Securing and Observing Your Services, Simplified

Istio Ambient Mesh’s ztunnel delivers secure-by-default microservices communication and real-time traffic visibility - without sidecars. Learn how it boosts performance, simplifies management, and reduces costs while enhancing security and observability.

Introduction

In Part 1 of this series, we looked at what the optimal service mesh looks like for both Platform Engineers and Application Developers, and how Istio Ambient Mesh enables these personas to meet their goals.

In this post, the second part of the series, we will discover how Ambient Mesh’s ztunnel enables teams to implement strong security for their microservices, while giving deep visibility into their microservices network traffic. As noted in the first post, adopting microservices completely changes the communication model for applications; instead of in-memory calls between modules in a monolith, all communication is done via the network.

This explosion in network traffic introduces a number of challenges, not least securing and monitoring that traffic. A service mesh should enable companies to adopt a strong security posture with little effort, and to continuously observe that traffic for anomalies. Concretely, it should provide strong workload identities, encryption between every service, workload authorization, and deep telemetry insight into service-to-service communication.

What Is Ambient Mesh? 

In our previous blog post on the optimal service mesh, we explored the evolution of service meshes and the challenges they aimed to address. Ambient Mesh builds upon this foundation, representing a significant leap forward. It’s a modern service mesh that radically simplifies operations by removing the need for traditional sidecar proxies, making it inherently more scalable, faster, and simpler to manage.

At the heart of this innovation is ztunnel (“zero-trust tunnel”), a critical component that redefines how security and visibility are achieved within your applications. Unlike traditional service meshes where a sidecar proxy is injected alongside every service, Ambient Mesh leverages a node-level ztunnel proxy to handle traffic, and these proxies play a pivotal role in establishing and securing connections.

Deep Dive into ztunnel - Secure by Default

The "secure by default" label is not just a buzzword with ztunnel; it's a reality. One of the most compelling features of ztunnel is its ability to automatically encrypt all traffic between services. From the moment services communicate, ztunnels ensure that their interactions are protected, establishing a secure communication channel without any explicit action from developers or operations teams.

Ztunnels are node-level proxies that rely on the Istio CNI plugin to program a pod's network at pod startup. This redirects all inbound and outbound traffic from the pod's network namespace to the ztunnel on that node. For outbound traffic, ztunnel attaches the source workload's identity and encrypts the traffic. From there, the source ztunnel forwards the traffic either to a configured Waypoint proxy (if one is assigned to the destination) or to the destination node's ztunnel (which may be itself). All of this communication travels over a secure overlay network called HBONE (HTTP-Based Overlay Network Environment).

Imagine a world where developers don’t have to deal with certificate management, TLS configurations, or YAML files to ensure secure communication. With ztunnel, the underlying infrastructure handles the encryption and workload identity, freeing developers to focus on creating differentiated business value.

For platform teams, this translates into unprecedented confidence. They gain the assurance that every single connection within their environment is automatically protected, significantly reducing the attack surface and simplifying compliance efforts. 

Observability - Know the State of Your System

Beyond security, ztunnels provide real-time visibility into service-to-service traffic, a capability that benefits both operations and development teams. Ztunnel automatically emits the full set of TCP Istio Standard Metrics, and can be enhanced by using Waypoints for layer 7 metrics. Note that in Gloo Mesh Enterprise, layer 7 metrics are enabled in ztunnel, without the need for a Waypoint. These metrics can be shipped to enterprise observability platforms for monitoring, alerting, and troubleshooting.

With ztunnel metrics, you can:

  • Detect issues early - By observing traffic patterns and connection health, ztunnels can help identify anomalies and potential problems before they escalate into full-blown outages.
  • Track down performance bottlenecks faster - Detailed insights into latency, request rates, and error rates between services allow teams to pinpoint performance bottlenecks with speed and accuracy.
  • Detect misconfigurations and questionable behavior - Gain a clear understanding of how your services interact, and quickly determine where misconfigurations or even non-standard behavior happens.
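The two points above, verifying that the "secure by default" promise actually holds and spotting questionable connection behavior, can both be checked from the TCP metrics ztunnel exposes. The following is an added example, not code from the original post or from the Istio project: it parses a small constructed Prometheus scrape (metric and label names follow Istio's standard TCP metrics; workload names and counter values are made up) and flags source/destination pairs that were not mutual TLS, plus pairs where opened connections far outnumber closed ones.

```python
import re
from collections import defaultdict

# Constructed sample scrape in Prometheus text format. Metric and label
# names follow Istio's standard TCP metrics; the workloads and values are
# invented for this example.
SAMPLE_SCRAPE = """
istio_tcp_connections_opened_total{source_workload="frontend",destination_workload="cart",connection_security_policy="mutual_tls"} 1200
istio_tcp_connections_closed_total{source_workload="frontend",destination_workload="cart",connection_security_policy="mutual_tls"} 1195
istio_tcp_connections_opened_total{source_workload="frontend",destination_workload="legacy-db",connection_security_policy="none"} 40
istio_tcp_connections_closed_total{source_workload="frontend",destination_workload="legacy-db",connection_security_policy="none"} 40
istio_tcp_connections_opened_total{source_workload="batch",destination_workload="cart",connection_security_policy="mutual_tls"} 300
istio_tcp_connections_closed_total{source_workload="batch",destination_workload="cart",connection_security_policy="mutual_tls"} 40
"""

LINE_RE = re.compile(r'^(\w+)\{([^}]*)\}\s+([0-9.eE+-]+)$')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_scrape(text):
    """Return a list of (metric_name, labels_dict, value) from Prometheus text."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the metric{labels} value shape
            samples.append((m.group(1), dict(LABEL_RE.findall(m.group(2))), float(m.group(3))))
    return samples

def find_plaintext_edges(samples):
    """Source->destination pairs that opened connections without mutual TLS."""
    edges = set()
    for metric, labels, value in samples:
        if (metric == 'istio_tcp_connections_opened_total' and value > 0
                and labels.get('connection_security_policy') != 'mutual_tls'):
            edges.add((labels['source_workload'], labels['destination_workload']))
    return sorted(edges)

def find_leaking_edges(samples, max_open_ratio=0.5):
    """Pairs where the share of never-closed connections exceeds max_open_ratio."""
    opened, closed = defaultdict(float), defaultdict(float)
    for metric, labels, value in samples:
        key = (labels['source_workload'], labels['destination_workload'])
        if metric == 'istio_tcp_connections_opened_total':
            opened[key] += value
        elif metric == 'istio_tcp_connections_closed_total':
            closed[key] += value
    return sorted(k for k, o in opened.items() if o and (o - closed[k]) / o > max_open_ratio)
```

On the sample data the first check reports frontend -> legacy-db (plaintext), and the second reports batch -> cart, where most connections were never closed; the 0.5 threshold is a placeholder to tune per environment.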

Business Value - Operational Efficiency and Cost Savings

The operational benefits of Ambient Mesh and ztunnels translate directly into significant business value for companies.

  • Fewer moving parts, better performance, and lower costs - This is perhaps the most fundamental operational advantage. By eliminating the need for sidecar proxies, Ambient Mesh drastically reduces the number of components running within your cluster. Fewer components mean:
    • Improved performance - Less resource consumption by the service mesh itself, leaving more resources for your actual applications.
    • Lower costs - Reduced infrastructure footprint and lower operational overhead directly contribute to cost savings. One shared component per node replaces potentially hundreds or thousands of individual proxies, each consuming resources.
    • Simplified management - A simpler architecture is inherently easier to rationalize, manage, troubleshoot, and upgrade.
  • Choose when to add deeper visibility - Ambient Mesh provides a tiered approach to service mesh functionality. While ztunnels offer foundational security and basic visibility at the node level, you have the flexibility to add Waypoint proxies to handle Layer 7 concerns, and get rich Layer 7 telemetry, just for the services that require them. This "opt-in" model avoids the overhead of a full-featured service mesh where it's not needed, further optimizing resource utilization and simplifying configuration.
  • Use cases - Imagine a financial institution needing to ensure every microservice interaction related to transactions is encrypted and auditable, without slowing down high-volume processing. Or an e-commerce platform that needs to quickly identify performance degradations in its recommendation engine by observing traffic to backend services, without modifying application code. In a highly regulated environment, Ambient Mesh can provide the foundational security and auditability required for compliance, while in a fast-paced development cycle, it offers the agility and low overhead that developers need.

Conclusion

Ambient Mesh’s ztunnel represents a significant evolution in the service mesh landscape. It addresses the core challenges of security and visibility in cloud-native environments by offering a streamlined, efficient, and "secure by default" approach. By eliminating sidecars and providing instant insights, it empowers development and operations teams to build, manage, and secure high-performing applications without the traditional complexity and overhead.

We invite you to get started with Ambient Mesh today! Here are ways that you can get involved:

  1. Check out the documentation for Ambient Mesh.
  2. Follow one of our hands-on labs.
  3. Install Ambient Mesh in a test cluster.
  4. Check out the enterprise features in Gloo Mesh.
