What is Istio Ambient Mode?

Ambient mode is a new architectural alternative for the service mesh that does not rely on sidecars. Istio ambient mode enables customers to reduce costs by up to 90% while simplifying operations and improving performance for their applications.

Welcome to Ambient Mode!

Ambient mesh takes a fresh approach to simplifying the service mesh, with a specific focus on areas of architectural flexibility, security, and performance. With ambient mesh in your environment, you can:

  • Simplify operations of the service mesh
  • Improve application performance
  • Reduce infrastructure costs

Building on the core functionality available in Istio, ambient mesh moves the proxy to the node level for mTLS and identity. This reduces the number of proxies to manage, slashing service mesh costs by reducing the compute and memory requirements per node.

Customers do not need to trade off security when using ambient mesh. Istio is ready to support your Zero-Trust Security initiative with mTLS enabled by default, and this holds for both sidecar and sidecar-less architectures.

Secure

Securely connect and authenticate elements within the mesh

Scale

Auto-scaled like any other Kubernetes deployment

Simplify

Making the mesh more transparent to applications

How Does Ambient Mode Work?

Ambient mesh leverages a new architecture that separates the responsibilities of zero-trust networking and Layer 7 policy handling. This is done with two new Istio components: ztunnels and waypoint proxies.

  • Ztunnels are designed to be fast, secure, and lightweight. Ztunnels are deployed per node on a cluster and enable the most basic service mesh configurations for Layer 4 networking features such as mTLS, telemetry, authentication, and L4 authorization.
  • Waypoint proxies provide Layer 7 mesh networking features such as Virtual Service routing, L7 telemetry, and L7 authorization policies.

These ztunnels and waypoint proxies work in tandem to replace sidecars found in the standard Istio service mesh implementation, delivering up to 90% reduction in overhead.
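The L4/L7 split described above, shown as an added configuration example using upstream Istio resources (it is not taken from this page or from Gloo Mesh). The namespace `demo`, the workloads `reviews` and `productpage`, the waypoint name `waypoint` and the default `cluster.local` trust domain are assumptions, and the Kubernetes Gateway API CRDs are assumed to be installed.

```yaml
# Added example; demo, reviews, productpage and waypoint are assumed names.
# Enrol the namespace: ztunnel on each node now carries its pods' traffic
# over mTLS, and the namespace's services are reached through the waypoint.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: waypoint
---
# The waypoint proxy that handles Layer 7 for the namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: waypoint, namespace: demo}
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - {name: mesh, port: 15008, protocol: HBONE}
---
# L7 policy, enforced at the waypoint: productpage may only GET reviews.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: {name: reviews-l7, namespace: demo}
spec:
  targetRefs:
  - {kind: Service, group: "", name: reviews}
  action: ALLOW
  rules:
  - from:
    - source: {principals: ["cluster.local/ns/demo/sa/productpage"]}
    to:
    - operation: {methods: ["GET"]}
---
# L4 policy, enforced by ztunnel at the destination: reviews pods accept
# connections only from the waypoint's identity, so the L7 policy above
# cannot be bypassed by connecting to the pods directly.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: {name: reviews-l4, namespace: demo}
spec:
  selector:
    matchLabels: {app: reviews}
  action: ALLOW
  rules:
  - from:
    - source: {principals: ["cluster.local/ns/demo/sa/waypoint"]}
```

Once a waypoint is in the path, the destination ztunnel sees the waypoint's identity rather than the original client's, which is why the client-identity rule lives in the waypoint policy and the L4 policy names the waypoint.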

Bringing Ambient Mode to Gloo Mesh

As the founders of Istio ambient mode, the Solo.io team played a significant role in all aspects of the project, and the ambient mesh functionality is built into Gloo Mesh.

Gloo Mesh offers support for ambient workloads in your Kubernetes clusters at no additional cost. Simply install Istio with the ambient profile and start onboarding workloads to an ambient mesh to experience the benefits:

  • Waypoint proxy lifecycle management
  • Waypoint proxy customization
  • Multitenancy and zero trust with Gloo workspaces
  • Observability with the Gloo UI and built-in Prometheus
  • Protect ambient workloads with Gloo traffic policies
  • Central management with Gloo
  • N-4 release support

Gloo Mesh can be easily configured to meet the needs of each application, offering the ability to mix the choice of sidecar (standard Istio architecture) or sidecar-less (Istio ambient mesh architecture) workloads.

Ambient Mode in Action

Watch how ambient mode is enabled for an application using Gloo Mesh to easily deploy a service mesh:

  • Install Istio ambient mesh and ingress and east-west gateways
  • Define and configure Workspaces for different teams
  • Expose the frontend application using a VirtualGateway
  • Configure AccessPolicy to explicitly allow certain traffic
  • Create globally addressable, multi-cluster services using VirtualDestination resource
  • Show traffic between clusters in Gloo Mesh UI
