Using the management plane with ambient mesh
Learn about the benefits of deploying the Solo Enterprise for Istio management plane alongside your ambient mesh.
When you deploy an ambient mesh with the Solo Enterprise for Istio management plane, you get enhanced lifecycle management, observability, and insights specifically tailored for ambient mode. The management plane is optional and can be added alongside any Istio installation.
Lifecycle benefits for ambient mesh
Simplified Istio installation with Gloo Operator
By using the Gloo Operator to manage your ambient mesh, you no longer need to manually install and manage the istiod control plane, Istio CNI, ztunnels, and other ambient components. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into a fully managed ambient mesh installation.
The operator can detect your cluster platform and set the appropriate fields required for that platform, reducing both the amount of configuration required and the overhead to manage Istio resources.
To get started, see the Gloo Operator installation guide for ambient.
Automated waypoint deployment
If you deploy an ambient mesh and require waypoint proxies to apply Layer 7 policies, you can use versions 1.25 and later of the Solo distribution of Istio to automate the waypoint deployment. Instead of manually creating a waypoint proxy resource, and then labeling a namespace, service, or service entry to use that waypoint, you can simply label the namespace, service, or service entry with istio.io/use-waypoint=auto. Istiod automatically creates the appropriate waypoint and applies it to your target resource.
Note that this automation currently only creates waypoints with the istio-waypoint Gateway class. For more information, see About waypoints.
Multicluster peering (beta)
Automated multicluster peering is a beta feature. Do not use this feature in production deployments. For more information, see Solo feature maturity.
Multicluster mesh capabilities require an Enterprise level license for Solo Enterprise for Istio. If you do not have one, contact an account representative.Automated peering requires Istio to be installed in the same cluster that the Gloo management plane is deployed to.
In multicluster setups, you can configure Solo Enterprise for Istio to automate multicluster mesh peering by including the --set featureGates.ConfigDistribution=true setting in your management plane installation. Then, you use the istioctl multicluster expose command included in the Solo distribution of Istio to quickly create east-west gateways. The Gloo management plane watches for these east-west gateways, and generates one istio-remote resource in the management cluster for each connected workload cluster. Solo Enterprise for Istio then distributes the gateway to each cluster respectively. These gateways use the istio-remote GatewayClass, which allows the istiod control plane in each cluster to discover the east-west gateway addresses of other clusters.
Note that because the istio-remote resource requirement for automated peering is lightweight, scaling automated peering up to multiple clusters has little impact on performance. When you add a cluster to the multicluster setup, Solo Enterprise for Istio must only distribute one additional istio-remote resource to each existing cluster, and distribute the existing istio-remote resources to the new cluster.
To get started, follow the Gloo Operator guides to install an ambient or sidecar multicluster mesh.
Observability for ambient workloads
Get instant access to L4 and L7 metrics for ambient workloads and visualize them with the Gloo UI. Metrics are automatically collected by the ztunnels and waypoint proxies, and are scraped by the built-in Prometheus server.
With the management plane, you can:
- Monitor ambient mesh health across single or multiple clusters
- View ztunnel and waypoint proxy status and performance
- Track mTLS connections between workloads
- Analyze traffic patterns at both L4 and L7 layers
For more information, see Explore the UI and Telemetry architecture.
Insights for ambient mesh
Solo Enterprise for Istio comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment.The insights engine provides ambient-specific recommendations, such as:
- Ztunnel health and configuration issues
- Waypoint proxy optimization opportunities
- Ambient mesh enrollment problems
- mTLS connection failures in the ztunnel overlay
For more information, see Insights.
Next steps
Ready to deploy an ambient mesh with the management plane? Check out the following guides and resources to get started.
- Review the full management plane architecture.
- Install ambient mesh with the Gloo Operator.
- Explore the UI to see ambient mesh insights.
- Plan a migration from sidecar to ambient with the ambient migration guide.
- Check out the free Ambient Estimator Tool, which assesses your Istio environment to estimate potential cost savings from migrating from sidecars to a sidecarless mesh architecture.