio routing for traffic shifting while Flux or Argo CD manages the manifests — the control plane and deployment lifecycle become reproducible and auditable.
Take: ambient + eBPF is the right call — but it’s not a simplification
The right architecture for today isn't "pick Istio or pick Cilium" — it's a layered stack: Cilium for fast L3/L4, eBPF acceleration, and low-level dataplane primitives; Istio ambient for L7 controls, mTLS, and policy/telemetry. That's a sensible defense-in-depth move. Teams that still treat the CNI as immutable, or expect a single dataplane to cover every layer, will find that encrypted L7 workloads expose the limits of pure L3/L4 designs.
That said, it's not free. Combining ambient Istio and Cilium increases operational complexity: bootstrap ordering, CRD and API compatibility, control-plane placement, and shared ownership of telemetry. That's why the community patterns around GitOps matter — multi-wave Argo CD installs and Flux-managed HelmRelease handoffs are operational primitives, not optional niceties. Without ordered, auditable installs and clear handoffs, you'll pay in downtime and subtle misconfigurations.
One more detail that matters: telemetry consolidation. The ecosystem is moving toward an OpenTelemetry-first model for mesh telemetry, which makes composing Istio and Cilium signals tractable. If you don't have an OTEL plan that spans both dataplanes, you'll lose observability when the two interact.
If you're designing platform networking today, stop debating whose benchmark is bigger and start designing the integration: install-time choreography, GitOps ownership, and an OTEL schema that covers both sides. My prediction: within 12–18 months most progressive platforms will ship with an Istio ambient + Cilium template — and the teams that get the GitOps handoff right will be the ones not fighting tail latency and surprise failures in production.