Verifying mTLS

Ambient mesh adds mutual TLS (mTLS) encryption between all mesh-enrolled workloads by default. You can follow the community ambient mesh mTLS guide to verify mTLS connections.

Applying authorization policies on Layer 4 and 7

You can configure policies for authentication and authorization, to mitigate both internal and external threats against your data, endpoints, communication, and platform.

If you want to apply authorization policies, start by reviewing the differences between applying an authorization policy at the ztunnel (L4) versus at the waypoint (L7). Then, you can follow the guides to apply policies at the ztunnel or at the waypoint.
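The following pair of policies is an added illustration of that distinction, not an example from the Solo or Istio docs. It assumes a namespace `shop`, a `frontend` service account calling an `orders` workload labelled `app=orders` on port 8080, and a waypoint named `waypoint` already deployed in `shop` and enabled with the `istio.io/use-waypoint` label.

```yaml
# Added example (assumed names): the first policy is selector-based, so the
# ztunnel on the node running "orders" enforces it; it can only use L4
# attributes (peer identity, namespace, IP, destination port). The second
# targets the waypoint Gateway, which is the only place HTTP-level
# attributes such as method and path can be evaluated.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-l4
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity taken from the mTLS peer certificate
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        ports: ["8080"]
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-l7
  namespace: shop
spec:
  # Attach to the waypoint rather than to the workload. Putting
  # methods/paths in the selector-based policy above would not work,
  # because ztunnel has no HTTP parser and cannot evaluate them.
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]
```

Because both are ALLOW policies, any request to `orders` that matches neither rule is denied, so verify the expected caller still succeeds after applying them rather than only checking that unexpected callers are blocked.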

Workload identity and attestation

When planning your ambient mesh security setup, you might need to access and use the identities of workloads in individual connections. The following features of the Solo distribution of Istio facilitate identity lookup and workload identity attestation.

SPIRE workload attestation: Use SPIRE node agents to attest and grant identities to ambient mesh workloads, which can be used for mTLS connections between the workloads.