Ambient mesh is the new architectural alternative that does not rely on sidecars for a service mesh. Istio ambient mesh enables customers to reduce costs up to 90% while simplifying operations and improving performance for their applications.
Securely connect and authenticate elements within the mesh
Auto-scaled like any other Kubernetes deployment
Making the mesh more transparent to applications
Welcome to Ambient Mesh!
Ambient mesh takes a fresh approach to simplifying the service mesh, with a specific focus on areas of architectural flexibility, security, and performance. With ambient mesh in your environment, you can:
- Simplify operations of the service mesh
- Improve application performance
- Reduce infrastructure costs
Building on the core functionality available in Istio, ambient mesh moves the proxy to the node-level for mTLS and identity. This reduces the number of proxies to manage, slashing service mesh costs by reducing the compute and memory requirements per node.
Security is never a tradeoff that customers need to worry about using ambient mesh. Istio is ready to support your Zero-Trust Security initiative with mTLS enabled by default, and it is never compromised with either sidecar or sidecar-less architectures.
How Does Ambient Mesh Work?
Ambient mesh leverages a new architecture that separates the responsibilities of zero-trust networking and Layer 7 policy handling. This is done with two new components to Istio: ztunnels and waypoint proxies.
- Ztunnels are designed to be fast, secure, and lightweight. Ztunnels are deployed per node on a cluster and enable the most basic service mesh configurations for Layer 4 networking features such as mTLS, telemetry, authentication, and L4 authorizations.
- Waypoint proxies provide Layer 7 mesh networking features such as VirtualService routing, L7 telemetry, and L7 authorizations policies.
These ztunnels and waypoint proxies work in tandem to replace sidecars found in the standard Istio service mesh implementation, delivering up to 90% reduction in overhead.
Did you miss the introduction of ambient mesh?Read the blog
Bringing Ambient Mesh to Gloo Mesh
As the founders of Istio ambient mesh, the Solo.io team played a significant role in all aspects of the project, and the ambient mesh functionality is built in to Gloo Mesh.
Gloo Mesh offers support for ambient workloads in your Kubernetes clusters at no additional cost. Simply install Istio with the ambient profile and start onboarding workloads to an ambient mesh to experience the benefits:
- Waypoint proxy lifecycle management
- Waypoint proxy customization
- Multitenancy and zero trust with Gloo workspaces
- Observability with the Gloo UI and built-in Prometheus
- Protect ambient workloads with Gloo traffic policies
- Central management with Gloo
- N-4 release support
Gloo Mesh can be easily configured to meet the needs of each application, offering the ability to mix the choice of sidecar (standard Istio architecture) or sidecar-less (Istio ambient mesh architecture) workloads.
Ambient Mesh in Action
Watch how ambient mesh is enabled for an application using Gloo Mesh to easily deploy a service mesh
- Install Istio ambient mesh and ingress and east-west gateways
- Define and configure Workspaces for different teams
- Expose the frontend application using a VirtualGateway
- Configure AccessPolicy to explicitly allow certain traffic
- Create globally addressable, multi-cluster services using VirtualDestination resource
- Show traffic between clusters in Gloo Mesh UI
Curious about how you can start using ambient mesh today with Gloo Mesh?Read the Docs