Review the key components that make up the ambient mesh architecture.
The ztunnel is a zero trust, lightweight proxy that handles only Layer 4 traffic in the ambient mesh. It is deployed as a daemon set on every node of the cluster. All traffic to and from an app that is part of the ambient mesh is always redirected to the ztunnel that runs on the same node as the app itself. The ztunnel collects L4 metrics, such as the number of request or response bytes, and then forwards the request to the target app. If the target app is located on a different node, the ztunnel first forwards the request to the ztunnel that runs on the same node as the target app. Communication between ztunnel instances is secured via mutual TLS (mTLS) by default. However, traffic from the app to the ztunnel and vice versa is sent via plain text.
For more information, review the L4 and L7 routing examples in the ambient architecture page.
The waypoint proxy is a Layer 7 proxy that is shared between apps in the same service account. When you create a policy that must be enforced on Layer 7, Gloo Mesh automatically creates a waypoint proxy. If a request is sent to a target app that has L7 policies applied, the request is forwarded from the ztunnel to the waypoint proxy of the target app. The waypoint proxy enforces the L7 policy and collects L7 metrics before the request is forwarded to the ztunnel that runs on the same node as the target app. Traffic between the ztunnel and the waypoint proxy is secured via mTLS by default.
For more information, review the L7 routing example in the ambient architecture page.
Istio CNI plug-in
The Istio CNI plug-in is deployed as a daemon set on every node of the cluster and monitors all pods that are created or removed from the ambient mesh. For all pods that participate in the ambient mesh, the CNI plug-in configures the redirect from the app to the ztunnel.
Istio control plane
The Istio control plane
istiod rolls out the ambient mesh configuration to the ztunnels and waypoint proxies in the cluster and keeps this configuration up-to-date. To enable mTLS connections between ztunnels and waypoint proxies, the control plane generates the TLS certificates. At the same time, the control plane acts as a Certificate Authority (CA) to sign the certificates. The certificates are used by the ztunnels and waypoint proxies to do mutual TLS authentication.