Using Ambient Mesh
Learn how to configure and use ambient mesh features for your applications.
Ambient mesh provides layered functionality - start with L4 features and add L7 capabilities as needed.
Ambient Mesh Layers
L4
Secure Overlay LayerDefault
Provides fundamental security and observability features through ztunnel:
- • Automatic mTLS encryption between services
- • L4 authorization policies
- • Basic telemetry (TCP metrics)
- • Identity-based routing
- • FIPS compliance support
L7
Waypoint LayerOptional
Advanced traffic management through waypoint proxies:
- • HTTP/gRPC traffic routing and load balancing
- • Request-level authorization policies
- • Rich HTTP metrics and distributed tracing
- • Fault injection and circuit breaking
- • WebAssembly extensions
Configuration Workflows
Adding Applications
Add namespaces and workloads to the ambient mesh
Learn how to onboard applications to ambient mesh with namespace labels and workload selectors.
Security Configuration
Configure mTLS and authorization policies
Set up zero-trust security with automatic mTLS and fine-grained authorization policies.
Waypoint Deployment
Deploy and configure waypoint proxies
Deploy waypoint proxies for L7 traffic management and advanced policy enforcement.
L7 Features
Configure advanced traffic management
Use HTTP routing, fault injection, and other L7 features with waypoint proxies.
Key Concepts
Namespace-level Enrollment
Applications are added to ambient mesh by labeling their namespace:
kubectl label namespace production istio.io/dataplane-mode=ambientWorkload Identity
Each workload gets a cryptographic identity based on its Kubernetes service account, enabling zero-trust security without application changes.
Transparent Traffic Interception
The Istio CNI plugin automatically configures traffic redirection to ztunnel without requiring init containers or privileged access.
Selective L7 Processing
Waypoint proxies can be deployed selectively - per namespace, service account, or individual service - providing L7 features only where needed.
Best Practices
Recommended Approach
- • Start with L4 features for all services
- • Add waypoints incrementally for services needing L7 features
- • Use namespace-level waypoints for broad L7 coverage
- • Monitor resource usage and performance impact
- • Test policies in permissive mode first
Performance Tips
- • Deploy waypoints close to traffic sources
- • Use service-specific waypoints for high-traffic services
- • Configure appropriate resource limits for waypoints
- • Monitor ztunnel resource usage per node
- • Consider node affinity for waypoint placement