About ambient mesh

Solo collaborated with Google to develop ambient mesh, a new “sidecarless” architecture for the Istio service mesh. Ambient mesh uses node-level ztunnels to route and secure Layer 4 traffic between pods with mutual TLS (mTLS). Waypoint proxies enforce Layer 7 traffic policies whenever needed. To onboard apps into the ambient mesh, you simply label the namespace the app belongs to. Because no sidecars need to be injected into your apps, ambient mesh significantly reduces the complexity of adopting a service mesh.

To learn more about ambient, see the ambient mesh documentation.

About this guide

In this guide, you learn how to use Gloo Gateway as the ingress gateway to route traffic to the httpbin app that is part of an ambient service mesh. This guide assumes that you run your ambient mesh in a single cluster and want to use Gloo Gateway as the ingress gateway to protect your ambient mesh services.

Gloo Gateway as an ingress gateway to your ambient mesh

Before you begin

  1. Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

Step 1: Set up an ambient mesh

Set up an ambient mesh in your cluster to secure service-to-service communication with mutual TLS. You can use Solo.io’s Gloo Operator to install a managed ambient mesh, or manually install and manage your own ambient mesh installation.

  • Managed ambient mesh with Gloo Operator: Follow the Install Gloo-managed ambient meshes guide in the Gloo Mesh Core docs to quickly install a managed Solo distribution of Istio by using the Gloo Operator.
  • Manual ambient mesh installation:
    • Manually install a Solo distribution of Istio. The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. Note that the Solo distribution of Istio is required for a multicluster ambient mesh setup.
    • Install the community version of ambient mesh by following the ambient mesh quickstart tutorial. This tutorial uses a script to quickly set up an ambient mesh in your cluster. You do not need to create an Istio ingress gateway, because you configure Gloo Gateway as the ingress gateway for your ambient mesh.

Step 2: Set up Gloo Gateway for ingress

To set up Gloo Gateway as the ingress gateway for your ambient mesh, you simply add all the namespaces that you want to secure to your ambient mesh, including the namespace that your gateway proxy is deployed to.

  1. Add the gloo-system and httpbin namespaces to your ambient mesh. Use the same command to add other namespaces in your cluster.

      kubectl label ns gloo-system istio.io/dataplane-mode=ambient
      kubectl label ns httpbin istio.io/dataplane-mode=ambient

  2. Send a request to the httpbin app and verify that you get back a 200 HTTP response code. All traffic from the gateway is automatically intercepted by a ztunnel that is co-located on the same node as the gateway. The ztunnel collects Layer 4 metrics before it forwards the request to the ztunnel that is co-located on the same node as the httpbin app. The connection between ztunnels is secured via mutual TLS.

  3. Verify that traffic between the gateway proxy and the httpbin app is secured via mutual TLS. Depending on your setup, you can choose between the following options.
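Because the gateway's own namespace must be labeled as well as the app's, it helps to confirm the labels from step 1 before you test traffic. The following script is an added example, not part of the Gloo Gateway docs; the `check_ambient` function and the sample listing are constructed for illustration, and it assumes the column layout that `kubectl get ns -L istio.io/dataplane-mode --no-headers` prints.

```shell
#!/bin/sh
# Added example: confirm that every namespace that must be in the ambient mesh
# carries istio.io/dataplane-mode=ambient.
#
# Live use (needs cluster access):
#   kubectl get ns -L istio.io/dataplane-mode --no-headers | check_ambient gloo-system httpbin

# Constructed sample of that command's output (NAME STATUS AGE LABEL-VALUE).
# The "default" row has no fourth column because the label is not set.
SAMPLE_NS='gloo-system   Active   5d   ambient
httpbin       Active   5d   ambient
default       Active   9d'

# check_ambient NS...
# Reads the namespace listing on stdin, prints one line per required namespace
# that is missing or not enrolled, and returns 1 if there was any.
check_ambient() {
  awk -v required="$*" '
    BEGIN { n = split(required, req, " ") }
    NF    { seen[$1] = 1; mode[$1] = $4 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        ns = req[i]
        if (!(ns in seen)) {
          print ns ": namespace not found"; bad = 1
        } else if (mode[ns] != "ambient") {
          print ns ": dataplane-mode is \"" mode[ns] "\", not enrolled in ambient"; bad = 1
        }
      }
      exit bad
    }'
}

# Run against the constructed sample.
if printf '%s\n' "$SAMPLE_NS" | check_ambient gloo-system httpbin; then
  echo "gloo-system and httpbin are enrolled in the ambient mesh"
fi
```

A non-zero exit status makes the function usable as a gate in a deployment pipeline.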

Next

Now that you have set up Gloo Gateway as the ingress gateway for your ambient mesh, you can further control and secure ingress traffic with Gloo Gateway policies.