About This Architecture
This multi-AZ Amazon EKS cluster runs an Istio service mesh and uses AWS Certificate Manager Private CA for automated mTLS certificate issuance across application workloads. Traffic flows from users through an Application Load Balancer to the Istio Ingress Gateway, which routes requests to application pods with Envoy sidecar proxies spread across four t3.large worker nodes in private subnets. The Istio control plane (istiod) integrates with ACM Private CA to provision and rotate certificates, which are stored in Secrets Manager, enforcing zero-trust communication between services, while CloudWatch collects cluster and mesh telemetry. The architecture demonstrates production-grade service mesh security for Kubernetes teams that need automated certificate lifecycle management and encrypted east-west traffic without manual PKI operations. Fork this diagram on Diagrams.so to customize subnet layouts, adjust worker node instance types, add observability integrations, or export it as .drawio for infrastructure-as-code documentation.
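The zero-trust claim above depends on Istio actually being configured to require mTLS: out of the box Istio runs in PERMISSIVE mode, where sidecars accept both mTLS and plaintext, so a certificate-issuing CA alone does not guarantee encrypted east-west traffic. The following manifest is an added example, not part of the diagram or of Istio's or AWS's own documentation; it assumes a standard Istio install whose root namespace is `istio-system` (the default `meshConfig.rootNamespace`), and the `payments` namespace and `legacy-batch` app label are made-up placeholders.

```yaml
# Mesh-wide default: a PeerAuthentication in the root namespace with no
# selector applies to every workload in the mesh. STRICT rejects any
# connection that is not mutual TLS, so plaintext pod-to-pod traffic fails
# instead of silently succeeding as it would under PERMISSIVE.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace in a default Istio install
spec:
  mtls:
    mode: STRICT
---
# Namespace-scoped override (placeholder namespace). Scoping a policy to a
# namespace lets a team keep STRICT mesh-wide while still being explicit
# about what its own workloads accept; here it simply restates STRICT so the
# intent is visible next to the workloads it governs.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments       # placeholder namespace
spec:
  mtls:
    mode: STRICT
---
# Workload-scoped exception (placeholder label). If one workload must keep a
# single plaintext port open during migration, limit the relaxation to that
# port with portLevelMtls rather than downgrading the namespace or the mesh.
# Remove this object once the workload is fully onboarded to the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-batch-port-exception
  namespace: payments       # placeholder namespace
spec:
  selector:
    matchLabels:
      app: legacy-batch     # placeholder workload label
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: PERMISSIVE
```

Apply with `kubectl apply -f`, then confirm that no other PeerAuthentication in the cluster silently loosens the policy with `kubectl get peerauthentication -A`; an unexpected PERMISSIVE or DISABLE object in any namespace is the first thing to look for when a mesh that is supposed to be zero-trust still accepts plaintext.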