L7 routing in ambient mesh

To enforce Layer 7 traffic policies for apps in your mesh, a waypoint proxy must be deployed for the service account that your apps belong to. The waypoint proxy sits in the path between ztunnels so that traffic policies can be applied and L7 metrics can be collected for your apps. In the following diagram, a waypoint proxy is created for the product page. Note that one waypoint proxy is required per service account: if multiple apps belong to the same service account, they share the same waypoint proxy.

Figure: Layer 7 routing in an ambient mesh
  1. For the request from the client app to reach the product page, the request is first routed to the ztunnel that runs on the same node as the client app.
  2. Because L7 traffic policies are applied to the product page, the ztunnel forwards the request to the waypoint proxy of the product page app. The waypoint proxy enforces the product page's traffic policies and collects L7 metrics. Traffic between the ztunnel and the waypoint proxy is secured via mTLS.
  3. After the L7 policies are applied, the request is forwarded to the ztunnel that runs on the node where the product page app is deployed. Traffic between the waypoint proxy and the ztunnel is secured via mTLS.
  4. The ztunnel forwards the request to the product page app. At the same time, L4 metrics are automatically collected by the ztunnel.
  5. Because no traffic policy is applied to the reviews app, no waypoint proxy is deployed for the reviews service account. For a request from the product page to reach the reviews app, the request is first sent to the ztunnel that is deployed on the same node where the reviews app runs. The ztunnel automatically collects L4 metrics.
  6. The ztunnel forwards the request to the reviews app.
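The following manifests are an added example and are not part of the original page. They show what deploying a waypoint proxy for the product page service account, and then attaching an L7 policy to it, looks like with the service-account-bound waypoint API from Istio's ambient alpha (a Kubernetes Gateway carrying the `istio.io/for-service-account` annotation), which is the model described above. The namespace `bookinfo`, the service account `bookinfo-productpage` and the client service account `sleep` are assumed names.

```yaml
# Added example (not from the original page). Assumed names: namespace
# "bookinfo", service account "bookinfo-productpage", client SA "sleep".
# Apply with: kubectl apply -n bookinfo -f waypoint.yaml
#
# 1) Waypoint proxy for the product page service account. Only apps that
#    run under this service account are routed through it (step 2 above);
#    the reviews app keeps the plain ztunnel-to-ztunnel L4 path.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
  annotations:
    istio.io/for-service-account: bookinfo-productpage
spec:
  gatewayClassName: istio-mesh
  listeners:
  - name: mesh
    port: 15008      # HBONE port used between ztunnel and the waypoint
    protocol: HBONE
---
# 2) L7 authorization policy enforced by the waypoint, not by ztunnel.
#    It is bound to the waypoint via the istio.io/gateway-name label and
#    only allows GET requests from the "sleep" client identity; everything
#    else reaching the product page over L7 is denied by the waypoint.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/bookinfo/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
```

To confirm the waypoint was programmed, run `kubectl get gateway -n bookinfo` and check that `bookinfo-productpage` reports `PROGRAMMED` as `True`; a pod named after the Gateway appears in the namespace. Note that the `methods` match in the policy is an L7 rule, so it can only be enforced by a waypoint: without a waypoint for the target service account, ztunnel can enforce L4 identity-based rules but will not evaluate HTTP method or path conditions. Newer Istio releases replaced the per-service-account annotation with the `istio.io/use-waypoint` label on namespaces or services, so check the version of the API your mesh exposes before copying this.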

With a traditional Istio sidecar architecture, all communication between apps is always routed on Layer 7. With a sidecarless architecture, traffic is routed over Layer 4 by default. Only traffic that requires Layer 7 policies is routed over Layer 7, saving cluster resources and operational costs.