Solo Enterprise for Istio

From microservices to agents. One mesh for everything at any scale.

Your platform spans clouds, clusters, and now agentic workloads. Solo Enterprise for Istio extends Ambient Mesh to meet all of it — one control plane from microservices to MCP.

8 enterprise capabilities. 100M+ pods tested. 0 sidecars required.

Multicluster Peering

Two architectures. One seamless mesh.

Gateway-routed mTLS peering across VPCs and clouds — no shared secrets. Direct pod-to-pod flat networking within a VPC for minimal latency. Mix both per cluster pair.

No API Server Access

Control planes peer via gateways — no shared K8s secrets.

Sub-100ms Propagation

Even at 100M pod scale across 2,000 clusters.

Resilient By Design

Tolerates peer downtime — no single point of failure.

Global Service Discovery

One global service name. Any cluster. Any instance.

Stop hardcoding cluster endpoints. With Solo Enterprise for Istio, every service is reachable from everywhere — automatic routing to the nearest healthy instance.

# From any cluster, any namespace:
curl http://orders.mesh.internal/api/v1/status

# Automatic routing to nearest healthy instance
# across us-east-1, eu-west-1, or ap-south-1

No Gateway Hops

Direct pod-to-pod across clusters.

Automatic Failover

Locality-aware load balancing built-in.

Unified Namespace

One DNS resolves to any cluster endpoint.

Node-based L7 Observability

HTTP visibility. Without the overhead.

Get full Layer 7 observability — HTTP methods, paths, response codes, and traces — directly from the node proxy. No waypoints required. No per-service sidecars. Just instant visibility with near-zero performance impact.

Ultra-High Performance

Less than 1% latency overhead with streaming HTTP parsing.

Safety First Design

Written in Rust for memory safety — observes without modifying traffic.

Full L7 Metrics

Request counts, latencies, response codes — all without waypoints.

Multicluster Peering

See everything. Across every cluster.

Unified service graph, tracing, and metrics across all your clusters. Understand traffic flows, identify bottlenecks, and troubleshoot issues — all from a single pane of glass.

Real-Time Service Graph

Visualize dependencies and traffic flow across clusters.

Application Metrics Without Sidecars

HTTP metrics, latency, and error rates — no waypoints required.

Distributed Tracing

End-to-end request tracing across cluster boundaries.

Figure: Gloo observability dashboard showing graph view with two clusters, us-east-cluster1 and us-west-cluster2, connected with services and namespaces.

Segments

Your org structure. Every tenant. In your mesh.

Segments partition a mesh into logical boundaries that match how your teams actually work. Each segment gets its own domain — so mesh.platform, mesh.alpha, and mesh.bravo resolve independently, even with identical service names.

Team Isolation

Multiple teams with overlapping namespace conventions — each gets its own segment. No renaming, no conflicts.

Multi-Cluster, One Team

One segment spans multiple clusters across regions. Service discovery works across all of them as a single mesh.

Shared Platform Services

Platform team exposes auth, gateway, and monitoring across all segments. Product teams consume without collision.

Runtime Extensions

Beyond Kubernetes. Into your entire stack.

Extend your ambient mesh to workloads running anywhere — Amazon ECS containers, virtual machines, or legacy infrastructure. One unified mesh with mTLS security, traffic management, and observability across all your runtimes.

Amazon ECS Integration

Auto-bootstrap ECS tasks with ztunnel sidecars via a simple CLI command.

Virtual Machine Support

Deploy ztunnel on any VM to join the mesh with full mTLS encryption.

AWS Lambda & Serverless

Extend mesh policies and observability to serverless functions.

Unified Security & Policies

Same L4 authorization policies work across Kubernetes, ECS, and VMs.

SPIRE Integration

Identity you can prove. Not just assert.

Replace Istio's default identity model with SPIRE's hardware-rooted workload attestation. Every mTLS certificate is backed by cryptographic proof — not just a Kubernetes service account.

Node Attestation

SPIRE agent verifies workload identity via kernel-level checks.

Zero Pod Changes

No socket mounts or volumes — ztunnel acts as trusted SPIRE delegate.

Multicluster Ready

Shared root CA across clusters with per-cluster SPIRE agents.

SPIFFE x509 SVIDs

Industry-standard workload identity certificates issued by SPIRE.

Agent Mesh

Your mesh just learned to speak AI.

Deploy agentgateway as a waypoint proxy in Ambient Mesh. Get native MCP and A2A protocol awareness, context-aware security policies, and full agentic observability — all enforced by the mesh so no client can bypass it.

Context-Aware AuthZ

Policies that inspect MCP tool names, A2A agent capabilities, and JWT claims — not just source IPs.

Native Protocol Support

Built-in MCP and A2A awareness — agentgateway understands agentic flows, not just HTTP.

Rust-Powered Performance

Dramatically lower memory and CPU than Envoy — purpose-built in Rust for AI-native workloads.

Mesh-Enforced Security

Ambient mesh ensures all calls to MCP servers route through agentgateway — no bypass possible.

Ready to see it in action?

Talk to our team about how Solo Enterprise for Istio can transform your platform — or try it yourself with a hands-on workshop.
