Ambient mesh is the sidecar-less and lightweight version of Istio service mesh. The data plane in Istio ambient mesh is divided into two layers — security and network — meant for easy and stage-wide deployment of Istio. Currently, the open source project is in Beta mode and is developed by Google and SOLO.io.
Istio and Envoy is used by
Istio ambient mesh is lightweight and faster with the new side-car-less approach for security. Ambient mesh uses a node-level proxy for authentication and authorization without reading the HTTP packets, making it way more quickly and more efficient than its predecessor. With Ambient mesh, enterprises can realize more than 30% improvement in Istio performance and resource consumption.
Istio ‘ambient’ mesh provides a lightweight data plane that does not require sidecar injection with any microservices. Ambient mesh has distinguished data plane layers — secure overlay layer (named as ztunnel) and L7 processing layer (named as waypoint proxy) — designed to implement Istio sequentially in a phase-wise manner and tackle security concerns first.
Zero-trust tunnel or Ztunnel is an L4 processing layer designed to implement TCP routing and handle zero-trust security for traffic such as mTLS, authentication, and authorization policies. Ztunnel is an L4 agent that can be deployed (per node) as a DaemonSet workload resource in a cluster. The ztunnel leverages Kubernetes CNI to establish connections between workloads, secure communication using mTLS, collect HTTP metrics, access logs, etc.
Waypoint proxies are Envoy proxies, used to implement L7 traffic management capabilities in Istio ambient mesh. Based on the header and credentials, the proxy is capable of applying advanced networking policies such as circuit breaking, traffic shaping and splitting, retries, fault injection, etc. Waypoint proxy also helps in achieving granular authorization policies for role-based access control (RBAC).
Instead of using iptables, enterprises prefer eBPF for controlling inbound, outbound, and forward traffic. Istio ambient mesh is developed to make it compatible with eBPF, which provides additional flexibility to DevOps to create kernel-level logic for managing traffic and observability. Using eBPF (over iptables) can increase the efficiency and performance of the Istio service mesh by at least 25-30%.
Istio control plane in ambient mode will be used to define and propagate security and policies to the ztunnel and waypoint proxies. One can integrate 3rd party applications to extend the capacity of Istio for authentication, authorization, and observability. The Istio control plane will emit metrics, traffic flows and service dependencies, essential to understanding and reacting to security incidents.
~90%
Reduction on resource consumption of Istio data plane. With Ambient mesh the L4 authorization
processing is easy to set up and is less resource exhaustive.
5X
Faster in processing of security policies for all the traffic requests. Istio Ambient mesh provides
all the facilities wrt security, network management and observability with 5X more efficiency.
80%
Reduction in operation hassle for DevOps and cloud architects. Istio Ambient is easy to implement and maintain. The modular architecture of Istio allows easy integration with 3rd party security and network software.
Simplify and secure the network of distributed microservices across the cloud.
