mTLS handshakes are the biggest CPU consumer
Tags: warning, performance. Updated Feb 24, 2026.
How to detect:
mTLS is the biggest CPU consumer in most Istio deployments. Every new TLS connection requires a handshake that performs expensive cryptographic operations (key exchange, certificate validation and signing), and frequent connection churn multiplies that per-handshake cost across every service-to-service call in the mesh.
Recommended action:
Reduce TLS handshake frequency by keeping connections alive longer. In a DestinationRule, set trafficPolicy.connectionPool.http.maxRequestsPerConnection: 0 so that connections are never closed based on request count (0 means unlimited). Set h2UpgradePolicy: UPGRADE to multiplex many requests over a single HTTP/2 connection, which minimizes the number of handshakes. Configure TCP keepalive with time: 7200s and interval: 75s so that idle connections stay open rather than being re-established.
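A DestinationRule that applies all three settings from the recommendation above, as an added example rather than configuration from the original page; the rule name, namespace, host pattern and probe count are assumptions:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reuse-mtls-connections   # assumed name
  namespace: default             # assumed namespace
spec:
  # Assumed host pattern: applies to every service in the default namespace.
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    connectionPool:
      tcp:
        # Keep idle mTLS connections open instead of re-handshaking.
        tcpKeepalive:
          time: 7200s      # idle time before the first keepalive probe
          interval: 75s    # interval between subsequent probes
          probes: 9        # assumed; number of unanswered probes before the connection is dropped
      http:
        # 0 = unlimited requests per connection; never recycle based on request count.
        maxRequestsPerConnection: 0
        # Upgrade HTTP/1.1 traffic to HTTP/2 so many requests share one TLS connection.
        h2UpgradePolicy: UPGRADE
```

Scoping the host to a narrower pattern limits the change to the services whose handshake churn you have measured.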