Key concepts
In order to best understand ambient mesh, it is useful to familiarise yourself with some key concepts.
Configuration
Gateway API
The Gateway API is a collection of APIs that are part of Kubernetes, focusing on traffic routing and management. The APIs are inspired by, and serve many of the same roles as, Kubernetes’ Ingress and Istio’s legacy VirtualService and Gateway APIs.
In ambient mesh, the Gateway API is used to configure both gateways and waypoints: gateways sit at the edge of the mesh (handling ingress and egress traffic), while waypoints sit at the edge of a service inside the mesh, in front of its endpoints. Both are declared with the same Gateway resource; the GatewayClass selected by the resource determines which role it takes.
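As an added example (these manifests are written for this page and are not copied from the Istio project, and the namespace and resource names are illustrative), the following declares a waypoint for the services of one namespace, enrolls that namespace, and, for contrast, declares a gateway at the edge of the mesh. The Gateway API CRDs must already be installed in the cluster, since most Kubernetes distributions do not ship them by default.

```yaml
# Waypoint: a Gateway whose class is "istio-waypoint". Istio deploys a
# waypoint proxy for it; the label says which kind of traffic it handles
# (here: traffic addressed to Services, which is the default).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: default
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008      # the HBONE port; ztunnel tunnels traffic here
    protocol: HBONE
---
# Enroll the namespace in ambient mode and route its services through the
# waypoint above. A different namespace for the waypoint would additionally
# need the istio.io/use-waypoint-namespace label.
apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: waypoint
---
# Mesh-edge gateway: same Gateway kind, but the "istio" class, and an
# ordinary HTTP listener exposed to clients outside the mesh.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: ingress
  namespace: istio-ingress
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
```

`istioctl waypoint apply --enroll-namespace` produces an equivalent waypoint Gateway and namespace label in one step. Note the difference in exposure: the edge gateway's listener is reachable from outside the mesh, whereas the waypoint only accepts HBONE connections that ztunnel has already authenticated with mTLS, so authorization policy for a service is typically attached to its waypoint rather than to the individual workloads.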
Services and endpoints
At the highest level, a service is a grouping of replicas of an application. Each replica normally has its own endpoint (IP address), and the service provides an IP address or DNS name which is used to load-balance connections.
It can be helpful to break this concept down into two facets:
- The frontend of the Service is the combination of the cluster IP and its DNS name.
- The backend of the Service is the collection of endpoint IPs.
Learn more about service facets in the Gateway API.
Implementation details
These are terms you may see used throughout the documentation, or which are helpful for debugging, but which you do not need to consider when configuring ambient mesh:
HBONE
HBONE (HTTP-Based Overlay Network Environment) is the secure tunneling protocol used in ambient mesh. It transparently multiplexes the TCP streams of many different application connections over a single mTLS-encrypted network connection (an encrypted tunnel), so that the application sees ordinary TCP while the traffic on the wire is authenticated and encrypted between the two proxies.
HBONE is Istio’s name for the combination of three open standards:
HTTP CONNECT is used to establish a tunnel connection, mTLS is used to secure and encrypt that connection, and HTTP/2 is used to multiplex application connection streams over that single secured and encrypted tunnel, and convey additional stream-level metadata.
HBONE traffic is sent to port 15008 of the destination ztunnel or waypoint.
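To make the "multiplex application connections over one tunnel" part concrete, here is an added illustration in Python of the HTTP/2 CONNECT framing that HBONE is built on. It is not ztunnel or Istio code: it omits the mTLS layer, the HTTP/2 connection preface and SETTINGS exchange, and HPACK header indexing, and only shows how two application TCP connections from one pod become independent streams on a single tunnel byte stream. The target addresses and payloads are constructed sample values.

```python
"""Minimal HTTP/2 CONNECT multiplexing, the core of HBONE (illustration only).

Frame layout follows RFC 7540 section 4.1; headers use the HPACK
"literal header field without indexing" form (RFC 7541 section 6.2.2).
Real HBONE wraps all of this in mTLS and adds further stream metadata.
"""
import struct

HBONE_PORT = 15008                      # port the tunnel itself is carried on
FRAME_DATA, FRAME_HEADERS = 0x0, 0x1
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4


def _frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """9-byte frame header: 24-bit length, type, flags, 31-bit stream id."""
    assert len(payload) < (1 << 24)
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def _hpack_literal(name: str, value: str) -> bytes:
    """HPACK literal header with a new name, no indexing, no Huffman coding."""
    n, v = name.encode(), value.encode()
    assert len(n) < 127 and len(v) < 127    # keeps the length prefix one byte
    return b"\x00" + bytes([len(n)]) + n + bytes([len(v)]) + v


def connect_headers(stream_id: int, target: str) -> bytes:
    """HEADERS frame opening a CONNECT tunnel to target ("ip:port").
    CONNECT carries only :method and :authority (RFC 7540 section 8.3)."""
    block = _hpack_literal(":method", "CONNECT") + _hpack_literal(":authority", target)
    return _frame(FRAME_HEADERS, FLAG_END_HEADERS, stream_id, block)


def data(stream_id: int, payload: bytes, end: bool = False) -> bytes:
    """DATA frame carrying raw TCP bytes of one application connection."""
    return _frame(FRAME_DATA, FLAG_END_STREAM if end else 0, stream_id, payload)


def _read_literal(block: bytes, pos: int):
    assert block[pos] == 0x00, "only the no-indexing literal form is handled"
    nlen = block[pos + 1]
    pos += 2
    name = block[pos:pos + nlen].decode()
    pos += nlen
    vlen = block[pos]
    pos += 1
    value = block[pos:pos + vlen].decode()
    return name, value, pos + vlen


def demultiplex(tunnel: bytes) -> dict:
    """Parse a tunnel byte stream into {stream_id: {target, data, closed}}.
    The receiving proxy would open a plain TCP connection to each stream's
    target and relay that stream's DATA frames in both directions."""
    streams, pos = {}, 0
    while pos < len(tunnel):
        length = int.from_bytes(tunnel[pos:pos + 3], "big")
        ftype, flags = tunnel[pos + 3], tunnel[pos + 4]
        sid = struct.unpack(">I", tunnel[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = tunnel[pos + 9:pos + 9 + length]
        pos += 9 + length
        if ftype == FRAME_HEADERS:
            hdrs, p = {}, 0
            while p < len(payload):
                name, value, p = _read_literal(payload, p)
                hdrs[name] = value
            assert hdrs.get(":method") == "CONNECT", "HBONE streams are CONNECT tunnels"
            streams[sid] = {"target": hdrs[":authority"], "data": b"", "closed": False}
        elif ftype == FRAME_DATA:
            streams[sid]["data"] += payload
            if flags & FLAG_END_STREAM:
                streams[sid]["closed"] = True
    return streams


def example_tunnel() -> bytes:
    """Two application connections from one pod, interleaved on one tunnel.
    Client-initiated HTTP/2 stream IDs are odd. Constructed sample values."""
    return b"".join([
        connect_headers(1, "10.244.1.7:8080"),
        connect_headers(3, "10.244.2.9:5432"),
        data(1, b"GET /healthz HTTP/1.1\r\nHost: backend\r\n\r\n"),
        data(3, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),   # a Postgres SSLRequest
        data(1, b"", end=True),
    ])


if __name__ == "__main__":
    for sid, s in demultiplex(example_tunnel()).items():
        print(sid, s["target"], s["data"][:24], "closed" if s["closed"] else "open")
```

The point to take from this is where the security boundary lies: the application bytes inside each DATA frame are passed through untouched, and the confidentiality and peer authentication of HBONE come entirely from the mTLS session that carries the whole byte stream above, which is why both ends of the tunnel (ztunnel or a waypoint) must hold a workload identity certificate.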
xDS
The xDS APIs are the configuration API of the data plane. "DS" stands for Discovery Service, and "x" stands in for the many aspects of the data plane which can be configured, including endpoints (EDS), listeners (LDS), routes (RDS) and secrets (SDS).
It is the protocol used to communicate configuration and environmental state between the istiod control plane and the ambient data plane proxies (ztunnel and waypoints).