The information in this documentation is geared towards users that want to use Gloo Gateway proxies with the Kubernetes Gateway API. If you want to use the Gloo Edge API instead, see the Gloo Gateway (Gloo Edge API) documentation.
Ingress to ambient mesh
Use Gloo Gateway as the ingress gateway for your ambient mesh.
Looking for instructions on how to use Gloo Gateway as the ingress for a sidecar service mesh? Check out Ingress to Istio sidecar mesh.
Solo collaborated with Google to develop ambient mesh, a new “sidecarless” architecture for the Istio service mesh. Ambient mesh uses node-level ztunnels to route and secure Layer 4 traffic between pods with mutual TLS (mTLS). Waypoint proxies enforce Layer 7 traffic policies whenever needed. To onboard apps into the ambient mesh, you simply label the namespace the app belongs to. Because no sidecars need to be injected into your apps, ambient mesh significantly reduces the complexity of adopting a service mesh.
In this guide, you learn how to use Gloo Gateway as the ingress gateway to route traffic to the httpbin app that is part of an ambient service mesh.
This guide assumes that you run your ambient mesh in a single cluster and want to use Gloo Gateway as the ingress gateway to protect your ambient mesh services.
Gloo Gateway as an ingress gateway to your ambient mesh
Set up an ambient mesh in your cluster to secure service-to-service communication with mutual TLS.
Ambient mesh with the Solo distribution of Istio: Follow the instructions in the Gloo Mesh Core documentation to Deploy Istio in ambient mode. These instructions use the Solo distribution of Istio, which is a hardened Istio image provided by Solo. You do not need to create an Istio ingress gateway, as you configure Gloo Gateway as the ingress gateway for your ambient mesh.
Community ambient mesh: You can install the community version of ambient mesh by following the ambient mesh quickstart tutorial. This tutorial uses a script to quickly set up an ambient mesh in your cluster. You do not need to create an Istio ingress gateway, as you configure Gloo Gateway as the ingress gateway for your ambient mesh.
To set up Gloo Gateway as the ingress gateway for your ambient mesh, you simply add all the namespaces that you want to secure to your ambient mesh, including the namespace that your gateway proxy is deployed to.
Add the gloo-system and httpbin namespaces to your ambient mesh. Use the same command to add other namespaces in your cluster.
Send a request to the httpbin app and verify that you get back a 200 HTTP response code. All traffic from the gateway is automatically intercepted by a ztunnel that is co-located on the same node as the gateway. The ztunnel collects Layer 4 metrics before it forwards the request to the ztunnel that is co-located on the same node as the httpbin app. The connection between ztunnels is secured via mutual TLS.
Verify that traffic between the gateway proxy and the httpbin app is secured via mutual TLS. Depending on your setup, you can choose between the following options.
Because traffic in an ambient mesh is intercepted by the ztunnels that are co-located on the same node as the sending and receiving service, you can check the logs of the ztunnels.
Find the NODE that the httpbin app runs on.
kubectl get pods -n httpbin -o wide
Example output:
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
httpbin-54cf575757-hdv8t 3/3 Running 0 22h 10.XX.X.XX gke-gloo-gateway-ambient-default-pool-bb9a8da5-bdf4 <none> <none>
Find the ztunnel that runs on the same node as the httpbin app.
kubectl get pods -n istio-system -o wide | grep ztunnel
Check the logs of that ztunnel instance and verify that the source and destination workloads have a SPIFFE ID.
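The log check in the previous step can be scripted. The following is an added example, not part of the Gloo Gateway documentation: a shell function that reads ztunnel logs on stdin and flags every connection to a given destination namespace that does not carry a SPIFFE ID on both ends. It assumes ztunnel key=value access logs with src.identity, dst.identity and dst.namespace fields; the function names and sample log lines are constructed for illustration, and <ztunnel-pod> is a placeholder.

```shell
#!/bin/sh
# Added example, not project code. Assumes ztunnel key="value" access logs
# with src.identity, dst.identity and dst.namespace fields.
#
# Usage: kubectl logs -n istio-system <ztunnel-pod> | check_ztunnel_mtls httpbin
# Prints each entry that lacks a SPIFFE ID, then a summary line.
# Returns 1 if any entry lacks an identity or if no entry matched at all
# (nothing could be verified), 0 otherwise.
check_ztunnel_mtls() {
  awk -v ns="$1" '
    # Return the value of key="value" in the line, or "" when the key is absent.
    function field(line, key,    pat, s) {
      pat = key "=\"[^\"]*\""
      if (!match(line, pat)) return ""
      s = substr(line, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    ns != "" && field($0, "dst.namespace") == ns {
      total++
      src = field($0, "src.identity"); dst = field($0, "dst.identity")
      if (src ~ /^spiffe:\/\// && dst ~ /^spiffe:\/\//) { ok++; next }
      print "NO-IDENTITY: " $0
    }
    END {
      printf "checked=%d mtls=%d missing=%d\n", total, ok, total - ok
      exit ((total - ok > 0 || total == 0) ? 1 : 0)
    }'
}

# Constructed sample log lines (not captured from a real cluster):
# one connection with identities on both ends, one without a source identity.
sample_ztunnel_log() {
  cat <<'EOF'
2024-01-01T00:00:00Z info access connection complete src.workload="gloo-proxy-http-abc" src.namespace="gloo-system" src.identity="spiffe://cluster.local/ns/gloo-system/sa/gloo-proxy-http" dst.workload="httpbin-54cf575757-hdv8t" dst.namespace="httpbin" dst.identity="spiffe://cluster.local/ns/httpbin/sa/httpbin" direction="inbound"
2024-01-01T00:00:01Z info access connection complete src.workload="legacy-client-xyz" src.namespace="default" dst.workload="httpbin-54cf575757-hdv8t" dst.namespace="httpbin" direction="inbound"
EOF
}
```

Run `sample_ztunnel_log | check_ztunnel_mtls httpbin` to see the second constructed entry reported as lacking an identity.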
If you installed Gloo Mesh Core, you can use the Gloo UI to verify that traffic between services is secured via mutual TLS.
Open the Gloo UI.
meshctl dashboard
Go to Observability > Graph.
Verify that you see a lock icon for traffic between the gateway proxy and the httpbin app as shown in the following image.
If you installed Gloo Mesh Core, you can open the built-in Prometheus expression browser to verify that traffic between services is secured via mutual TLS.
Port-forward the built-in Prometheus expression browser.
Enter istio_requests_total{destination_workload_namespace="httpbin"} into the query field and review the results. Verify that you see a SPIFFE ID for the source and destination workload and that the connection_security_policy is set to mutual_tls.
Example output:
Now that you set up Gloo Gateway as the ingress gateway for your ambient mesh, you can further control and secure ingress traffic with Gloo Gateway policies.