About ambient mesh

Ambient is an alpha feature. Alpha features are likely to change, are not fully tested, and are not supported for production. For more information, see Gloo feature maturity.

Check out the following video to see ambient mesh in action.

What is ambient mesh?

Solo collaborated with Google to develop ambient mesh, a new “sidecarless” architecture for the Istio service mesh. This architecture reduces the complexity of adopting a service mesh. You no longer have to inject a sidecar into your apps. But, you still get the benefits of Istio, such as secure mutual TLS (mTLS) for pod-to-pod communication.

Ambient mesh removes the sidecar from each pod for your apps. Instead, Istio uses node-level ztunnels to route Layer 4 traffic between apps. Waypoint proxies enforce Layer 7 traffic policies whenever needed. To onboard apps into the mesh, you simply label the namespace the app belongs to. Because no sidecar must be injected, you don't need to worry about restarting or reconfiguring your apps. Your apps automatically become part of the ambient mesh.

What is the difference between a sidecarless and sidecar architecture?

You might wonder if you should use a sidecar or sidecarless architecture. Your approach depends on the requirements that your apps need to meet. These requirements include security, visibility, and lifecycle operations. Let's take a look at the benefits each architecture offers.

For detailed information about ambient mesh, see this Istio blog. For an example of how routing works in a sidecarless vs. sidecar service mesh architecture, see Architecture.

Sidecarless architecture

The sidecarless architecture means that you do not need a sidecar in the same pod as your app. Communication between pods is still secured via mutual TLS (mTLS). This approach reduces your lifecycle operations in several ways, including:

By default, ambient mesh routes traffic over Layer 4 of the OSI networking stack. Waypoint proxies are used for Layer 7 only when needed. This networking approach also reduces complexity, including:

Sidecar architecture

A sidecar architecture, on the other hand, uses sidecars that run in each app's pod. This approach gives several security benefits, such as:

Network traffic is always on Layer 7 of the OSI networking stack. This way, you get greater visibility into the service mesh to help with things such as:

Why ambient and Gloo Mesh Enterprise?

Running ambient workloads in Gloo Mesh provides the following benefits:

For a full list of supported features, see Supported features.