Enterprise Istio Ambient Mesh

Ambient mesh is the sidecar-less and lightweight version of Istio service mesh. The data plane in Istio ambient mesh is divided into two layers — security and network — meant for easy and stage-wide deployment of Istio. Currently, the open source project is in Beta mode and is developed by Google and SOLO.io.

Istio and Envoy is used by

Air Bnb
Cash App
Auto Trader
Sales Force
Air Bnb
Cash App
Auto Trader
Sales Force

Why is the Istio ambient mesh becoming popular?

Istio ambient mesh is lightweight and faster with the new side-car-less approach for security. Ambient mesh uses a node-level proxy for authentication and authorization without reading the HTTP packets, making it way more quickly and more efficient than its predecessor. With Ambient mesh, enterprises can realize more than 30% improvement in Istio performance and resource consumption.

Side-car less data plane

Istio ‘ambient’ mesh provides a lightweight data plane that does not require sidecar injection with any microservices. Ambient mesh has distinguished data plane layers — secure overlay layer (named as ztunnel) and L7 processing layer (named as waypoint proxy) — designed to implement Istio sequentially in a phase-wise manner and tackle security concerns first.

Transformed data plan

Ztunnel for achieving zero trust network

Zero-trust tunnel or Ztunnel is an L4 processing layer designed to implement TCP routing and handle zero-trust security for traffic such as mTLS, authentication, and authorization policies. Ztunnel is an L4 agent that can be deployed (per node) as a DaemonSet workload resource in a cluster. The ztunnel leverages Kubernetes CNI to establish connections between workloads, secure communication using mTLS, collect HTTP metrics, access logs, etc.

Ztunnel for achieving zero trust network Ztunnel for achieving zero trust network

Waypoint proxy to unlock advanced network capabilities

Waypoint proxies are Envoy proxies, used to implement L7 traffic management capabilities in Istio ambient mesh. Based on the header and credentials, the proxy is capable of applying advanced networking policies such as circuit breaking, traffic shaping and splitting, retries, fault injection, etc. Waypoint proxy also helps in achieving granular authorization policies for role-based access control (RBAC). 

Waypoint proxy to unlock advanced network capabilities Waypoint proxy to unlock advanced network capabilities

Enhanced Istio Ambient mesh with eBPF

Instead of using iptables, enterprises prefer eBPF for controlling inbound, outbound, and forward traffic. Istio ambient mesh is developed to make it compatible with eBPF, which provides additional flexibility to DevOps to create kernel-level logic for managing traffic and observability. Using eBPF (over iptables) can increase the efficiency and performance of the Istio service mesh by at least 25-30%.

Istio Ambient mesh with eBPF Istio Ambient mesh with eBPF

Istio control plane

Istio control plane in ambient mode will be used to define and propagate security and policies to the ztunnel and waypoint proxies. One can integrate 3rd party applications to extend the capacity of Istio for authentication, authorization, and observability. The Istio control plane will emit metrics, traffic flows and service dependencies, essential to understanding and reacting to security incidents.

Istio control plane Istio control plane

Guaranteed Outcomes of Istio Ambient Mesh


Reduction on resource consumption of Istio data plane. With Ambient mesh the L4 authorization processing is easy to set up and is less resource exhaustive.


Faster in processing of security policies for all the traffic requests. Istio Ambient mesh provides all the facilities wrt security, network management and observability with 5X more efficiency.


Reduction in operation hassle for DevOps and cloud architects. Istio Ambient is easy to implement and maintain. The modular architecture of Istio allows easy integration with 3rd party security and network software.

Istio Service Mesh and Envoy for Enterprise

Simplify and secure the network of distributed microservices across the cloud.