L4 routing in ambient mesh

In an Istio-based service mesh that runs in ambient mode, no sidecars are injected into each pod. Instead, a ztunnel is deployed as a daemon set onto each node. The ztunnel intercepts the traffic for all the pods that are deployed on the same node as shown in the following diagram.

1. For the client request to reach the product page, the traffic is first sent to the ztunnel that is deployed on the same node as the client app.
2. Then, the request is forwarded to the ztunnel that is deployed to the node where the product page app runs.
3. The ztunnel forwards the request to the product page app.
4. For the product page app to retrieve user reviews, the product page sends a request to the reviews app. The request is intercepted by the ztunnel that runs on the same node as the product page.
5. The ztunnel forwards the request from the product page app to the reviews app.

All traffic between uProxies is automatically secured via mTLS. Because no Envoy proxy is involved in the request path, all communication is routed on layer 7. Layer 4 metrics are automatically collected by the ztunnel and made available through the built-in Prometheus server in Gloo Platform.