Linkerd — How It Works

Rust micro-proxy internals, sidecar injection, mTLS trust chain, and latency-aware load balancing.

Proxy Data Path

sequenceDiagram
    participant App as App Container
    participant Proxy as linkerd2-proxy (Rust)
    participant Dest as Destination Service
    participant Peer as Remote linkerd2-proxy
    participant Remote as Remote App

    App->>Proxy: TCP connect (transparent iptables intercept)
    Proxy->>Dest: Lookup service endpoints + policy
    Proxy->>Proxy: Establish mTLS (ML-KEM-768 + X25519)
    Proxy->>Peer: mTLS tunnel + HTTP/2 multiplex
    Peer->>Remote: Forward request
    Remote-->>Peer: Response
    Peer-->>Proxy: Response
    Proxy-->>App: Response

    Note over Proxy: Emits metrics:<br/>latency, success rate, RPS

EWMA Load Balancing

Linkerd uses an Exponentially Weighted Moving Average (EWMA) to track backend latency and steer requests away from slow endpoints:

flowchart LR
    Req["Request"] --> LB["EWMA LB"]
    LB -->|"pick lowest\nlatency score"| B1["Backend A\n(EWMA: 5ms) ✅"]
    LB -.->|"avoid"| B2["Backend B\n(EWMA: 500ms) ❌"]
    LB -.->|"avoid"| B3["Backend C\n(EWMA: 200ms)"]

    style B1 fill:#2e7d32,color:#fff
    style B2 fill:#c62828,color:#fff
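
A simplified model of the EWMA selection in the diagram above, added here as an example; it is not linkerd2-proxy code. The smoothing factor `ALPHA`, the `Backend` type and the scenario in which Backend A degrades to 400 ms are assumptions made for illustration.

```rust
// Added example: simplified EWMA latency scoring, not linkerd2-proxy code.
// ALPHA (weight given to the newest sample) is an assumed value.
const ALPHA: f64 = 0.3;

#[derive(Debug)]
struct Backend {
    name: &'static str,
    ewma_ms: f64,
}

impl Backend {
    fn new(name: &'static str, initial_ms: f64) -> Self {
        Backend { name, ewma_ms: initial_ms }
    }

    // Fold one observed latency into the average:
    // new = ALPHA * sample + (1 - ALPHA) * old
    fn observe(&mut self, sample_ms: f64) {
        self.ewma_ms = ALPHA * sample_ms + (1.0 - ALPHA) * self.ewma_ms;
    }
}

// Index of the backend with the lowest EWMA score, or None if there are no backends.
fn pick(backends: &[Backend]) -> Option<usize> {
    backends
        .iter()
        .enumerate()
        .min_by(|a, b| a.1.ewma_ms.total_cmp(&b.1.ewma_ms))
        .map(|(i, _)| i)
}

// Constructed scenario: start from the diagram's scores, then Backend A slows down.
fn simulate() -> Vec<&'static str> {
    let mut backends = vec![
        Backend::new("A", 5.0),
        Backend::new("B", 500.0),
        Backend::new("C", 200.0),
    ];
    let mut picks = Vec::new();
    for _ in 0..6 {
        let i = pick(&backends).expect("at least one backend");
        picks.push(backends[i].name);
        // Constructed latencies: A now answers in 400 ms, B and C are unchanged.
        let sample = match backends[i].name { "A" => 400.0, "B" => 500.0, _ => 200.0 };
        backends[i].observe(sample);
    }
    picks
}

fn main() {
    println!("{:?}", simulate());
}
```

One slow sample moves A's score from 5 ms to 123.5 ms, still the lowest, and the second pushes it past C, which then takes the traffic. In this model a backend that loses the comparison is never sampled again, so its score cannot recover on its own.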

Sources