01 · The production question

If Cloudflare protects the public edge, why does Kubernetes still need Istio and Envoy?

I answered this with runtime evidence rather than a product comparison. During one observation window, automated scanners tested sensitive and malformed paths against public applications. The useful question was not simply “was there an attack?” It was: where did each request stop, what did it consume, and what can each layer prove?

Cloudflare protects the origin at internet scale. Istio and Envoy protect and explain traffic at cluster scale. The application protects identity, business rules, and data. These are adjacent boundaries, not interchangeable products.

02 · One request, four owners

The request changes meaning as it crosses boundaries

Public edgeCloudflareInternet-scale filtering
Cluster edgeEnvoy gatewayTLS, policy and routing
DiscoveryRoute → ServiceStable destination
RuntimeApplication PodBusiness behavior
StateCache / databaseOnly when required
BoundaryOwner and questionControls and limit
Internet edge
CloudflareShould this request reach the origin at all?
Managed WAF, bot signals, DDoS protection, CDN, global rate limitsIt does not understand Kubernetes Services, Pods, workload identity, or mesh routes.
Cluster edge
Istio ingress / EnvoyWhich listener, route, policy, and upstream apply inside the cluster?
Gateway, HTTPRoute, AuthorizationPolicy, local rate limit, access telemetryIt cannot decide whether an authenticated user is allowed to perform a business action.
Workload boundary
Envoy sidecar / NetworkPolicyWhich workload is speaking to which service, and under which identity?
mTLS, service identity, service-to-service telemetry, network allow rulesA service mesh does not replace application authorization or database constraints.
Business boundary
ApplicationMay this actor perform this operation on this data?
Authentication, authorization, validation, per-user limits, audit eventsApplication checks happen too late to absorb volumetric internet abuse efficiently.

03 · What Istio and Envoy actually do

Istio distributes intent; Envoy applies it to live traffic

Istio is not the proxy that handles every request. istiod is the control plane: it watches Kubernetes and Istio configuration, validates policy, issues workload certificates, and translates desired behavior into xDS configuration. Envoyis the data-plane proxy that receives that configuration and applies it to connections.

Reviewed intentGitOps manifestsGateway, HTTPRoute, AuthorizationPolicy, Telemetry and mesh policy
Control planeistiodWatches desired state and distributes xDS config plus workload certificates
Gateway EnvoyPublic traffic
Sidecar EnvoyService traffic
GatewayDeclares listeners such as HTTPS on port 443.
HTTPRouteMaps a hostname and path to a Kubernetes Service.
AuthorizationPolicyAllows or denies traffic using workload and request attributes.
mTLSEncrypts service traffic and authenticates workload identity.
TelemetryProduces request metrics and access logs used by Grafana, Loki, and Kiali.
xDSThe APIs through which istiod continuously configures Envoy proxies.

04 · Evidence, not assumptions

The dashboard separated four very different outcomes

Anonymized Grafana counters for traffic stopped at the edge and traffic reaching applications
The same observation window, classified by the deepest verified processing layer. Project-specific labels are anonymized.
1.59k

Stopped by edge policy

Envoy returned 403 before a frontend or backend workload was selected.

139

Rejected during normalization

Malformed paths received 400 at the cluster boundary.

341

Reached the frontend

Suspicious paths were routed but returned 404 instead of protected content.

368

Classified by the API

The backend identified automated clients that reached an application endpoint.

Anonymized Grafana rate chart showing sustained scanner traffic
Peak traffic was about 0.42 requests per second: sustained scanning, not a volumetric DDoS event.

Volume changes the control, not the diagnosis

At this rate, Cloudflare WAF would reduce origin exposure, but the cluster still needs a policy boundary for traffic that passes the edge or reaches the origin directly. Host-level evidence was anonymized before publication.

Grafana chart comparing blocked edge requests with requests reaching the frontend
Green: rejected by policy. Yellow: rejected during normalization. Blue: reached the frontend and returned 404.
ObservedClassificationRuntime effectInterpretation
403 at ingressStoppedNo application Pod selectedPolicy decision worked
400 during normalizationStoppedNo business handler executedMalformed request rejected
404 from frontendReachedFrontend consumed some resourcesRoute absent; not a breach
5xx from frontendReachedApplication failed while handling probeHardening opportunity
2xx on a sensitive pathReachedProtected content may have been returnedPotential bypass; investigate

05 · Security and capacity

A blocked request is also application work that never happened

403Envoy rejectsPolicy matches at ingress
Frontend executionBackend handlerRedis operationPgBouncer connectionPostgreSQL query

A request rejected at the ingress still consumes some network and Envoy capacity, but it does not reserve an application connection, execute framework middleware, allocate a database session, or run a query. Cloudflare can move that rejection even farther outward; Istio provides the cluster-aware fallback and the evidence needed to prove what happened.

Grafana counters showing sensitive probe outcomes
744 probes were routed to an upstream, but zero sensitive probes reached the backend and zero returned protected content with 2xx.

Reached is not the same as breached

“Routed upstream” proves that Envoy selected a destination. It does not prove that a sensitive handler ran, protected data was read, or a successful response was returned. Those claims require correlated application logs, traces, response semantics, and data-layer evidence.

06 · What I would improve next

The dashboard closed one question and opened better ones

01

Move common abuse outward

Enable proxied DNS deliberately, use managed WAF rules, and protect the origin from direct public bypass before restricting origin access.

02

Test normalization variants

Case changes, percent encoding, and path traversal variants need positive and negative acceptance tests, not an endlessly growing deny list.

03

Keep policy evidence attributable

Every dashboard decision should link back to the owning Git manifest, Argo application, live object, request ID, and time window.

04

Measure the protection itself

Gateway saturation, policy latency, false positives, 429 behavior, and application 5xx must be monitored alongside blocked-request counts.

The result is an explainable defense path

I can distinguish traffic that never reached the cluster, traffic rejected by Envoy, traffic routed to a frontend, traffic handled by the backend, and traffic that produced a data effect. That distinction prevents both false confidence and false alarms. More importantly, it turns security from a collection of product names into a chain of owned, observable decisions.