Ambient Mesh Overview

Learn about Istio's ambient mesh architecture and how it revolutionizes service mesh deployment.

What is Ambient Mesh?

Ambient mesh is a new data plane mode for Istio that removes the need for sidecars by implementing mesh functionality in shared node-level components. This approach reduces resource consumption, simplifies operations, and provides a more seamless path to service mesh adoption.

Key Benefits

Reduced Resource Overhead (Performance)
Eliminates per-pod sidecar containers, reducing memory and CPU usage by sharing infrastructure across workloads on the same node.

Simplified Operations (Operations)
No need to restart applications when adding them to the mesh. Mesh functionality is applied transparently without modifying pod specifications.

Incremental Adoption (Flexibility)
Start with basic connectivity and security, then gradually add advanced features like L7 policies only where needed.

Compatibility (Integration)
Works with existing Kubernetes deployments without requiring changes to application manifests or container images.

Architecture Components

ztunnel (Zero Trust Tunnel)
A per-node proxy that handles L4 traffic, implements mTLS, and provides basic telemetry. Runs as a DaemonSet on each node in the cluster.

Waypoint Proxies
Optional L7 proxies deployed only when advanced traffic management features are needed. Can be deployed per-namespace, per-service account, or per-service.

CNI Plugin
Configures traffic redirection to ztunnel transparently, without requiring init containers or elevated privileges in application pods.

Traffic Flow

1. L4 Processing: all traffic is intercepted by ztunnel for mTLS, basic policies, and telemetry.

2. L7 Processing (Optional): traffic requiring L7 features is routed through waypoint proxies.

3. Application Delivery: processed traffic is delivered to the destination application.
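An added example, not from the Istio project's own documentation, showing the incremental path described above: enroll a namespace so ztunnel captures its pods, enforce an identity-based L4 policy there, and add a waypoint plus an L7 policy only for the one service that needs it. It assumes Istio 1.22 or later with the Gateway API CRDs installed; the namespace, service, app labels and service-account names are made up.

```yaml
# Added example, not Istio's own. Namespace "shop", app labels and the
# "frontend" service account are assumed names.
apiVersion: v1
kind: Namespace
metadata: {name: shop, labels: {istio.io/dataplane-mode: ambient}}  # every pod captured by ztunnel, no restart
---
# L4 policy: ztunnel enforces it on the mTLS identity; no waypoint needed.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: {name: payments-l4, namespace: shop}
spec:
  selector: {matchLabels: {app: payments}}
  action: ALLOW
  rules:
  - from:
    - source: {principals: ["cluster.local/ns/shop/sa/frontend"]}
---
# Waypoint: L7 proxy added only for the service that needs L7 rules.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: waypoint, namespace: shop, labels: {istio.io/waypoint-for: service}}
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - {name: mesh, port: 15008, protocol: HBONE}
---
# Only the catalog Service is routed through the waypoint; payments stays L4-only.
apiVersion: v1
kind: Service
metadata: {name: catalog, namespace: shop, labels: {istio.io/use-waypoint: waypoint}}
spec:
  selector: {app: catalog}
  ports: [{name: http, port: 80, targetPort: 8080}]
---
# L7 policy: enforced at the waypoint, so HTTP method and path can be matched.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: {name: catalog-l7, namespace: shop}
spec:
  targetRefs:
  - {kind: Service, group: "", name: catalog}
  action: ALLOW
  rules:
  - from:
    - source: {principals: ["cluster.local/ns/shop/sa/frontend"]}
    to:
    - operation: {methods: ["GET"], paths: ["/catalog*"]}
```

The payments workload never passes through the waypoint, so its policy is evaluated by ztunnel at L4 only; method and path matching is possible for catalog solely because its traffic is sent through the waypoint.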

When to Use Ambient Mesh

Good Fit
  • Large-scale deployments with resource constraints
  • Gradual service mesh adoption
  • Primarily L4 security and observability needs
  • Existing applications that can't be easily modified
  • Multi-tenant environments

Consider Carefully
  • Heavy reliance on L7 traffic management
  • Complex per-workload policies
  • Applications requiring custom Envoy filters
  • Environments with strict network isolation
  • Legacy applications with non-standard networking